Package Feeds – Open Source Security Foundation

The Package Feeds is a feed parsing for language package manager updates.

The binary produced by cmd/scheduled-feed/main.go can be used to monitor various package repositories for changes and publish data to external services for further processing.

Additionally, the repo contains a few subprojects to aid in the analysis of these open source packages, in particular to look for malicious software.

These are:

Feeds to watch package registries (PyPI, NPM, etc.) for changes to packages and to make that data available via a single standard interface.
Publisher provides the functionality to push package details from feeds towards external services such as GCP Pub/Sub. Package details are formatted inline with a versioned json-schema.
This repo used to contain several other projects, which have since been split out into github.com/ossf/package-analysis.

The goal is for all of these components to work together and provide extensible, community-run infrastructure to study behavior of open source packages and to look for malicious software. We also hope that the components can be used independently, to provide package feeds or runtime behavior data for anyone interested.

GitHub

Copyright © 2024 The Linux Foundation® . All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page. Linux is a registered trademark of Linus Torvalds. Privacy Policy and Terms of Use.

Subscribe to the OpenSSF Newsletter!

Get the latest announcements, event info, and the community news in your inbox