DependGuard: Secure Your GitHub Projects with Comprehensive Dependency Analysis and Community Insights

DependGuard is a powerful tool designed to enhance the security of your GitHub projects by going beyond just analyzing dependencies. We provide valuable insights into the community health and activity behind your dependencies, giving you a holistic view of your project's security posture.

Our Mission: To improve the usability and user experience involved with Open Source Software (OSS) by addressing critical cybersecurity flaws and promoting transparency within the OSS community.

The Problem

Many open-source projects face a significant challenge: due to their non-profit nature, they may lack sufficient community support and resources. This can lead to the use of outdated packages and vulnerabilities that go unnoticed, especially in transitive dependencies (dependencies of dependencies).

DependGuard tackles this issue head-on by providing a comprehensive solution that analyzes not only the code but also the team behind the code. We assess the community health of your dependencies using the CHAOSS metrics:

  • Strategy: How well-defined is the project's roadmap and vision?
  • Governance: Are there clear decision-making processes and contribution guidelines?
  • Community: How active and engaged is the community?
  • Compliance/Security: Does the project have security policies and practices in place?

By evaluating these metrics, DependGuard helps you identify dependencies that might be at risk due to low community activity or poor security practices.

Features

  • Dependency Analysis: DependGuard thoroughly examines your project's dependencies, identifying potential security vulnerabilities and outdated packages.
  • Security Insights: Receive detailed reports on vulnerabilities found in your project's dependencies, along with recommendations for remediation and available fixes.
  • Community Health Assessment: DependGuard analyzes the community behind each dependency using the CHAOSS metrics, providing insights into the project's activity, governance, and security practices.
  • Ease-of-Use: Our user-friendly web interface makes it easy to analyze your projects. Simply provide a GitHub link or upload a dependency file, and DependGuard does the rest.
  • Privacy: We value your privacy. No user data is collected, and the entire project is open-source. You don't need to install anything on your device.
  • Universality: DependGuard supports input via GitHub links or various file formats like requirements.txt. It leverages multiple APIs and databases to provide comprehensive coverage.
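The dependency analysis described above, and the transitive-dependency problem from "The Problem", in a runnable form. This is example code added to this README, not DependGuard's own implementation: the dependency graph, the advisory table (with placeholder ids) and the sample requirements.txt are all constructed for the demonstration, where a real analyzer would fetch graph and advisory data from registry APIs and vulnerability databases.

```python
"""Added illustration of direct-plus-transitive dependency analysis.
Example code written for this README, not DependGuard's implementation;
the dependency graph, advisory table and sample requirements file below
are all constructed for the demonstration."""
import re
from typing import Dict, List, Tuple

Package = Tuple[str, str]  # (name, exact version)

# Constructed dependency graph: (package, version) -> packages it pulls in.
# A real analyzer would fetch this from the registry's package metadata.
DEP_GRAPH: Dict[Package, List[Package]] = {
    ("webapp-core", "2.1.0"): [("http-client", "1.4.2"), ("template-engine", "3.0.1")],
    ("http-client", "1.4.2"): [("url-parse", "0.9.3")],
    ("template-engine", "3.0.1"): [],
    ("url-parse", "0.9.3"): [],
    ("cli-helper", "1.0.0"): [],
}

# Constructed advisory table: package -> [(first fixed version, advisory id)].
# The ids are placeholders, not real identifiers.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "url-parse": [("1.0.0", "EXAMPLE-ADVISORY-001")],
    "cli-helper": [("1.0.1", "EXAMPLE-ADVISORY-002")],
}

# Constructed sample upload: pinned, commented and unpinned lines mixed.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
webapp-core==2.1.0
cli-helper==1.0.0        # inline comment
requests>=2.0            # unpinned: a real tool must resolve this first
"""

PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9A-Za-z.]*)$")


def parse_requirements(text: str) -> List[Package]:
    """Return the exactly pinned (name, version) pairs; comments, blank
    lines and non-== specifiers are skipped rather than guessed at."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = PIN.match(line)
        if match:
            pins.append((match.group(1).lower(), match.group(2)))
    return pins


def version_key(version: str) -> Tuple[int, ...]:
    """Dotted-numeric comparison key; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def walk(roots: List[Package], graph: Dict[Package, List[Package]]) -> Dict[Package, List[str]]:
    """Depth-first walk returning each reached package with the chain of
    names that led to it, so a finding can be traced to the direct
    dependency responsible for pulling it in."""
    reached: Dict[Package, List[str]] = {}
    stack = [(pkg, [pkg[0]]) for pkg in roots]
    while stack:
        pkg, path = stack.pop()
        if pkg in reached:
            continue
        reached[pkg] = path
        for child in graph.get(pkg, []):
            stack.append((child, path + [child[0]]))
    return reached


def find_vulnerable(requirements_text: str,
                    graph: Dict[Package, List[Package]] = DEP_GRAPH,
                    advisories: Dict[str, List[Tuple[str, str]]] = ADVISORIES) -> List[dict]:
    """Flag every reached package whose version is below an advisory's fix."""
    findings = []
    for (name, version), path in walk(parse_requirements(requirements_text), graph).items():
        for fixed_in, advisory_id in advisories.get(name, []):
            if version_key(version) < version_key(fixed_in):
                findings.append({
                    "package": name, "version": version, "fixed_in": fixed_in,
                    "advisory": advisory_id,
                    "transitive": len(path) > 1,  # not listed in the upload itself
                    "path": " -> ".join(path),
                })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in find_vulnerable(SAMPLE_REQUIREMENTS):
        kind = "transitive" if finding["transitive"] else "direct"
        print(f"{finding['path']}: {finding['version']} < {finding['fixed_in']} ({kind}, {finding['advisory']})")
```

On the sample file the walk reports two findings: cli-helper is a direct pin below its fix, and url-parse is flagged even though it never appears in requirements.txt, because webapp-core pulls it in through http-client. The path string is what makes the second finding actionable: the remediation is to bump webapp-core (or http-client), not a package the user pinned.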

How We Are Unique

DependGuard goes beyond traditional dependency analysis tools by incorporating community health assessment. This unique approach provides a more holistic view of your project's security posture, allowing you to make informed decisions about the dependencies you use.

Steps to Use DependGuard

  1. Access the Webpage: Visit the DependGuard website.
  2. Provide Project Information: Upload a GitHub link or a dependency file (e.g., requirements.txt).
  3. Submit for Processing: Click the submit button to initiate the analysis.
  4. Review Results and Take Action: DependGuard will present you with a detailed report on your project's dependencies, including vulnerabilities, community scores based on CHAOSS metrics, and recommendations for remediation. Take the necessary steps to address any identified issues.

Troubleshooting Guidance

  • API Rate Limits: If you encounter rate limit errors, DependGuard will automatically switch to a different API key. However, if all keys are exhausted, you may need to wait before retrying.
  • Missing Information: In some cases, DependGuard may not be able to retrieve all information about a dependency. This could be due to limitations in the underlying APIs or databases.
  • Incorrect Results: If you believe the results are inaccurate, please double-check the provided project information and consider reporting the issue to the DependGuard team.
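The key-switching behaviour described under "API Rate Limits", as an added example that is not DependGuard's own code. It assumes the upstream API signals an exhausted quota with a status such as HTTP 429 carrying a retry delay (the transport layer turns that into the RateLimited exception here); FakeQuotaApi is a constructed stand-in with a small per-key budget so the example runs offline, and the wait reported once every key is parked is what the user would see in the "all keys are exhausted" case.

```python
"""Added illustration of rotating API keys on rate-limit errors.
Example code written for this README, not DependGuard's implementation.
Assumes the API reports quota exhaustion with a retry delay (e.g. HTTP 429);
FakeQuotaApi below is a constructed stand-in so the example runs offline."""
import time
from typing import Callable, Dict, List


class RateLimited(Exception):
    """Raised by the transport layer when the API reports an exhausted quota."""
    def __init__(self, retry_after: float):
        super().__init__(f"rate limited, retry after {retry_after:.0f}s")
        self.retry_after = retry_after


class AllKeysExhausted(Exception):
    """Every key is cooling down; wait_seconds is the soonest one becomes usable."""
    def __init__(self, wait_seconds: float):
        super().__init__(f"all API keys exhausted, wait {wait_seconds:.0f}s")
        self.wait_seconds = wait_seconds


class KeyRotator:
    """Round-robin over a pool of keys, skipping any that recently hit the limit."""

    def __init__(self, keys: List[str]):
        if not keys:
            raise ValueError("at least one API key is required")
        self._keys = list(keys)
        self._cooldown_until: Dict[str, float] = {k: 0.0 for k in self._keys}
        self._start = 0  # key to try first next time, so load spreads across the pool

    def call(self, request_fn: Callable[[str], object],
             now: Callable[[], float] = time.monotonic) -> object:
        """Invoke request_fn(key) with the first usable key; on RateLimited,
        park that key until its retry delay elapses and try the next one."""
        current = now()
        n = len(self._keys)
        for step in range(n):
            key = self._keys[(self._start + step) % n]
            if self._cooldown_until[key] > current:
                continue  # still cooling down from an earlier limit hit
            try:
                result = request_fn(key)
            except RateLimited as exc:
                self._cooldown_until[key] = current + max(exc.retry_after, 1.0)
                continue
            self._start = (self._start + step + 1) % n
            return result
        soonest = min(self._cooldown_until.values())
        raise AllKeysExhausted(max(soonest - current, 0.0))


class FakeQuotaApi:
    """Constructed stand-in for a rate-limited API: each key has a fixed budget
    and answers with RateLimited once it is spent."""

    def __init__(self, budgets: Dict[str, int], reset_in: float = 60.0):
        self.remaining = dict(budgets)
        self.reset_in = reset_in
        self.log: List[str] = []  # which key served each successful request

    def get(self, key: str) -> dict:
        if self.remaining.get(key, 0) <= 0:
            raise RateLimited(retry_after=self.reset_in)
        self.remaining[key] -= 1
        self.log.append(key)
        return {"ok": True, "served_by": key}


def run_demo(requests: int = 5):
    """Two keys with two requests each: four calls succeed, alternating keys;
    the fifth finds every key parked and reports how long to wait."""
    api = FakeQuotaApi({"key-A": 2, "key-B": 2})
    rotator = KeyRotator(["key-A", "key-B"])
    clock = lambda: 0.0  # frozen clock keeps the demo deterministic
    served, wait = 0, None
    for _ in range(requests):
        try:
            rotator.call(api.get, now=clock)
            served += 1
        except AllKeysExhausted as exc:
            wait = exc.wait_seconds
            break
    return served, wait, api.log


if __name__ == "__main__":
    print(run_demo())
```

Two details matter in practice: a key that hit the limit is parked for the delay the API reported rather than retried immediately (hammering a limited key only extends the block), and the rotator never raises until every key has been tried, so a single exhausted key is invisible to the user while at least one other key still has quota.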

Contributing

DependGuard is an open-source project, and we welcome contributions from the community. If you'd like to get involved, please reach out to us via the contact information on our team's website.

Meet The Team

Team photo, from left to right:

  • Priansh Mittra, database manager and backend engineer
  • Sebastian Alexis, research director and backend engineer
  • Aryan Jain, pitch head and frontend engineer
  • Andy Zhang, media coordinator and frontend engineer

Contact

For any questions or feedback, feel free to reach out to the DependGuard team through our GitHub repository or the contact information on our team's website.

We hope DependGuard empowers you to build more secure and reliable OSS projects!