We all love Python for its simplicity and amazing ecosystem. But let's be honest: how many times have you typed pip install <new_package> crossing your fingers, hoping it's not one of those malicious packages you read about in the news?
The pip install command is a direct gateway to your system. A simple typo (typosquatting: a malicious package whose name is one character off from requests) or a compromised legitimate package can introduce malware, steal your environment variables, or leak your SSH keys. This is the heart of a software supply chain attack, and it's a growing problem.
As a developer, this worried me. Why is the installation process a security blind spot?
That's why I created pipq: a security proxy for pip that analyzes Python packages before they reach your system.
What is pipq?
pipq acts as an intelligent security guard between you and PyPI. Instead of running pip install, you run pipq install.
pipq intercepts that request and, before installing anything, runs a series of comprehensive security validations. It gives you a clear report and makes a decision based on your configuration: block, warn, or install silently.
It's the same ease of use as pip, but with a security brain built-in.
Key Features: The pipq Security Arsenal
pipq isn't just one check. It's a suite of deep analysis tools designed to catch a wide range of threats:
- Typosquatting Detection: Identifies packages with names dangerously similar to popular ones to catch malicious imitations.
- Static Code Analysis: This is a crucial one! pipq downloads the package and scans the source code for dangerous patterns (like eval(), exec(), or obfuscated code) without ever executing it.
- Known Vulnerability Scanning: Integrates with databases like OSV to check if the package or its dependencies have reported vulnerabilities (CVEs and other advisories).
- Malware Scanning (with VirusTotal): If you have an API key (even the free one works!), pipq can submit file hashes to VirusTotal for top-tier malware analysis.
- Package Age Validation: A critical package was created 3 hours ago? pipq will flag it. Brand-new packages can be a strong indicator of an attack.
- Maintainer Analysis: Does the package have a single maintainer? Does their profile look suspicious? pipq gives you that context.
- Integrity & Provenance Validation: Ensures the downloaded file's SHA256 hash matches the one published by the index, and that the package follows modern packaging standards (like using pyproject.toml).
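To make three of these checks concrete (typosquatting detection, static scanning of package source, and package-age validation), here is a small illustrative implementation written for this post. It is example code, not pipq's own source: the popular-package list and the sample setup.py are constructed for the demo, and the thresholds (edit distance 1, 24 hours, 100-character literals) are assumptions, not pipq's settings.

```python
"""Illustrative versions of three pipq-style checks: typosquatting detection,
static scanning of package source, and package-age validation. Example code
written for this post, not pipq's own source; inputs below are constructed."""
import ast
import base64
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a "popular packages" list; a real tool would load
# the PyPI top-downloads list instead.
POPULAR = {"requests", "numpy", "flask", "django", "urllib3", "setuptools"}
DANGEROUS_CALLS = {"eval", "exec", "__import__"}
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify", "decompress"}
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance, so a swapped
    pair like 'reqeusts' vs 'requests' costs 1 rather than 2."""
    prev_prev, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # adjacent transposition: prev_prev is only set once i > 1
            if prev_prev is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev_prev[j - 2] + 1)
            cur.append(best)
        prev_prev, prev = prev, cur
    return prev[-1]


def typosquat_candidates(name: str, max_distance: int = 1) -> list:
    """Popular names within max_distance of `name`. An exact normalized match
    is the real package, not a squat, so it returns no candidates."""
    n = normalize(name)
    if n in POPULAR:
        return []
    return sorted(p for p in POPULAR if edit_distance(n, p) <= max_distance)


def _callee_name(func):
    """Callee as a bare name (exec) or attribute name (base64.b64decode)."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


class DangerousCallFinder(ast.NodeVisitor):
    """Collects (lineno, description) for dynamic-execution and obfuscation
    patterns. Works on the AST only: nothing is imported or executed."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        name = _callee_name(node.func)
        if name in DANGEROUS_CALLS:
            self.findings.append((node.lineno, f"dynamic execution via {name}()"))
            # exec(base64.b64decode(...)) is the classic packed-payload shape
            inner = _callee_name(getattr(node.args[0], "func", None)) if node.args else None
            if inner in DECODERS:
                self.findings.append((node.lineno, f"{name}() over decoded payload"))
        self.generic_visit(node)

    def visit_Constant(self, node):
        # Long base64-looking literals are a cheap obfuscation heuristic.
        if isinstance(node.value, str) and len(node.value) >= 100 and B64_RE.fullmatch(node.value):
            self.findings.append((node.lineno, "long base64-looking string literal"))


def scan_source(source: str) -> list:
    """Parse (never run) Python source and return sorted findings."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [(exc.lineno or 0, "unparseable source (possible obfuscation)")]
    finder = DangerousCallFinder()
    finder.visit(tree)
    return sorted(finder.findings)


def is_suspiciously_new(upload_time_iso: str, now: datetime,
                        min_age: timedelta = timedelta(days=1)) -> bool:
    """True if the release is younger than min_age. The timestamp has the shape
    of the upload_time_iso_8601 field in PyPI's JSON API ('...T12:00:00.000000Z')."""
    uploaded = datetime.fromisoformat(upload_time_iso.replace("Z", "+00:00"))
    return now - uploaded < min_age


# Constructed sample: a setup.py that unpacks and runs a payload at install
# time. It is only parsed by scan_source(), never executed.
_ENCODED = base64.b64encode(b"print('runs at pip install time')").decode()
SAMPLE_SETUP_PY = f'''\
import base64, setuptools
exec(base64.b64decode("{_ENCODED}"))
setuptools.setup(name="reqeusts", version="0.0.1")
'''

if __name__ == "__main__":
    print("typosquat of:", typosquat_candidates("reqeusts"))
    for lineno, what in scan_source(SAMPLE_SETUP_PY):
        print(f"setup.py:{lineno}: {what}")
    now = datetime(2024, 5, 1, 15, 0, tzinfo=timezone.utc)
    print("too new:", is_suspiciously_new("2024-05-01T12:00:00.000000Z", now))
```

Note that the scanner flags the pattern (exec over a decoder call), not the payload's content, which is exactly why the check can run without executing anything; the trade-off is false positives on legitimate dynamic code, which is why a tool like this warns by default rather than blocks.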
Get Started in 60 Seconds
Enough talk. Let's put it to work.
1. Installation
The installation uses pip (ironically, for the last time unsafely!). The package is named pypipq:
pip install pypipq
2. Usage (It's this easy!)
Now, just replace pip with pipq for your installations:
# Instead of: pip install requests
pipq install requests
pipq will analyze requests and its dependencies. If everything looks good (as it should for requests), it will proceed with the pip installation.
If something is suspicious, you'll see a clear warning in your terminal, and the default (warn) mode will ask you if you want to proceed.
The Real Power: Audit, Check, and More
pipq isn't just for installation. It's a Swiss Army knife for your Python environment's security.
Analyze a package without installing
Curious about a package but don't want to install it? Use pipq check:
# Deeply analyze 'numpy'
pipq check numpy --deep
# You can even get the output in JSON or Markdown
pipq check flask --json
Audit your current environment
What vulnerabilities do you have right now in your venv? pipq audit scans all your installed packages.
# Run a full security audit
pipq audit
# Generate a JSON report for your CI/CD pipeline
pipq audit --json > audit_report.json
Get a security profile
Want the full scoop on a package? pipq info gives you a "report card" with a security grade (A-F), license, maintainers, and more.
pipq info django
Other helpful commands:
- pipq list: Like pip list, but with security status.
- pipq upgrade: Securely upgrade your packages.
- pipq search: Search for packages and see their security scores.
Configuration: Make It Your Own
pipq is fully configurable via a TOML file (~/.config/pipq/config.toml).
Here you can change the operating mode:
- mode = "warn" (default): Asks you before installing anything risky.
- mode = "block": Paranoid but safe. Blocks anything that fails a validation.
- mode = "silent": Just installs, but still logs any issues.
You can also disable specific validators or add your API keys (like VirusTotal) to supercharge the scans.
# Example ~/.config/pipq/config.toml
mode = "block"
timeout = 30
disable_validators = ["age"] # I don't care about package age
[api_keys]
virustotal = "your_free_virustotal_api_key"
A Note on Status
pipq is a project I'm actively working on and should be considered experimental. It's functional, but there may be bugs. Feedback and contributions are more than welcome!
Conclusion: Secure Your Supply Chain
Software supply chain security is no longer just a "big enterprise" problem. It affects every developer, from hobby projects to production systems.
Tools like pipq aim to close the gap, giving you the power of pip with the peace of mind of robust, automatic security analysis. You no longer have to choose between speed and safety.
Your Turn!
Are you ready to stop installing packages blind?
- Try pipq: pip install pypipq
- Visit the Repo: github.com/livrasand/pipq
- Give it a Star: If you find the project useful, a star on GitHub would help me immensely in getting the word out!
- Leave a comment: What feature do you like most? What other PyPI security threat worries you?
Thanks for reading, and stay safe out there!