// pypi 패키지

pipeline-check

CI/CD Security Posture Scanner — scores AWS, Terraform, CloudFormation, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket Pipelines, Jenkins, CircleCI, Google Cloud Build, Buildkite, Drone CI, Tekton, Argo Workflows, Dockerfile, Kubernetes manifests, Helm charts, OCI image manifests, SCM repo posture (GitHub / GitLab / Bitbucket), npm and pypi dependency files against OWASP Top 10 CI/CD Risks and 14 other compliance frameworks

pypi.org tarball repo

주간

431

월간

1,222

버전

메인테이너

최초 publish

2026-04-20

publisher

Daniel Martin

tarball

1,741,700 B

AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-05-19

// exfil path

what is read → where it ships

steals

● GitHub PAT
● GitLab PAT
● AI API keys
● npm token
○ home dir
○ clipboard
○ shell history

sends to

⚙ reverse shell(fetches + executes remote payload)

// offending code· @1.1.0· 3 files flagged

llm: malicious · 0.96

→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.

@1.1.0·2026-05-19·AUTO-PUBLISHED·publisher: Daniel Martin
heuristic 35/100
static flags 22
llm malicious (0.96) via fast-track
pypi-sdist-setup-pynew-publisher:0dmature-packagepy-pip-install-runtimereads-github-tokensreads-gitlab-tokensreads-ai-api-keysreads-env-varsreads-homedirchild-process-spawnpy-sys-platform-branchpy-urllib-requestpublic-github-pushclipboard-accessreads-npmrccurl-pipe-bash-unverifiedbun-runtime-bootstrap

--- pipeline_check-1.1.0/pipeline_check/__init__.py (excerpt) --- """pipeline-check. CI/CD security posture scanner. This module re-exports the small, stable surface library callers can rely on. Anything not listed in ``__all__`` is internal and may move between releases without notice. Example ------- from pipeline_check import Scanner, Severity, score scanner = Scanner(pipeline="github", gha_path=".github/workflows") findings = scanner.run() critical = [f for f in findings if not f.passed and f.severity is Severity.CRITICAL] result = score(findings) print(f"score={result['score']} grade={result['grade']}") The CLI entry point is :func:`pipeline_check.cli.main`; the AWS Lambda entry point is :func:`pipeline_check.lambda_handler.handler`. Both of those drive the same :class:`Scanner` you see above. """ # Single source of truth for the package version. The release script # (see CLAUDE.md) bumps this literal alongside ``[project] version`` # in ``pyproject.toml`` and the ``vX.Y.Z`` git tag. We deliberately do # NOT read ``importlib.metadata.version("pipeline_check")``: the # installed dist-info goes stale on editable installs whenever # someone bumps the version without re-running ``pip install -e .``, # producing a misleading ``--version`` for contributors. __version__ = "1.1.0" # ── Public API surface ───────────────────────────────────────────── # # Re-exports below are versioned: types and functions named in # ``__all__`` keep their import path stable across minor releases. # Anything reached via deeper paths --- pipeline_check-1.1.0/pipeline_check/cli.py (excerpt) --- """CLI entry point. Usage ----- pipeline_check [OPTIONS] pipeline_check init [--path PATH] [--force] Examples -------- # Auto-detect every supported provider in cwd and scan each. # Single match = single-provider scan; multiple matches = automatic # multi-provider run with cross-provider chain correlation. pipeline_check # Scaffold a starter config file pre-filled from cwd. pipeline_check init # Short flags work for the most-typed options. pipeline_check -p github -o json -c GHA-001 -f HIGH # Scan a live AWS account. pipeline_check --pipeline aws --region eu-west-1 --output both --severity-threshold HIGH # Run specific checks only. pipeline_check --pipeline aws --checks CB-001 --checks CB-003 # Scan a Terraform plan, no AWS credentials needed. pipeline_check --pipeline terraform --tf-plan plan.json # Annotate findings with a single standard, or list registered standards. pipeline_check --standard owasp_cicd_top_10 pipeline_check --list-standards # Print version and exit. pipeline_check --version Exit codes ---------- 0 Gate passed 1 Gate failed (default gate: any CRITICAL finding in the effective set) 2 Scanner failure (e.g. AWS API error) Provider-path flags (``--tf-plan``, ``--gha-path``, ``--gitlab-path``, ``--bitbucket-path``) are validated eagerly; the latter three also auto-detect their canonical file at cwd when omitted. Missing flag plus missing canonical f --- pipeline_check-1.1.0/pipeline_check/lambda_handler.py (excerpt) --- """AWS Lambda entry point. Wraps the ``Scanner`` + ``score`` + ``report_json`` pipeline so the same scan logic runs from CLI and Lambda without duplication. Environment variables --------------------- PIPELINE_CHECK_RESULTS_BUCKET S3 bucket where JSON reports are stored. Reports are written to: ``reports/<timestamp>/pipeline_check-report.json`` If unset, the report is not persisted to S3 and ``report_s3_key`` is ``null`` in the return payload. PIPELINE_CHECK_SNS_TOPIC_ARN SNS topic ARN to notify when CRITICAL findings are detected. If unset, no SNS alert is sent. When set *and* CRITICAL findings exist, one message is published per invocation listing each critical finding and linking to the S3 report (if persisted). Event payload (optional) ------------------------ { "region": "eu-west-1" // single-region scan (legacy shape) } // Fan-out shape: { "regions": ["us-east-1", "eu-west-1"], "providers": ["aws"] // defaults to ["aws"] if omitted } Return value ------------ // Single-scan shape (legacy path, one region, one provider): { "statusCode": 200, "grade": "B", "score": 78, ... } // Fan-out shape: { "statusCode": 200, "scans": [ {region, provider, grade, score, ...}, ... ], "worst_grade": "D", "total_critical_failures": 3 } Failure handling ---------------- - S3 ``put_object`` failures are logged