This small repo is meant to scan Github's repositories for potential Dependency confusion vulnerabilities.
It scans for packages in:
- Nuget
- *.csproj
- packages.config
- Maven
- *pom.xml
- build.gradle
- Packagist
- composer.lock
- composer.json
- Pypi
- requirements.txt
- NPM
- package-lock.json
- package.json
Simply fetches the relevant files for each package manager, parse it, and check if the package exists publicly.
Additionally, it will warn if a detected public package includes 999 or 9.9.9 in the package version (for already exploited dependency confusion)
Create a github_access_token file and add you Github's api token to it (this way it could also have access to private repos).
In order to run the script simply state an organization and scan all the repos in it (with option to exclude_repos)
scanner = OrganizationScanner("SonarSource")
scanner.scan_all_repos()Or scan a specific repo
scanner = OrganizationScanner()
scanner.scan_repo("ndleah/python-mini-project")