Introducing pkgbot!

Written by:
Karen Yavine

January 19, 2017

As a security analyst at Snyk, I spend a ton of time digging around code repositories and package managers to be able to understand how serious a vulnerability is. I need to know what type of vulnerability is at hand and how popular of a package I’m dealing with, so I can calculate how much time and effort I should spend on researching a vulnerability. A package with 50 million downloads a month and a package with 150 downloads a month shouldn’t have the same amount of effort channeled into research.

So instead of having 500 tabs open, trying to get a grasp of what I’m dealing with, I created a new friend. We call him pkgbot. I just couldn’t keep him all to myself though. He’s pretty helpful, and I find myself using him at least once a day. So we decided to open source him for everyone to use, edit and share their thoughts on what to improve.

He’s funny, he’s witty, and there is no one like him. Give a round of applause to my friend, pkgbot!


Hey everybody!

I'm pkgbot. Nice to meet you. My purpose is almost as simple as this, but instead of butter, I get you all that lovely information you needed. From the description of the package to the number of downloads and even the number of vulnerabilities it and its dependencies have. I love my job, really I do.

I was born as a CLI tool written by Karen Yavine and Alon Niv, used by the Snyk Security Team while researching and adding vulnerabilities to their Vulnerability DB. All I needed was the npm package name, and I was a go! Like a knight fighting a forest of thorns, I fought my way through the network. I found the trail that led me straight to where I was going, npm API! And what a lovely place that is. I started collecting treasures for my beloved Snyk Security Team. That first time was rough, but ever since I’ve been happily collecting these treasures for them.

Here’s what it looks like:

[Screenshot: pkgbot-npm]
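To make the lookup described above concrete, here is an added example (not pkgbot's own code) that runs offline. The two input documents are constructed, but they follow the response shapes of two real npm endpoints, `GET https://registry.npmjs.org/<name>` for package metadata and `GET https://api.npmjs.org/downloads/point/last-month/<name>` for download counts. The advisory table is a hypothetical stand-in for a vulnerability database, the package and advisory names are placeholders, and the download thresholds used to rank research effort are assumptions made for this example.

```javascript
// Added example, not pkgbot's own code: an offline sketch of the lookup the
// post describes. Both input documents are constructed; they follow the shapes
// returned by the real npm registry and downloads endpoints.

// Constructed registry document for a hypothetical package.
const REGISTRY_DOC = {
  name: 'example-lib',
  description: 'A constructed package used only for this example',
  'dist-tags': { latest: '2.1.0' },
  versions: {
    '2.0.0': { dependencies: { 'left-util': '^1.0.0' } },
    '2.1.0': { dependencies: { 'left-util': '^1.0.0', 'tiny-parse': '~0.3.1' } },
  },
};

// Constructed downloads document (the real endpoint returns this shape).
const DOWNLOADS_DOC = {
  downloads: 50000000,
  start: '2016-12-19',
  end: '2017-01-18',
  package: 'example-lib',
};

// Hypothetical advisory DB keyed by package name; ids are placeholders.
const ADVISORIES = {
  'example-lib': [{ id: 'EXAMPLE-0001', severity: 'medium' }],
  'tiny-parse': [{ id: 'EXAMPLE-0002', severity: 'high' }],
};

// Collect the facts an analyst needs: description, monthly downloads, direct
// dependencies of the latest version, and advisory counts for the package
// itself and for its dependencies.
function summarizePackage(registryDoc, downloadsDoc, advisories) {
  if (!registryDoc || registryDoc.error) {
    throw new Error(`package not found in registry: ${registryDoc && registryDoc.error}`);
  }
  const latest = registryDoc['dist-tags'].latest;
  const manifest = registryDoc.versions[latest] || {};
  const dependencies = Object.keys(manifest.dependencies || {});
  // The downloads endpoint answers unknown names with {error: ...}; treat a
  // missing or non-numeric count as zero instead of crashing.
  const monthlyDownloads =
    downloadsDoc && typeof downloadsDoc.downloads === 'number' ? downloadsDoc.downloads : 0;
  const count = (name) => (advisories[name] || []).length;
  return {
    name: registryDoc.name,
    description: registryDoc.description || '',
    latest,
    monthlyDownloads,
    dependencies,
    ownVulns: count(registryDoc.name),
    depVulns: dependencies.reduce((n, d) => n + count(d), 0),
  };
}

// Research effort should scale with reach (the post's 50M vs 150 downloads
// point). The thresholds are assumptions made for this example.
function researchPriority(summary) {
  if (summary.monthlyDownloads >= 1000000) return 'high';
  if (summary.monthlyDownloads >= 10000) return 'medium';
  return 'low';
}

// One-line report in the style a chat bot would post.
function formatReport(summary) {
  return (
    `${summary.name}@${summary.latest}: ${summary.description} | ` +
    `${summary.monthlyDownloads} downloads/month | ` +
    `${summary.dependencies.length} direct deps | ` +
    `${summary.ownVulns} own vulns, ${summary.depVulns} in deps | ` +
    `priority: ${researchPriority(summary)}`
  );
}

console.log(formatReport(summarizePackage(REGISTRY_DOC, DOWNLOADS_DOC, ADVISORIES)));
```

Only direct dependencies of the latest version are counted here; a real lookup would walk the resolved tree, since a transitive dependency's advisories matter just as much as a direct one's.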

Eventually, we added Ruby support! This was fun, as the skills I acquired for npm helped me on my journey. I happily went to and from the RubyGems API as well.

[Screenshot: pkgbot-ruby]

And now, my friends, I’m here for you. Willing to go as far as the dependency sea and the vulnerability valley to show you all the vulnerabilities a package has, without you having to lift a finger. Well, besides going to Slack (but let’s be honest, you’re probably there right now talking about how awesome I am).

[Screenshot: pkgbot-Snyk]

*bows*

I’m not perfect, but I’m improving all the time, and I’d appreciate it if you contributed to building me into a better, smarter me!

Till next time,
Love,
Pkgbot
