Snyk Blog

Introducing pkgbot!

Escrito por:
Karen Yavine
Karen Yavine

19 de janeiro de 2017

0 minutos de leitura

As a security analyst at Snyk, I spend a ton of time digging around code repositories and package managers to be able to understand how serious a vulnerability is. I need to know what type of vulnerability is at hand and how popular of a package I’m dealing with, so I can calculate how much time and effort I should spend on researching a vulnerability. A package with 50 million downloads a month and a package with 150 downloads a month shouldn’t have the same amount of effort channeled into research.

So instead of having 500 tabs open, trying to get a grasp of what I’m dealing with, I created a new friend. We call him pkgbot. I just couldn’t keep him all to myself though. He’s pretty helpful, and I find myself using him at least once a day. So we decided to open source him for everyone to use, edit and share their thoughts on what to improve.

He’s funny, he’s witty, and there is no one like him, give a round of applause to my friend, pkgbot!

Hey everybody!

I'm pkgbot. Nice to meet you. My purpose is almost as simple as this, but instead of butter, I get you all that lovely information you needed. From the description of the package to the number of downloads and even the number of vulnerabilities it and its dependencies have. I love my job, really I do.

I was born as a CLI tool written by Karen Yavine and Alon Niv, used by the Snyk Security Team while researching and adding vulnerabilities to their Vulnerability DB. All I needed was the npm package name, and I was a go! Like a knight fighting a forest of thorns, I fought my way through the network. I found the trail that led me straight to where I was going, npm API! And what a lovely place that is. I started collecting treasures for my beloved Snyk Security Team. That first time was rough, but ever since I’ve been happily collecting these treasures for them.

Here’s what it looks like:

pkgbot-npm

Eventually, we added Ruby support! This was fun, as the skills I acquired for npm helped me on my journey. I happily went to and from the RubyGems API as well.

pkgbot-ruby

And now, my friends, I’m here for you. Willing to go as far as the dependency sea and the vulnerability valley to show you all the vulnerabilities a package has, without you having to lift a finger. Well, besides going to Slack (But let’s be honest, you’re probably there right now talking about how awesome I am).

pkgbot-Snyk

*bows*

I’m not perfect, but I’m improving all the time and I’d appreciate it if you contributed to building me into a better, smarter, me!

Till next time,
Love,
Pkgbot

Publicado em:Engenharia

Quer experimentar?

Snyk interviewed 20+ security leaders who have successfully and unsuccessfully built security champions programs. Check out this playbook to learn how to run an effective developer-focused security champions program.

Agende uma demonstração ao vivo

Snyk é uma plataforma de segurança para desenvolvedores. Integrando-se diretamente a ferramentas de desenvolvimento, fluxos de trabalhos e pipelines de automação, a Snyk possibilita que as equipes encontrem, priorizem e corrijam mais facilmente vulnerabilidades em códigos, dependências, contêineres e infraestrutura como código. Com o suporte do melhor aplicativo do setor e inteligência em segurança, a Snyk coloca a experiência em segurança no kit de ferramentas de todo desenvolvedor.

Comece grátisAgende uma demonstração ao vivo

Produto

O que é a Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerInfraestrutura como Código da SnykSnyk AppRisk (ASPM)Plataforma de Segurança para o DesenvolvedorSegurança de aplicativosSegurança da cadeia de suprimentos de softwareProteja o código gerado por IA DeepCode AIPreçosOpções de implantaçãoIntegraçõesPlugins de IDESegurança GitSegurança de pipelines de CI/CDSnyk CLISnyk LearnSnyk para JavaScript

Recursos

DocumentaçãoDocumentação da API da SnykStatus APIVulnerabilidades reveladasPortal de suporte e perguntas frequentesBlogElementos básicos da segurançaRecursos para líderes de segurançaRecursos para hackers éticosBanco de dados de vulnerabilidadesSnyk OSS AdvisorSnyk Top 10VídeosRecursos do clienteSecurity LabsThe Secure Developer Podcast

Empresa

SobreClientesCarreirasEventosSnyk para governoSegurança e confiançaTermos jurídicosPrivacidadePara os residentes na Califórnia: Não vender minhas informações pessoaisTermos de uso do siteProcurement

Conecte-se

Agende uma demonstração ao vivoFale conoscoSuporteRelatar nova vulnerabilidade

Segurança

Segurança de aplicativosSegurança de contêineresSegurança da cadeia de suprimentosSegurança JavaScriptSegurança de código abertoSegurança AWSSDLC protegidoPostura de segurançaCódigo protegidoHacking éticoIA em cibersegurançaVerificador de códigoPythonCibersegurança para grandes empresasJavaScriptSnyk com GitHubSnyk vs VeracodeSnyk vs. CheckmarxSnyk vs Synopsys

© 2024 Snyk Limited
Registrada na Inglaterra e País de Gales

logo-devseccon