nuclear-treestump/pydepgate

PyDepGate is one of the more interesting security tools I’ve looked at in this batch. It has a very specific threat model: Python code that can execute before a user’s script really starts, especially .pth files, sitecustomize.py, usercustomize.py, package init.py, setup.py, and generated console entry points. That focus is valuable because it is different from the usual “known vulnerable dependency” or generic static-analysis story. The README makes the problem concrete and explains why startup vectors are dangerous instead of assuming the reader already knows.

The project is surprisingly mature for a repo with only a handful of stars. It has 200+ commits, PyPI packaging, Docker publishing, Apache-2.0 licensing, a security policy, contributing docs, a roadmap, CodeQL, unit-test workflows, SARIF validation, and a structured src/pydepgate package layout. The README is detailed without being vague: it covers wheel/sdist/package/file scanning, --single, --peek, recursive decoded-payload scanning, CI mode, custom rules, SARIF output, exit codes, Docker usage, pre-commit hooks, and a clear analyzer pipeline.

The design choices are strong. Zero runtime dependencies makes sense for a supply-chain defense tool, and the project is explicit about never executing, compiling, importing, or deserializing inspected input. The analyzer set also feels thoughtful: encoding abuse, dynamic execution, obfuscated strings, suspicious stdlib usage, and density-style signals. The rules engine is a good touch because it lets the same raw signal mean different things depending on context; a base64 blob in a normal library file is not the same risk as one in a .pth file.

The main concern is trust calibration. Security tools need adoption, peer review, and careful false-positive reporting, and this project is still very small publicly: around 5 stars, no forks, and no open issues at the time I checked. I would add a short “known limitations” section near the top, publish a few real-world case studies, and include benchmark/false-positive results against a representative PyPI sample. The latest release, v0.4.7 on May 24, 2026, also appears ahead of the pyproject.toml version shown on main as 0.4.5, so keeping version metadata visibly in sync would avoid confusion.

Overall, PyDepGate looks technically serious and unusually well documented. It is still early from an ecosystem-trust perspective, but the threat model is sharp, the safety posture is sensible, and the CI/SARIF/Docker/PyPI integrations make it practical enough for security-minded Python teams to experiment with.