github.com/google/capslock@v0.2.3-0.20240517042941-dac19fc347c0/README.md

![capslock](docs/capslock-banner.png)

Capslock is a capability analysis CLI for Go packages that reports which
privileged operations a given package can reach. It classifies the
**capabilities** of Go packages by following transitive calls down to
privileged standard library operations.

The recent increase in supply chain attacks targeting open source software
has highlighted that third-party dependencies should not be inherently trusted.
Capabilities indicate what permissions a package has access to, and can be used
in conjunction with other security signals to indicate which code requires
additional scrutiny before it can be considered trusted.

## What are capabilities?

Current security analysis focuses heavily on identifying vulnerabilities in
packages -- an important goal given the rate at which new CVEs are identified.
To complement this analysis, we alert on the capabilities of packages,
meaning that we identify what permissions a package has access to via its
transitive dependencies on standard library functions with privileged
accesses.

This has many potential applications, from identifying the purpose of packages
by looking at what capabilities they use, to directing security reviews to more
privileged code paths, and even alerting on unexpected capability changes to
stop potential supply chain threats before they can become an issue.

This is motivated by the Principle of Least Privilege -- the idea that access
should be limited to the minimal set that is feasible and practical. We intend
to apply this to software development to ensure that code can be scoped to the
minimal set of capabilities that are required to perform its intended purpose.

To learn more about the capabilities in your dependencies, install Capslock:

```shell
go install github.com/google/capslock/cmd/capslock@latest
```

You can then invoke Capslock by running `capslock` from the directory of the packages you want to analyze.
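As an added example (not code from the Capslock project), a small Go check for the "alerting on unexpected capability changes" use case described above: it diffs two Capslock reports and lists the capabilities a package gained, so a CI step can fail on a privilege increase. It assumes the reports come from `capslock -output=json` and that the JSON carries a `capability_info` list with `package_name` and `capability` fields; the two reports embedded here are constructed, not real output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// The subset of capslock's JSON report this check reads. The field names
// are an assumption about the output format, not taken from capslock's docs.
type capslockReport struct {
	CapabilityInfo []struct {
		PackageName string `json:"package_name"`
		Capability  string `json:"capability"`
	} `json:"capability_info"`
}
// NewCapabilities returns, sorted, the "package => capability" pairs present
// in current but absent from baseline: the privilege gains a CI gate flags.
func NewCapabilities(baseline, current []byte) ([]string, error) {
	sets := make([]map[string]bool, 2)
	for i, raw := range [][]byte{baseline, current} {
		var r capslockReport
		if err := json.Unmarshal(raw, &r); err != nil {
			return nil, err
		}
		sets[i] = map[string]bool{}
		for _, ci := range r.CapabilityInfo {
			sets[i][ci.PackageName+" => "+ci.Capability] = true
		}
	}
	var added []string
	for k := range sets[1] {
		if !sets[0][k] {
			added = append(added, k)
		}
	}
	sort.Strings(added)
	return added, nil
}
// Constructed sample reports standing in for two capslock runs.
var baselineJSON = []byte(`{"capability_info":[
 {"package_name":"example.com/dep","capability":"CAPABILITY_FILES"}]}`)
var currentJSON = []byte(`{"capability_info":[
 {"package_name":"example.com/dep","capability":"CAPABILITY_FILES"},
 {"package_name":"example.com/dep","capability":"CAPABILITY_NETWORK"}]}`)
func main() {
	added, err := NewCapabilities(baselineJSON, currentJSON)
	fmt.Println("new capabilities:", added, "error:", err)
}
```

A non-empty result is the signal to stop and review the dependency before trusting the new version.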

## Caveats

See the [caveats](docs/caveats.md) file.

## Contributing

See the [contributing](CONTRIBUTING.md) file.

## Star History

[![Star History Chart](https://api.star-history.com/svg?repos=google/capslock&type=Date)](https://star-history.com/#google/capslock&Date)