github.com/google/capslock@v0.2.3-0.20240517042941-dac19fc347c0/README.md

![capslock](docs/capslock-banner.png)

Capslock is a capability analysis CLI for Go packages that informs users of
which privileged operations a given package can access. It works by
classifying the **capabilities** of Go packages, following transitive calls down
to privileged standard library operations.

The recent increase in supply chain attacks targeting open source software
has highlighted that third-party dependencies should not be inherently trusted.
Capabilities indicate what permissions a package has access to, and can be used
in conjunction with other security signals to indicate which code requires
additional scrutiny before it can be considered trusted.

## What are capabilities?

Current security analysis focuses heavily on identifying vulnerabilities in
packages -- an important goal given the rate of new CVEs being identified.
To complement this analysis, we alert on the capabilities of packages,
meaning that we identify what permissions a package has access to via
its transitive dependencies on standard library functions with privileged
accesses.

This has many potential applications, from identifying the purpose of packages
by looking at what capabilities they use, to directing security reviews to more
privileged code paths, and even alerting on unexpected capability changes to
stop potential supply chain threats before they can become an issue.

This is motivated by the Principle of Least Privilege -- the idea that access
should be limited to the minimal set that is feasible and practical. We intend
to apply this to software development to ensure that code can be scoped to the
minimal set of capabilities required to perform its intended purpose.
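To make the transitive analysis and the "unexpected capability change" signal concrete, here is an added example (not Capslock's own code): it walks a hand-built call graph with constructed capability labels and a tiny constructed `privileged` table, collects every capability reachable from a package entry point, and reports any that a baseline did not expect. Capslock itself builds the call graph from real Go source; this example assumes the graph is given.

```go
package main

import "sort"

type callGraph map[string][]string // function -> its direct callees
// privileged maps stdlib entry points (constructed sample) to the capability
// that calling them grants; the labels are not Capslock's own names.
var privileged = map[string]string{
	"os.ReadFile":     "FILES",
	"os/exec.Command": "EXEC",
}

// capabilities returns, sorted, every capability reachable from root by
// following transitive calls; each function is visited once, so cycles end.
func capabilities(g callGraph, root string) []string {
	seen, found := map[string]bool{}, map[string]bool{}
	var out []string
	var walk func(fn string)
	walk = func(fn string) {
		if seen[fn] {
			return
		}
		seen[fn] = true
		if c, ok := privileged[fn]; ok && !found[c] {
			found[c] = true
			out = append(out, c)
		}
		for _, callee := range g[fn] {
			walk(callee)
		}
	}
	walk(root)
	sort.Strings(out)
	return out
}

// newCapabilities lists capabilities in got that the baseline lacks: a widening.
func newCapabilities(expected, got []string) []string {
	base := map[string]bool{}
	for _, c := range expected {
		base[c] = true
	}
	var extra []string
	for _, c := range got {
		if !base[c] {
			extra = append(extra, c)
		}
	}
	return extra
}
```

A non-empty result from `newCapabilities` is the point at which a review of the changed dependency, rather than of the whole package, is warranted.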

To learn more about the capabilities in your dependencies, install Capslock:

```shell
go install github.com/google/capslock/cmd/capslock@latest
```

You can then invoke Capslock by running `capslock` from the directory of the packages you want to analyze.

## Caveats

See the [caveats](docs/caveats.md) file.

## Contributing

See the [contributing](CONTRIBUTING.md) file.

## Star History

[![Star History Chart](https://api.star-history.com/svg?repos=google/capslock&type=Date)](https://star-history.com/#google/capslock&Date)