Open source supply chain security platform. CLI for developers. Server mode for teams. Self-hostable. Free.
Software supply chain attacks are now the primary vector for breaching large organizations. Existing tools catch CVEs, but the most dangerous attacks never appear in any CVE database. LibAccess combines CVE scanning, behavioral analysis, maintainer risk monitoring, tarball verification, and dynamic sandboxing in a single binary you can run anywhere.
In 2024, an attacker spent two years building trust in the XZ Utils project - submitting legitimate patches, helping with maintenance, gradually gaining commit access. Then they injected a backdoor. The backdoor existed only in the published release tarballs, not in the git source code.
CVSS 10.0. Targeting OpenSSH on systemd-based Linux. Would have shipped to hundreds of millions of systems.
It was caught by accident - an engineer noticed that SSH logins were taking 500ms longer than expected and traced it back to the xz library. Nobody's security scanner caught it. Not Snyk. Not Socket. Not Trivy. Not Grype.
What would have caught it: comparing the published tarball against the git source. Every file. Every byte.
LibAccess is the only open-source tool with tarball vs source verification built in. Run `libaccess scan --deep` and it downloads both the registry tarball and the git tag, diffs them, and flags any file that exists in the published package but not in the source - or that was silently modified between the two.
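A minimal version of that tarball-vs-source check, added here as an example (it is not LibAccess's own implementation): it hashes every regular file in a release tarball and in a source checkout, strips the tarball's top-level `name-version/` directory (an assumption about release-tarball layout), and reports files that exist only in the tarball, files whose content differs, and files only in the source. The sample tarball and source tree are constructed inline so the block runs offline.

```python
import hashlib
import io
import pathlib
import tarfile
import tempfile

def hash_tarball(tar_bytes: bytes) -> dict:
    """Map each regular file in the tarball to its SHA-256, top-level directory stripped."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Assumption: release tarballs wrap everything in "<name>-<version>/"; drop that prefix.
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            digests[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests

def hash_source_tree(root: str) -> dict:
    """Map each file under a checked-out source tree (e.g. the git tag) to its SHA-256."""
    base = pathlib.Path(root)
    return {p.relative_to(base).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in base.rglob("*") if p.is_file()}

def diff_tarball_vs_source(tar_digests: dict, src_digests: dict) -> dict:
    """Files only in the tarball are the highest-risk class; silently modified files come next."""
    both = tar_digests.keys() & src_digests.keys()
    return {
        "only_in_tarball": sorted(tar_digests.keys() - src_digests.keys()),
        "modified": sorted(p for p in both if tar_digests[p] != src_digests[p]),
        "only_in_source": sorted(src_digests.keys() - tar_digests.keys()),
    }

def build_sample() -> dict:
    """Constructed sample: a two-file source tree and a tarball that alters one file and adds one."""
    src = {"configure.ac": b"AC_INIT([demo], [1.0])\n", "src/lib.c": b"int f(void) { return 1; }\n"}
    tar_files = dict(src, **{"src/lib.c": b"int f(void) { return 2; }\n", "m4/extra.m4": b"# not in git\n"})
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in tar_files.items():
            info = tarfile.TarInfo("demo-1.0/" + rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in src.items():
            path = pathlib.Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return diff_tarball_vs_source(hash_tarball(buf.getvalue()), hash_source_tree(tmp))
```

In a real check the tarball comes from the registry and the source tree from a checkout of the matching git tag; any entry under `only_in_tarball` or `modified` is the finding to triage.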
```text
$ libaccess scan ./requirements.txt
LibAccess v1.1.0 - Supply Chain Security Scanner

Syncing vulnerability database... done (last sync: 2h ago)
Resolved dependencies... 127 packages (18 direct, 109 transitive)
Analyzing vulnerabilities...
Analyzing supply chain signals...
Analyzing maintainer changes...
Analyzing AST behavioral fingerprints...

+-- VULNERABILITIES --------------------------------------- 5 --+
|                                                               |
| * CRITICAL Pillow 8.3.1 -> Upgrade to 12.2.0                  |
|   12 vulnerabilities - CVSS 9.8 - EPSS 0.93 - KEV             |
|   CVE-2023-4863, CVE-2024-28219, CVE-2023-44271 (+9 more)     |
|   Run: pip install 'Pillow>=12.2.0'                           |
|                                                               |
| * HIGH Werkzeug 0.15.4 -> Upgrade to 3.1.8                    |
|   8 vulnerabilities - CVSS 9.8 - EPSS 0.90                    |
|   Run: pip install 'Werkzeug>=3.1.8'                          |
|                                                               |
| * MEDIUM requests 2.28.0 -> Upgrade to 2.32.4                 |
|   2 vulnerabilities - CVSS 6.5 - EPSS 0.41                    |
|   Run: pip install 'requests>=2.32.4'                         |
|                                                               |
+---------------------------------------------------------------+

+-- SUPPLY CHAIN RISKS ------------------------------------ 1 --+
|                                                               |
| * MEDIUM colourama 0.4.4 Outdated version                     |
|   Confidence 82% - project alive, pinned version is old       |
|                                                               |
+---------------------------------------------------------------+

Analyzer confirmations:
  * Malicious feed: 19 packages - 0 flagged - 254,084 known
  * Supply chain: 19 packages checked - 1 flagged

Exposure Score: 74/100 - CRITICAL: 1 - HIGH: 3 - MEDIUM: 1
Score = (critical*15 + high*8 + medium*3 + low*1), capped at 100

Results saved to ~/.libaccess/results/scan-20260605-101530.json
Scan completed in 15.2s
```
macOS / Linux:

```sh
curl -fsSL https://raw.githubusercontent.com/KatrielMoses/LibAccess/main/install.sh | bash
```

On Linux, the installer writes PATH setup to ~/.bashrc or ~/.zshrc automatically. First-run database sync usually takes 1-5 minutes and is cached forever after.

Windows:

```powershell
iwr -useb https://raw.githubusercontent.com/KatrielMoses/LibAccess/main/install.ps1 | iex
```

Go install:

```sh
go install github.com/KatrielMoses/LibAccess/cmd/libaccess@latest
```

Binaries for Linux, macOS, and Windows are also available on the releases page.
Scan a project:

```sh
libaccess scan ./requirements.txt
libaccess scan .                                        # auto-detects all manifest files
libaccess scan . --compact                              # one line per finding
libaccess scan . --format sarif --output results.sarif
```

Deep scan (tarball vs source verification):

```sh
libaccess scan . --deep   # downloads and diffs registry tarballs against source
```

Generate a README badge:

```sh
libaccess badge . --output badge.svg
# Add to README:
```

Warm CI caches:

```sh
libaccess cache warm   # pre-downloads vulnerability databases
```

Org-wide monitoring (server mode):

```sh
libaccess serve --database-url postgres://user:pass@localhost/libaccess
# Open http://localhost:8080 for the dashboard
```

CI integration - GitHub Actions (zero config):
```yaml
permissions:
  security-events: write
steps:
  - uses: actions/checkout@v4
  - uses: KatrielMoses/LibAccess@v1.1.0
    with:
      fail-on: HIGH          # exits non-zero if any HIGH+ finding
      upload-sarif: 'true'   # posts results to GitHub Security tab
```

CI integration - manual step:

```yaml
- name: Install LibAccess
  run: curl -fsSL https://raw.githubusercontent.com/KatrielMoses/LibAccess/main/install.sh | bash
- name: Warm LibAccess cache
  run: libaccess cache warm
- name: Supply chain scan
  run: libaccess scan . --format sarif --output libaccess.sarif --fail-on HIGH
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: libaccess.sarif
```

| Feature | LibAccess | Snyk | Socket | Trivy/Grype |
|---|---|---|---|---|
| CVE/vulnerability scanning | Yes | Yes | Yes | Yes |
| Grouped vulnerability output | Yes | Partial | Partial | Partial |
| EPSS + CISA KEV prioritization | Yes | Partial | Partial | Partial |
| Stable finding IDs | Yes | Yes | Partial | Partial |
| Typosquatting detection | Yes | No | Yes | No |
| Dependency confusion detection | Yes | Partial | Yes | No |
| Slopsquatting (AI hallucination packages) | Yes | No | No | No |
| Abandoned vs outdated version labeling | Yes | Partial | Partial | No |
| Static behavioral analysis (AST) | Yes | No | Yes | No |
| Capability version delta | Yes | No | No | No |
| Dynamic sandbox analysis | Yes | No | No | No |
| Tarball vs source verification | Yes | No | No | No |
| Maintainer risk monitoring | Yes | No | Partial | No |
| Threat actor clustering | Yes | No | No | No |
| CI/CD dependency SBOM | Yes | No | No | No |
| Attack simulation mode | Yes | No | No | No |
| Badge command | Yes | No | No | No |
| Cache warm command | Yes | No | No | No |
| VEX support | Yes | Partial | No | Yes |
| License compliance | Yes | Yes | No | Yes |
| SARIF output | Yes | Yes | No | Yes |
| CycloneDX/SPDX output | Yes | Yes | No | Yes |
| Self-hostable | Yes | No | No | Yes |
| Open source (auditable) | Yes | No | No | Yes |
| Free, all features | Yes | Partial | Partial | Yes |
| Offline mode | Yes | No | No | Yes |
| Ecosystem | Manifest Files | Vulnerability Source |
|---|---|---|
| npm | package.json, package-lock.json (v1/v2/v3), yarn.lock | OSV.dev, GHSA, NVD |
| PyPI | requirements.txt, pyproject.toml, Pipfile.lock, setup.cfg | OSV.dev, GHSA, NVD |
| Cargo (Rust) | Cargo.toml, Cargo.lock | RustSec, OSV.dev |
| Go Modules | go.mod, go.sum | OSV.dev, govulncheck DB |
| Maven (Java) | pom.xml, build.gradle | OSV.dev, GHSA, NVD |
| RubyGems | Gemfile, Gemfile.lock | OSV.dev, bundler-audit |
| NuGet (.NET) | *.csproj, packages.lock.json | OSV.dev, GHSA |
| GitHub Actions (CI/CD) | .github/workflows/*.yml | Known action vulnerabilities, policy checks |
- Grouped findings by package, with CVSS, EPSS, KEV, CVE rollups, and install commands.
- Stable `LA-` finding IDs for consistent triage across runs.
- `--compact` output for readable issue comments and screenshots.
- `--timeout` and `--no-save` for bounded CI behavior.
- `cache warm` for fast repeat scans after a cold setup step.
- Shields.io-compatible `badge` generation from fresh or cached results.
- JSON output that stays clean by default when `--format json` is used.
- Getting Started - install, first scan, CI integration
- CLI Reference - all commands and flags
- API Reference - REST API for server mode
- Deployment Guide - Docker, bare metal, Kubernetes
- Configuration - all config options
- Analyzers - how each detection engine works
- Contributing - how to contribute
- Security - reporting vulnerabilities
Apache 2.0 - see LICENSE