ShadowAudit is a supply chain security scanner for npm and PyPI projects. It combines CVE checks, maintainer-risk heuristics, typosquat detection, AI-assisted package review, a dependency graph, a web dashboard, and a terminal CLI.
- Backend: FastAPI, Python 3.11, Supabase
- Frontend: Next.js 14, TypeScript, Tailwind CSS, shadcn/ui, D3
- CLI: Node.js, TypeScript
- Manifest parsing for `package.json` and `requirements.txt`
- Dependency tree resolution with package metadata
- Vulnerability scanning through OSV
- Maintainer change detection for npm and PyPI packages
- Typosquat detection against popular package lists
- AI behavior analysis for higher-risk packages
- Dashboard, scan history, and interactive dependency graph
- CLI access for terminal-based scans
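As an added example (not ShadowAudit's own code), here is how the two manifest formats listed above can be parsed and the resulting dependency names checked against a popular-package list for one-edit typosquats; the popular lists, the sample manifests and the one-edit threshold are constructed assumptions for illustration, not the project's data or logic.

```python
"""Added example, not ShadowAudit's code: parse both manifest formats the
scanner reads and flag names one edit away from a popular package."""
import json
import re

# Constructed sample data: stand-ins for popular-package lists and two manifests.
POPULAR = {"npm": {"lodash", "express", "react", "axios", "chalk"},
           "pypi": {"requests", "numpy", "django", "flask", "urllib3"}}
SAMPLE_PACKAGE_JSON = '{"dependencies": {"lodahs": "^4.17.21", "express": "4.18.2"}, "devDependencies": {"chalk": "5"}}'
SAMPLE_REQUIREMENTS = "Requests==2.31.0  # pinned\n-r base.txt\nnumpyy>=1.26\nDjango_Extras\n"

def parse_package_json(text: str) -> list[str]:
    """Dependency names from package.json, runtime and dev."""
    data = json.loads(text)
    return [n for key in ("dependencies", "devDependencies") for n in data.get(key, {})]

def parse_requirements(text: str) -> list[str]:
    """Distribution names from requirements.txt, PEP 503 normalised."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line or line.startswith("-"):   # skip blanks and -r/-e/--index-url lines
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name before any specifier
        if m:
            names.append(re.sub(r"[-_.]+", "-", m.group(0)).lower())
    return names

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (OSA): insert, delete, substitute or adjacent swap cost 1."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)  # transposition, e.g. lodahs/lodash
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]

def typosquat_candidates(names: list[str], ecosystem: str) -> dict[str, str]:
    """Map each non-popular dependency within one edit of a popular name to that name."""
    popular = POPULAR[ecosystem]
    hits = {}
    for name in set(names) - popular:   # exact popular names are not suspects
        near = next((p for p in popular if edit_distance(name, p) == 1), None)
        if near:
            hits[name] = near
    return hits
```

A real scanner would fetch the popular lists from the registries and tune the distance threshold; one edit is deliberately strict here to keep false positives among short names low.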
- `backend/`: FastAPI API, scanners, tests, database layer
- `frontend/`: Next.js app, dashboard, results UI, graph
- `cli/`: Terminal scanner
- `backend/.env.example`
- `frontend/.env.example`
Create local .env files from those examples before running or deploying the app. Do not commit real secrets.
Reference:
MIT