Skip to content

HacktronAI/cull

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.github/workflows
.github/workflows
 
 
cull
cull
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
cull.py
cull.py
 
 
pyproject.toml
pyproject.toml
 
 
uv.lock
uv.lock
 
 

Repository files navigation

cull

Find compromised npm packages across your infrastructure. Only Python stdlib, no dependencies.

Install

git clone https://github.com/HacktronAI/cull.git
cd cull
python3 -m pip install .

We deliberately do not publish to PyPI to avoid creating another supply-chain distribution point for a security tool. Install from a reviewed git clone instead.

Usage

cull axios@1.14.1 axios@0.30.4 plain-crypto-js

Checks lock files (pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock), node_modules, GitHub code search, and Docker image layers (legacy + OCI). Version-aware — distinguishes compromised versions from safe pins. Exit code 0 when clean, 1 when a compromised package is found, and 2 when the scan could not complete reliably.

Scan targets

Local directories

cull axios@1.14.1 --dirs ~/projects/app1 ~/projects/app2

Default: current directory.

GitHub

export GITHUB_TOKEN=ghp_...
cull axios@1.14.1 --github-org myorg

Searches lock files via code search API. Token can also be passed via --github-token.

Creating a PATgithub.com/settings/tokens: classic → repo scope, fine-grained → set resource owner to your org, grant Contents: Read-only.

Docker images

cull axios@1.14.1 --docker            # all local images
cull axios@1.14.1 --images app:latest # specific images

Requires docker CLI. Remote images are auto-pulled; use --no-pull to skip.

Google Cloud

cull axios@1.14.1 --gar-repo us-central1-docker.pkg.dev/proj/repo  # Artifact Registry
cull axios@1.14.1 --gcr-project my-project                         # Container Registry (legacy)

Requires gcloud CLI with gcloud auth login and gcloud auth configure-docker REGION-docker.pkg.dev.

Requirements

Python 3.9+. Optional CLIs: docker, gcloud. If you request a scan target whose CLI is missing or whose backend calls fail, cull reports an error and exits non-zero instead of silently treating that target as clean.

Security

We intentionally do not publish this to PyPI. The goal is to avoid creating another supply-chain distribution point for a security tool. Install from a reviewed git clone instead.

Stdlib only — nothing else to supply-chain. External CLIs invoked only when their flags are used. Images are exported via docker save / docker pull — never docker run.

Contributing

PRs welcome — GitLab, Bitbucket, AWS ECR, and Azure ACR are natural next targets.

About

cull the compromised

Resources

Readme
Activity
Custom properties

Stars

19 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages