Package Inspector
Package Inspector is a utility provided by Checkmarx for analyzing packages in the cloud before downloading them onto your PC. This enables you to verify the package integrity in order to prevent supply chain attacks, which are caused by accidentally downloading malicious software.
When you submit a package for analysis, Checkmarx runs the package in a container and monitors the network activity, file systems, and program execution. Once the analysis is completed, Package Inspector shows detailed results both for installation and for runtime.
Note
Package Inspector currently supports only npm packages.
To test a package in Package Inspector:
Go to http://sandbox.sca.checkmarx.net.
The Package Inspector portal opens.
In the input field, enter the name of the package that you would like to analyze. You can specify a specific version using the @ sign, e.g., [email protected]
Click Analyze.
Viewing Package Inspector Results
The header bar shows general info about the package. It also shows a package integrity score, which measures the overall integrity of the package based on data such as number of contributors, frequent updates etc.
Below that the package activity is shown in three sections:
Network - shows all network activity initiated by the package.
File System - shows all of the files accessed by the package.
Program Execution - shows the command executions and programs run by the package.
In each section, results are shown separately for Installation and Runtime activity.
Note
Currently Package Inspector shows all of the raw data, enabling users to identify what they consider to be malicious activity. In the future, Checkmarx plans to flag suspicious activity in order to call the user’s attention to important results.