.packj.yaml

#
# Pro account for premium features
#
# XXX use 'auth' subcommand to activate. See '--help' for details.)
#
account:
  creds_file: ~/.packj.creds
  base_url: https://packj.dev
  endpoints:
    auth: /oauth/authorize
    session: /api/v1/cli_sessions
    token: /oauth/token
    redirect: /oauth/code/callback
    audit: /api/v1/audit

#
# Tokens for third-party APIs
#
tokens:
  github:

#
# Audit policies
#
audit:
  alerts:
    #
    # category: malicious packages (publicly known and unknown)
    #
    malicious:
      backdoor:
        - reason: package installs a backdoor
        - enabled: true
      typo-squatting or repo-jacking package:
        - reason: package impersonates another popular package to propagate malware
        - enabled: true
      cryptominer:
        - reason: package is a cryptominer
        - enabled: true

    #
    # alert category: suspicious packages (potentially malicious)
    #
    suspicious:
      inconsistent with repo source:
        - reason: package code differs from public repo source code, indicating malicious intention
        - enabled: true
      overwrites system binaries:
        - reason: overwriting system binaries such as /bin/ls suggests malware persistence
        - enabled: true
      risky API sequence:
        - reason: package code uses risky API sequence such as decode() followed by exec() or eval()
        - enabled: true
      anomalous dependency version:
        - reason: a anomalously high dependency version could indicate confusion attack
        - enabled: true

    #
    # alert category: packages vulnerable to code exploits
    #
    vulnerable:
      contains known vulnerabilities:
        - reason: known vulnerabilities (CVEs) in package code could be exploited
        - enabled: true
          #- threshold: 7
      insecure network communication:
        - reason: package code uses insecure network communication (not https)
        - enabled: true

    #
    # packages with undesirable or "risky" attributes
    #
    undesirable:
      package is old or abandoned:
        - reason: old or abandoned packages receive no security updates and are risky
        - enabled: true

      invalid or no author email:
        - reason: a package with no or invalid author email suggests 2FA not enabled
        - enabled: true

      invalid or no homepage:
        - reason: a package with no or invalid homepage may not be preferable
        - enabled: false

      no source repo:
        - reason: lack of public source repo may suggest malicious intention
        - enabled: true

      fewer downloads:
        - reason: a package with few downloads may not be preferable
        - threshold: 1000
        - enabled: true

      no or insufficient readme:
        - reason: a package with no or insufficient documentation may not be preferable
        - enabled: true

      fewer versions or releases:
        - reason: few versions suggest unstable or inactive project
        - threshold: 5
        - enabled: true

      too many dependencies:
        - reason: too many dependencies increase attack surface
        - threshold: 50
        - enabled: true

      immature dependencies:
        - reason: a high maturity package depends upon a low maturity package
        - enabled: false

      version release after a long gap:
        - reason: a release after a long time may indicate account hijacking
        - threshold: 180
        - enabled: true

      high release-yank ratio:
        - reason: a high number of release(s) or version(s) were yanked due to bugs or security issues
        - threshold: 50
        - enabled: false

      contains custom installation hooks:
        - reason: custom installation hooks may download or execute malicious code
        - enabled: true

      contains executables or other binaries:
        - reason: binary blobs cannot be analyzed accurately and are used to hide malware
        - enabled: true

      noisy package:
        - reason: package is a typo-guard, placeholder, dummy, empty, or troll package
        - enabled: true

      contains dev warning:
        - reason: package contains a warning from the developer
        - enabled: true

      #
      # type: repo stats
      #
      few source repo stars:
        - reason: a package with few repo stars may not be preferable
        - threshold: 50
        - enabled: false

      few source repo forks:
        - reason: a package with few repo forks may not be preferable
        - threshold: 5
        - enabled: false

      forked source repo:
        - reason: a forked copy of a popular package may contain malicious code
        - enabled: true

      #
      # type: APIs and permissions
      #
      generates new code:
        - reason: package generates new code at runtime, which could be malicious
        - enabled: true
        - threshold: new
      forks or exits OS processes:
        - reason: package spawns new operating system processes, which could be malicious
        - enabled: true
        - threshold: new
      accesses obfuscated (hidden) code:
        - enabled: true
        - threshold: new
      accesses environment variables:
        - enabled: true
        - threshold: new
      changes system/environment variables:
        - enabled: true
        - threshold: new
      accesses files and dirs:
        - enabled: true
        - threshold: new
      communicates with external network:
        - enabled: true
        - threshold: new
      reads user input:
        - enabled: true
        - threshold: new

#
# Sandboxing policies
#
sandbox:
  rules:
    #
    # File system (allow or block accesses to file/dirs)
    #
    #   ~/ represents home dir
    #   . represents cwd dir
    #
    # NOTE: only ONE 'allow' and 'block' lines are allowed
    #
    fs:
      # TODO: customize as per your threat model

      # block access to home dir and all other locations (except the ones below)
      block: ~/, /
      allow: ., ~/.cache, ~/.npm, ~/.local, ~/.ruby, /tmp, /proc, /etc, /var, /bin, /usr/include, /usr/local, /usr/bin, /usr/lib, /usr/share, /lib

    #
    # Network (allow or block domains/ports)
    #
    # NOTE: only ONE 'allow' and 'block' lines are allowed
    #
    network:

      # TODO: customize as per your threat model

      # block all external network communication (except the ones below)
      block: 0.0.0.0

      # For installing PyPI, Rubygems, and NPM packages
      allow: pythonhosted.org:443, pypi.org:443, rubygems.org:443, npmjs.org:0, npmjs.com:0