While these packages are supposed to be thoroughly vetted before being included in a program, this is not feasible in practice because of the sheer volume of dependency code that needs review and the lack of tools to help with vetting it.
GitLab's Package Hunter is therefore a potentially important addition that could help secure software packages, as threat actors increasingly use public package registries as a distribution channel for their malicious code.
How Does GitLab's Package Hunter Detect Malicious Code?
Package Hunter analyzes a program's dependencies for malicious code and reports suspicious system calls to the developer for further examination.
It integrates with GitLab and has been in use internally to test GitLab's dependencies since November 2020; currently, it supports testing NodeJS modules and Ruby Gems. The aim is to let other projects detect malicious code in their dependencies before any harm is done, which increases users' confidence in open source supply chains.
It also lets developers build apps quickly, since reusing code gets the task done faster, with the "trust" that the dependencies don't need a separate review.
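The kind of check this approach implies, as an added example that is not Package Hunter's own code: a dependency is installed in a disposable sandbox, its system calls are traced, and a small policy flags what an install should not be doing. The trace below is a constructed strace-style log, the policy (project path, a registry address taken from the 203.0.113.0/24 documentation range, the shell list) is assumed, and Package Hunter's real rules and output format are not described on this page.

```python
import re

# Constructed strace -f -tt output for a hypothetical "npm install" in a throwaway CI
# container (not Package Hunter's output format, which this page does not describe).
SAMPLE_TRACE = """\
[pid  4201] 10:02:11.120 openat(AT_FDCWD, "/home/ci/project/node_modules/left-pad/index.js", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5
[pid  4201] 10:02:11.130 openat(AT_FDCWD, "/home/ci/project/package-lock.json", O_RDONLY) = 6
[pid  4201] 10:02:11.500 connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.1")}, 16) = 0
[pid  4207] 10:02:12.004 execve("/bin/sh", ["sh", "-c", "node postinstall.js"], 0x7ffd2a3b1c40 /* 12 vars */) = 0
[pid  4209] 10:02:12.410 connect(7, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.9")}, 16) = 0
[pid  4209] 10:02:12.450 openat(AT_FDCWD, "/home/ci/.bashrc", O_WRONLY|O_APPEND) = 8
[pid  4209] 10:02:12.460 openat(AT_FDCWD, "/root/.bashrc", O_WRONLY|O_APPEND) = -1 EACCES (Permission denied)
[pid  4201] 10:02:13.000 openat(AT_FDCWD, "/tmp/npm-4201/cache.json", O_WRONLY|O_CREAT, 0644) = 9
"""

# Assumed sandbox policy: an install may write only under the project tree or /tmp,
# may talk only to the package registry (203.0.113.1 stands in for its address), and
# any shell it spawns (a lifecycle/install script) deserves a human look.
INSTALL_ROOT = "/home/ci/project"
WRITE_ALLOWED = (INSTALL_ROOT + "/", "/tmp/")
REGISTRY_PEERS = {"203.0.113.1"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_APPEND", "O_TRUNC")

LINE_RE = re.compile(r"^\[pid\s+(\d+)\]\s+\S+\s+(\w+)\((.*)\)\s+=")  # [pid N] time call(args) = ret
QUOTED_RE = re.compile(r'"([^"]*)"')
PEER_RE = re.compile(r'inet_addr\("([^"]+)"\)')

def findings(trace: str) -> list[tuple[int, str, str]]:
    """Return (pid, rule, detail) per policy violation; failed calls count too,
    since an attempted write to /root/.bashrc is as telling as a successful one."""
    hits = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, call, args = int(m.group(1)), m.group(2), m.group(3)
        first = QUOTED_RE.search(args)  # first quoted string is the path being acted on
        if call == "execve" and first and first.group(1) in SHELLS:
            hits.append((pid, "install-script-shell", first.group(1)))
        elif call == "connect":
            peer = PEER_RE.search(args)
            if peer and peer.group(1) not in REGISTRY_PEERS:
                hits.append((pid, "unexpected-network-peer", peer.group(1)))
        elif call in ("open", "openat") and first:
            writes = any(flag in args for flag in WRITE_FLAGS)
            if writes and not first.group(1).startswith(WRITE_ALLOWED):
                hits.append((pid, "write-outside-install-tree", first.group(1)))
    return hits
```

A CI job built on this would fail the pipeline whenever `findings()` is non-empty and attach the list for the developer to examine, which is the workflow the article describes.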
How to get started with GitLab's Package Hunter?
Package Hunter is currently available as a free and open-source project on GitLab. To get started, use the GitLab CI template to add a job to your project and follow the instructions for setting up a Package Hunter server.
Note that Package Hunter currently supports testing of NodeJS modules and Ruby Gems; refer to the official documentation for more technical details.