secpipw: the Best and Easiest Way to Avoid PyPI Supply-Chain Attacks.

$

No learning,

No configurating,

No behaviour changes,

Imperceptible performance cost,

Install secpipw, add pip alias to spip, then enjoy it as the original pip,

but much more safer.

This project is currently in pre-release and should not be used in production.

Contributions are very welcome. GitHub

Why secpipw?

What problem does it solve?

Supply-chain poisoning has always been a persistent security problem. Existing solutions include mature but expensive-to-run tools like GuardDog, and lightweight tools like sfw that rely entirely on a paid Socket API. GuardDog is too heavy for everyday CI usage and is better suited to static analysis by security researchers. Running GuardDog against every artifact downloaded by pip install, including all dependencies, would slow installs down. sfw is lighter, but its dependence on a paid API creates another cost for everyday developers.

secpipw solves this by hooking into pip's installer and merging security checks directly into the pip install download and installation flow. The latest GitHub Actions benchmark compares the full download and install flow for default spip install against pip install across multiple target packages. The primary median is x-- of pip time. secpipw is completely free for everyone.

Today, many independent developers have suffered CI server compromises that leak secret keys and cause serious damage. With secpipw installed, that risk is greatly reduced, while requiring no payment, no extra performance budget, and no learning or configuration. Install it once with pip install secpipw, set an alias once, and keep using pip while gaining an important protection layer in the background.

secpipw advantages

  • Lightweight. You should not feel it running.
  • Zero migration or learning cost. No configuration is required; it works out of the box.
  • Free. secpipw is open source under the MIT license. Anyone can use, modify, and redistribute it.
  • Powerful. Tests show that it can defend against well-known attack cases such as LiteLLM and colorama.
  • Diverse package manager support. Guard pip plus common pipx, poetry, and uv package-add workflows.

diverse package manager support.

secpipw is no longer limited to direct pip usage. It can guard the common package-add flows developers already use, then hand the actual environment update back to the original tool.

Read the package manager guide

spip install requests

Guarded install flow using pip's own resolver and installer.

spipx install black

Guarded install, inject, and run preflights.

spoetry add requests

Guarded add and self add preflights.

suv pip install requests

Guarded pip install, add, and tool preflights.

benchmark results.

The latest GitHub Actions benchmark compares default spip install with pip install for opencv-python, scipy, and uv using a local wheelhouse.

Package pip median spip median Ratio Median overhead
opencv-python -- -- x-- --
scipy -- -- x-- --
uv -- -- x-- --

Runs: --. Updated: --. Open GitHub Actions benchmark job.

Let's install.

Install secpipw, then use the spip command. Best to alias pip to spip to keep your usual workflow.

Command Prompt (Windows)

pip install secpipw
doskey pip=spip $*

Bash (Linux)

pip install secpipw
echo "alias pip='spip'" >> ~/.bashrc
source ~/.bashrc

Zsh (macOS)

pip install secpipw
echo "alias pip='spip'" >> ~/.zshrc
source ~/.zshrc

That's it.

Now you are much more safer when you type pip install :)

Read our docs

GitHub