Documentation

Intro

secpipw is a lightweight wrapper around pip. It keeps normal pip behavior, but adds supply-chain checks around pip install.


Overview

secpipw is designed for the everyday Python install path. Commands other than install are forwarded to python -m pip. For the spip install entrypoint, pip still resolves, downloads, builds, and installs packages; secpipw inserts lightweight checks at key points in that flow.

Install

Install secpipw, then alias pip to spip to keep your normal workflow.

Command Prompt (Windows)

pip install secpipw
doskey pip=spip $*

After installing with the commands above, you can run pip install --spip-status to see the current status of the installed packages. If the installation succeeded, you will see the message spip {VERSION} guard enabled.

Warning mechanism

Every risk found by secpipw is assigned one of three severities. Under the default low sensitivity, HIGH warnings pause installation, MEDIUM warnings ask for interactive confirmation, and LOW warnings are printed while installation continues.

HIGH

Installation pauses. Rerun with --spip-ignore-warning only after review.

MEDIUM

Interactive terminals ask for y/n confirmation. Non-interactive runs pause.

LOW

The warning is shown and installation continues at the default sensitivity.

You can make the gate stricter with the --sensitivity parameter. You can also suppress a severity and every level below it with --spip-ignore <level>.

Workflow

The recommended workflow is simple: keep typing the same package install commands, but route them through secpipw so the guarded install path can inspect the resolved plan and prepared artifacts.

See the dedicated Checks reference for the full list of warning rules and severity levels.

For local install paths such as pip install ., file-based installs, or offline installs using --no-index or --find-links, secpipw disables registry metadata requests. In those cases it stays focused on local checks such as direct-install detection and .pth inspection rather than trying to query package metadata from a registry.

This only disables remote metadata lookups. The local install path is still checked for direct references, prepared artifact content, and post-install .pth changes.
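As an added illustration, not secpipw's own code, the following sketches the post-install .pth inspection named above: snapshot the .pth files in site-packages before and after an install, then report added or modified files, separating lines that CPython's site.py will exec() at every interpreter start-up from plain path entries. The function names, the constructed sample files and the HIGH/LOW mapping are assumptions for this example, not the rules in the Checks reference.

```python
import tempfile
from pathlib import Path

def classify_pth(text):
    """Split one .pth file the way CPython's site.py reads it: a line starting
    with 'import ' or 'import\\t' is executed at interpreter start-up; any other
    non-blank, non-comment line is a path entry appended to sys.path."""
    executable, paths = [], []
    for line in text.splitlines():
        if line.startswith("#") or line.strip() == "":
            continue
        if line.startswith(("import ", "import\t")):
            executable.append(line)
        else:
            paths.append(line.rstrip())
    return executable, paths

def snapshot_pth(site_dir):
    """Map each .pth file name in site_dir to its contents."""
    return {p.name: p.read_text(encoding="utf-8", errors="replace")
            for p in Path(site_dir).glob("*.pth")}

def diff_pth(before, after):
    """List .pth files an install added or changed. Severity mapping is assumed
    for this illustration: an executable import line is HIGH, paths only is LOW."""
    findings = []
    for name, text in sorted(after.items()):
        if before.get(name) == text:
            continue
        executable, paths = classify_pth(text)
        findings.append({
            "file": name,
            "change": "added" if name not in before else "modified",
            "severity": "HIGH" if executable else "LOW",
            "executable": executable,
            "paths": paths,
        })
    return findings

def demo():
    """Constructed site-packages: one benign editable-install .pth exists, then
    an 'install' drops a second .pth that carries an import line."""
    with tempfile.TemporaryDirectory() as site_dir:
        Path(site_dir, "mypkg.pth").write_text("/home/dev/src/mypkg\n")
        before = snapshot_pth(site_dir)
        Path(site_dir, "example_hook.pth").write_text(
            "# looks harmless\nimport example_hook; example_hook.run()\n")
        after = snapshot_pth(site_dir)
        return diff_pth(before, after)
```

Unchanged files produce no finding, so a normal install that only adds path entries surfaces as LOW while a new import line surfaces as HIGH.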

Next

Continue with the package manager guide to see how the pipx, poetry, and uv routes start and where secpipw consumes its own options.

Read package managers