Where can I find DoD approved Python library repo?
To whom it may concern,
I work in the Dept of Navy. I have been tasked by my leadership to get information and guidance on DoD policy and resources for using open source software libraries, especially Python libraries. Most developers go to PyPI.org (Python Package Index) to download, install and run Python libraries. It is the reality that PyPI.org contributors have found malware in approved Python open source libraries.
Here is PyPI.org’s policy and stance: “PyPI has a procedure for reporting security concerns. If someone reports a malicious package or a problem within PyPI it is addressed, but packages added to PyPI do not undergo review—this would be an unrealistic expectation of the volunteers who maintain PyPI. Therefore it is wise to assume that there are malicious packages within PyPI and behave accordingly. Reasonable steps include doing a bit of research on the package you want to install and ensuring that you carefully spell out the package name (a package named for a common misspelling of a popular package could execute malicious code).”
My main question(s):
- Does the DoD maintain a repository of approved Python libraries?
- If not, what is the DoD’s policy for developers to download and install open source packages on the internet on to their Govt machines?
- Does the DoD recommend any software vulnerability scanners that can be installed on Govt machines for developers to scan for vulnerabilities in the open source libraries they are using? Any help, guidance and resources would be greatly appreciated.
Hey, good question; this comes up a lot, and it’s great you’re thinking about it.
There’s no central DoD-wide “approved list” of Python packages. Most teams handle this by isolating their environments and using internal mirrors or artifact registries where they can vet and pin dependencies. Downloading directly from PyPI on a Gov system (especially production or anything on SIPR) is a no-go in most cases. But in dev environments, it’s pretty common (and expected; most software does) to use open source libraries, just with care.
To stay safe, most teams do a mix of:
- Using tools like Grype, Anchore, or JFrog Xray to scan dependencies
- Pinning versions with requirements.txt or pip-tools
- Preferring well-known packages with active GitHub repos
- Avoiding typosquatting or sketchy-looking libraries (but this happens to the best of us, which is why it should be siloed)
- Setting up internal mirrors or repos (e.g. Artifactory, Nexus) for repeatable builds
Short story: PyPI is fine to use; you just don’t want to trust anything blindly, so search it up a bit. If you're working in a siloed dev container or VM, that's already a big step in the right direction. The key is knowing what you're pulling in and scanning for known issues before anything touches prod.
(late response but leaving this here for the next person)
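The version-pinning and typosquatting checks from the answer's list, as an added example that is not part of the original thread and not an official DoD or PyPI tool: a small Python audit of a requirements.txt that flags entries not pinned with `==`, entries without a `--hash` pin, and names within one edit (including a transposition) of a known-good package name. The allowlist `KNOWN_GOOD`, the sample requirements file and its hash values are constructed placeholders; a team would populate the allowlist from the packages vetted into its own internal mirror.

```python
"""
Audit a requirements.txt for three supply-chain controls:
  1. every requirement is pinned with ==
  2. every requirement carries a --hash pin (pip's hash-checking mode)
  3. no name is a near-miss of a well-known package (typosquat)
Constructed example; the allowlist and sample file below are placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed allowlist (hypothetical). Populate from your vetted internal mirror.
KNOWN_GOOD = {"requests", "numpy", "pandas", "urllib3", "cryptography", "flask", "django"}

# Simplified requirement parser: name, optional [extras], optional version spec.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([=<>!~]=?\s*[^\s;#]*)?")


@dataclass
class Finding:
    line_no: int
    name: str
    issues: list = field(default_factory=list)


def normalize(name):
    # PEP 503 name normalization: lowercase, runs of - _ . collapse to a single -
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    # Optimal string alignment distance: Levenshtein plus adjacent transposition,
    # so "reqeusts" is one edit from "requests".
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def typosquat_candidates(name, known=KNOWN_GOOD, max_dist=1):
    # A name that is itself on the allowlist is fine; otherwise report near-misses.
    n = normalize(name)
    if n in known:
        return []
    return sorted(k for k in known if osa_distance(n, k) <= max_dist)


def logical_lines(text):
    # pip joins lines ending in a backslash; hash pins are usually written that way.
    buf, start = [], None
    for i, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = i
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def audit_requirements(text, known=KNOWN_GOOD):
    findings = []
    for line_no, logical in logical_lines(text):
        line = logical.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or an option such as -r / --index-url
        if "://" in line or line.startswith((".", "/")):
            continue  # URL or path requirements need their own review; out of scope here
        m = REQ_RE.match(line)
        if not m:
            continue
        name, spec = m.group(1), m.group(3)
        f = Finding(line_no, name)
        if not spec or not spec.startswith("=="):
            f.issues.append("not pinned with ==")
        if "--hash=" not in line:
            f.issues.append("no --hash pin")
        squats = typosquat_candidates(name, known)
        if squats:
            f.issues.append(f"looks like typosquat of {squats}")
        if f.issues:
            findings.append(f)
    return findings


# Constructed sample file; the sha256 values are placeholders, not real digests.
SAMPLE_REQUIREMENTS = "\n".join([
    "# constructed sample requirements.txt",
    "requests==2.31.0 \\",
    "    --hash=sha256:" + "0" * 64,
    "numpy>=1.20",
    "reqeusts==2.31.0",
    "urlib3==2.0.0 --hash=sha256:" + "1" * 64,
    "cryptography",
])

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: {f.name}: {'; '.join(f.issues)}")
```

Run against the sample, the fully pinned and hashed `requests` line passes, `numpy` and `cryptography` are reported for loose or missing pins, and `reqeusts` and `urlib3` are reported as near-misses of allowlisted names even though one of them is pinned and hashed, which is the point: a hash pin proves you got the bytes you asked for, not that you asked for the right package.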