Aura – Python source code auditing and static analysis on a large scale (2022) (github.com/sourcecode-ai)
148 points by r9295 on April 11, 2023 | hide | past | favorite | 13 comments



Unfortunately, there hasn't been a release since 2021. Similarly, there have been no commits to the master or dev branches in the past ~14 months.


Hello, author of Aura here. The project is in fact active, but in a different branch called "ambience", which is a very big refactor transforming Aura (currently designed to be run locally as a TUI) into a server/web application. It would allow an organization to automatically monitor and audit all the Python packages it uses, by using an HTTP reverse proxy to intercept Python package installations. It's currently taking me a long time to finish that big refactor as I am the only active developer there, so apologies if the project seems to be abandoned. I'm just hesitant to merge the changes from the ambience branch into main (which is what people see) as the new refactor is not yet as stable as master & dev, which were tested and tuned on the whole of PyPI.

Very early alpha version is available here: https://ambience.sourcecode.ai if someone is interested in checking it out.
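As an added example (not Aura's code, and not the ambience branch's implementation), here is the decision logic such an intercepting proxy needs before it can hand anything to a scanner: recognise which requests are artifact downloads, recover the package name and version from the filename, and fail closed until a verdict exists. Path layout follows PEP 503 for the simple index and the /packages/... download URLs of a PyPI-style mirror; the verdict store is a constructed in-memory dict standing in for a real scan database, and the hostname proxy.internal is hypothetical.

```python
"""Classify requests seen by a PyPI reverse proxy and decide whether a
package download may pass through.

Added example, not Aura's code. Path layout follows PEP 503 (simple index)
and /packages/... download URLs; VERDICTS is a constructed stand-in for a
real scan database.
"""
import re
from urllib.parse import urlsplit


def normalize(name):
    """PEP 503 name normalisation: lowercase, runs of -_. become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


# Wheel: {dist}-{version}(-{build})?-{python}-{abi}-{platform}.whl
_WHEEL = re.compile(r"^(?P<name>[^-]+)-(?P<ver>[^-]+)(-[^-]+)?-[^-]+-[^-]+-[^-]+\.whl$")
# Sdist: {name}-{version}.tar.gz or .zip (name may itself contain '-' in old sdists,
# so the version is taken from the last '-' separated field).
_SDIST = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)\.(tar\.gz|zip)$")


def parse_artifact(filename):
    """Return (normalized name, version) for a wheel or sdist filename, else None."""
    m = _WHEEL.match(filename) or _SDIST.match(filename)
    if not m:
        return None
    return normalize(m.group("name")), m.group("ver")


def classify(url):
    """('index',) for simple-index pages, ('download', name, version) for
    artifacts under /packages/, ('other',) for anything else."""
    path = urlsplit(url).path
    if path.startswith("/simple/"):
        return ("index",)
    if path.startswith("/packages/"):
        parsed = parse_artifact(path.rsplit("/", 1)[-1])
        if parsed:
            return ("download",) + parsed
    return ("other",)


# Constructed verdict store: (normalized name, version) -> scan result.
VERDICTS = {
    ("requests", "2.31.0"): "clean",
    ("examplepkg", "1.2.0"): "malicious",
}


def decide(url, verdicts=VERDICTS):
    """Proxy policy: pass index pages, deny known-bad artifacts, hold unscanned ones."""
    kind = classify(url)
    if kind[0] != "download":
        return "pass"
    verdict = verdicts.get((kind[1], kind[2]))
    if verdict == "malicious":
        return "deny"   # answer with 403 instead of forwarding the artifact
    if verdict == "clean":
        return "pass"
    return "hold"       # fetch upstream, scan, then answer; fail closed until a verdict exists


if __name__ == "__main__":
    for u in ("http://proxy.internal/simple/requests/",
              "http://proxy.internal/packages/ab/cd/examplepkg-1.2.0-py3-none-any.whl",
              "http://proxy.internal/packages/ab/cd/newthing-0.1.tar.gz"):
        print(u, "->", decide(u))
```

The "hold" branch is the important one: a proxy that only blocks packages it has already seen marked malicious still lets every first-seen version through, so new downloads are queued for a scan and the client waits for the verdict.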


Could Aura scan packages at the Pulp PyPI proxy? https://github.com/pulp


I haven't used Pulp so I am not sure, but yes, in theory. Several schemes are currently supported via URIs (pypi://, git://, http(s):// etc.), so if the destination to scan can be formatted as one of the already supported URI schemes then you can already scan it. URI providers also use a plugin architecture, so adding a new one for better integration with Pulp (such as autodiscovering packages) should be trivial. Thank you for the suggestion; the Pulp project looks interesting and I would definitely check it out!


Gitea can also (scan and build and test and) host python packages [1], conda packages [2], container images, etc.

[1] https://docs.gitea.io/en-us/usage/packages/pypi/

[2] https://docs.gitea.io/en-us/usage/packages/conda/

https:// URLs probably already solve for scanning Python packages hosted by Gitea and/or Pulp with Aura.

From https://news.ycombinator.com/item?id=33563857 :

> Additional lists of static analysis, dynamic analysis, SAST, DAST, and other source code analysis tools: https://news.ycombinator.com/item?id=24511280 https://analysis-tools.dev/tools?languages=python


Will a command-line tool still be provided too?


Yes, the command line version will always be available; this is just an additional mode built on top of it. It in fact uses the same API interface as the CLI version to spawn scans, and parses the JSON output format into a persistent DB with some postprocessing to make it more suitable for a web app.


Are you using SARIF for the JSON output? It is a standard for static analysis tool output.

https://sarifweb.azurewebsites.net/


SARIF is implemented as a separate output format and is supported. The "json" one contains more information such as taint traces (even unconfirmed ones that haven't reached sinks), anomaly tags, static behaviour etc. The main json format is intended to capture as much data as possible so it can be analyzed later, as the original intention is to hunt for malware and anomalies and to do research in general on top of the whole PyPI repository. I found SARIF to be more "practical" or actionable in terms of what needs to be done to fix the source code or vulnerabilities found, vs. research-oriented output such as "this piece of code is doing network communication". Due to these differences it was added as a separate format, which is a subset of the "json" output format reformatted to the SARIF standard.
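The relationship described above (SARIF as a reduced, reformatted subset of a richer research-oriented JSON) is easy to see in code. The following is an added example, not Aura's code: the RICH_JSON layout is a constructed, hypothetical input format rather than Aura's real "json" schema, and the tool name "example-scanner" is a placeholder. The SARIF structure it emits (version, runs, tool.driver.rules, results with ruleIndex, level, message and physicalLocation) is the real SARIF 2.1.0 shape; research-only fields that SARIF has no dedicated slot for are kept in the open-ended properties bag instead of being dropped.

```python
"""Reformat a scanner's rich JSON findings into a minimal SARIF 2.1.0 log.

Added example, not Aura's code. RICH_JSON is a constructed, hypothetical
input format standing in for a scanner's research-oriented output.
"""
import json

# Constructed sample: richer than SARIF needs (taint traces, anomaly tags).
RICH_JSON = {
    "scan_target": "pypi://examplepkg",
    "detections": [
        {"id": "TaintAnomaly", "severity": "critical",
         "message": "Untrusted input reaches subprocess.Popen",
         "file": "examplepkg/setup_helpers.py", "line": 42,
         "taint_trace": ["os.environ", "build_cmd", "subprocess.Popen"],
         "tags": ["taint", "sink"]},
        {"id": "NetworkCommunication", "severity": "low",
         "message": "Module performs network communication",
         "file": "examplepkg/telemetry.py", "line": 7,
         "taint_trace": ["urllib.request.urlopen"],  # unconfirmed: no sink reached
         "tags": ["network"]},
        {"id": "TaintAnomaly", "severity": "high",
         "message": "Untrusted input reaches exec()",
         "file": "examplepkg/plugin.py", "line": 118,
         "taint_trace": ["sys.argv", "payload", "exec"],
         "tags": ["taint", "sink"]},
    ],
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# SARIF result levels are limited to "error", "warning", "note" (and "none").
SARIF_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}


def to_sarif(rich, tool_name="example-scanner", min_severity="low"):
    """Return a SARIF 2.1.0 document (as a dict) for detections at or above min_severity."""
    rules, rule_index = [], {}   # deduplicate rule descriptors; results refer to them by index
    results = []
    for det in rich["detections"]:
        if SEVERITY_RANK[det["severity"]] < SEVERITY_RANK[min_severity]:
            continue  # research-grade noise is left out of the actionable report
        rid = det["id"]
        if rid not in rule_index:
            rule_index[rid] = len(rules)
            rules.append({"id": rid, "shortDescription": {"text": rid}})
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": SARIF_LEVEL[det["severity"]],
            "message": {"text": det["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": det["file"]},
                "region": {"startLine": det["line"]},
            }}],
            # Extra research data survives in the property bag rather than being lost.
            "properties": {"tags": det["tags"], "taint_trace": det["taint_trace"]},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "rules": rules}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    print(json.dumps(to_sarif(RICH_JSON, min_severity="high"), indent=2))
```

Raising min_severity is where the two audiences diverge: the research JSON keeps the unconfirmed network-communication hit, while a SARIF report meant for a code-review tool can drop it and still point the fixer at the two confirmed taint sinks with file and line.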


Great approach, thanks for that.


I second this question. While server versions are nice, I need command line, local-only versions to use for my code review as I can’t pass code and dependencies to third parties.


Very helpful comment; you might want to add that to the README or a pinned issue.


Thank you for the suggestion, that is indeed a good idea. I will modify the README to include some explanation about the current status and why the main & dev branches may seem to be stale.



