
Heisenberg: Secure Your Open-Source Software Supply Chain

▼ Summary

– Heisenberg is an open-source tool that analyzes software dependencies using SBOMs and external data to measure package health and detect supply chain risks.
– It goes beyond traditional SCA tools by identifying suspicious packages based on age, maintenance, and deprecation status, not just known vulnerabilities.
– The tool includes four CLI modes: SBOM generation, checking a single package, bulk scanning, and a fast search for where a given package is used across projects.
– Heisenberg helps catch hidden risks such as typosquatting immediately, by flagging packages with a low or unknown health score, questionable provenance, or no dependents.
– Future developments include support for more package managers, Docker deployment, Policy-as-Code integration, and AI-enhanced risk detection for improved health scoring.

Heisenberg offers a practical solution for securing the open-source software supply chain by transforming static Software Bills of Materials (SBOMs) into dynamic, actionable defense tools. This open-source utility evaluates dependency health by pulling data from deps.dev, SBOMs, and security advisories, delivering risk assessments and detailed reports for individual packages or entire codebases.

Max Feldman, Head of Application Security at AppOmni, explained the motivation behind its development. The team sought a method to intercept and block hazardous changes before they could reach the main branch. A significant shift occurred when they began treating SBOMs not as bureaucratic documents but as live data sources for immediate action. They engineered an automated, lightweight check that scrutinizes every pull request. Whenever a new dependency appears, shows poor health, gets flagged by an advisory, or lacks a trustworthy history, Heisenberg alerts developers directly within the PR interface. This approach provides rapid answers during emerging security campaigns, turning what used to be days of manual investigation into a process that takes just minutes.

Moving beyond conventional software composition analysis

While standard SCA tools primarily highlight known vulnerabilities with assigned CVEs, Heisenberg digs deeper. It identifies suspicious packages by examining their age, maintenance activity, and deprecation status. This proactive stance helps teams uncover threats like potential malware in npm packages before public disclosure. The tool can post comments directly on pull requests to prevent the merging of risky code, or it can be utilized later to determine if a dangerous package has already been integrated into a project. Designed to be lightweight and non-disruptive, Heisenberg effectively converts SBOMs into a functional line of defense, enabling early detection of supply chain threats without impeding development velocity.

Uncovering concealed dangers

Yevhen Grinman, Lead Security Engineer at AppOmni, illustrated a less obvious risk scenario. Consider typosquatting, where an attacker uploads a package with a name very similar to a legitimate one on repositories like PyPI or npm. A simple typo by a developer could introduce this malicious package into the supply chain. Traditional SCA might only catch this later if the package gets officially flagged for a vulnerability, allowing it to potentially reside in the codebase and cause harm over time. Heisenberg, however, flags such packages immediately because a typosquatted package typically exhibits a low or unknown health score, questionable provenance, and no dependents. This is just one instance where Heisenberg provides instant visibility compared to retrospective detection by conventional tools.

Four command-line modes for varied scenarios

Grinman explained that Heisenberg operates through four core CLI modes, each addressing a distinct aspect of software supply chain security.

SBOM Mode generates simplified, per-repository software bills of materials. Its minimal design makes it easy to parse, compare, and automate, forming the foundation for other modes and serving as a critical reference during security investigations.

Future Developments

The Heisenberg team is expanding the tool’s capabilities with new integrations and broader support. Upcoming releases will include compatibility with more package managers and improved control over feedback mechanisms. Currently, developers can mute specific alerts by commenting on pull requests. Soon, organizations will be able to maintain allow-lists for internal packages, which lack public metadata and are therefore often flagged unnecessarily. As Grinman noted, the goal is to let engineers filter out noise and focus on genuine risks.

Deployment and integration remain central priorities. Plans are underway to Dockerize Heisenberg for simpler setup and integration within CI/CD pipelines. The team is also introducing Policy-as-Code functionality, allowing security teams to define and enforce risk thresholds programmatically.
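The pull-request check described above (a new dependency appears, is scored on age, dependents, provenance and deprecation, and is blocked or muted by policy) can be sketched end to end. The following is an added example, not Heisenberg's own code: it diffs two minimal per-repository SBOMs to find dependencies a PR introduces, scores each one against a constructed offline stand-in for the kind of metadata deps.dev exposes, applies an assumed health heuristic (not Heisenberg's Custom Health Score), honours an internal-package allow-list, and renders the findings as a PR comment. The SBOMs, the metadata fixture, the deduction weights, the `min_score` threshold and the `lodahs` typosquat are all constructed for illustration.

```python
"""Added example (not Heisenberg's code): SBOM diff + assumed health heuristic."""
import json
from datetime import date

# Fixed "now" so the age calculation is deterministic.
TODAY = date(2024, 7, 15)

# Constructed SBOMs for the base branch and the PR head (CycloneDX-like JSON,
# trimmed to the only field this check needs: the package URL).
BASE_SBOM = json.dumps({"components": [
    {"purl": "pkg:npm/lodash@4.17.21"},
    {"purl": "pkg:npm/express@4.19.2"},
]})
HEAD_SBOM = json.dumps({"components": [
    {"purl": "pkg:npm/lodash@4.17.21"},
    {"purl": "pkg:npm/express@4.19.2"},
    {"purl": "pkg:npm/zod@3.23.8"},                  # legitimate new dependency
    {"purl": "pkg:npm/lodahs@4.17.21"},              # constructed typosquat of lodash
    {"purl": "pkg:npm/request@2.88.2"},              # deprecated upstream
    {"purl": "pkg:npm/%40acme/internal-utils@1.2.0"},  # internal, no public metadata
]})

# Constructed stand-in for deps.dev-style package metadata. Dates and counts
# are illustrative fixtures, not live values.
PACKAGE_METADATA = {
    "pkg:npm/lodash":  {"first_published": "2012-04-23", "dependents": 160000, "deprecated": False, "repo": "github.com/lodash/lodash"},
    "pkg:npm/express": {"first_published": "2010-12-29", "dependents": 90000,  "deprecated": False, "repo": "github.com/expressjs/express"},
    "pkg:npm/zod":     {"first_published": "2020-03-07", "dependents": 25000,  "deprecated": False, "repo": "github.com/colinhacks/zod"},
    "pkg:npm/lodahs":  {"first_published": "2024-06-01", "dependents": 0,      "deprecated": False, "repo": None},
    "pkg:npm/request": {"first_published": "2011-01-17", "dependents": 90000,  "deprecated": True,  "repo": "github.com/request/request"},
}


def split_purl(purl):
    """'pkg:npm/lodash@4.17.21' -> ('pkg:npm/lodash', '4.17.21')."""
    name, _, version = purl.rpartition("@")
    return name, version


def new_dependencies(base_sbom, head_sbom):
    """Return purls present in the PR head SBOM but not in the base SBOM."""
    base = {c["purl"] for c in json.loads(base_sbom)["components"]}
    head = {c["purl"] for c in json.loads(head_sbom)["components"]}
    return sorted(head - base)


def health_score(meta, today):
    """Assumed heuristic: start at 100 and deduct per weak signal.
    A package with no public metadata at all scores 0 (unknown)."""
    if meta is None:
        return 0, ["no public metadata (unknown package)"]
    score, reasons = 100, []
    age_days = (today - date.fromisoformat(meta["first_published"])).days
    if age_days < 90:                       # very young package
        score -= 30
        reasons.append(f"first published {age_days} days ago")
    if meta["dependents"] == 0:             # nobody else depends on it
        score -= 30
        reasons.append("no dependents")
    if not meta["repo"]:                    # no linked source: weak provenance
        score -= 20
        reasons.append("no linked source repository")
    if meta["deprecated"]:
        score -= 40
        reasons.append("marked deprecated")
    return max(score, 0), reasons


def check_pull_request(base_sbom, head_sbom, today=TODAY, min_score=70, allowlist=frozenset()):
    """Score each new dependency; block those under the policy threshold.
    Packages on the allow-list (e.g. internal ones) are muted entirely."""
    findings = []
    for purl in new_dependencies(base_sbom, head_sbom):
        name, _ = split_purl(purl)
        if name in allowlist:
            continue
        score, reasons = health_score(PACKAGE_METADATA.get(name), today)
        findings.append({"purl": purl, "score": score, "reasons": reasons,
                         "blocked": score < min_score})
    return sorted(findings, key=lambda f: f["score"])


def format_pr_comment(findings):
    """Render findings as the lines a PR comment would carry."""
    lines = []
    for f in findings:
        status = "BLOCK" if f["blocked"] else "ok"
        why = "; ".join(f["reasons"]) or "no weak signals"
        lines.append(f"[{status}] {f['purl']} health={f['score']} ({why})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_pr_comment(check_pull_request(BASE_SBOM, HEAD_SBOM)))
    print("--- with internal allow-list ---")
    print(format_pr_comment(check_pull_request(
        BASE_SBOM, HEAD_SBOM, allowlist=frozenset({"pkg:npm/%40acme/internal-utils"}))))
```

The typosquat is caught without any advisory: it is 44 days old, has no dependents and no linked repository, so it scores 20 and is blocked. The deprecated package scores 60 and is also blocked at a threshold of 70, while the internal package, which would otherwise score 0 for lacking public metadata, disappears once it is allow-listed. Swapping the hard-coded `min_score` and `allowlist` for values read from a repository policy file is the Policy-as-Code step the article describes.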

AI-assisted analysis is another frontier. Many risk indicators, such as commit patterns, documentation quality, or contributor activity, require subjective evaluation. By applying AI, Heisenberg could interpret these signals more consistently, refining its Custom Health Score. The developers are also exploring ways to detect new supply chain risks linked to machine learning, including threats related to MCP servers and open-source model dependencies.

Heisenberg is available as an open-source project on GitHub.

(Source: HelpNet Security)
