Set Up a PyPI Proxy with the DevGuard Dependency Proxy
PyPI is one of the most actively abused package registries for supply chain attacks. In the 2022 PyTorch supply chain attack, attackers published a malicious torchtriton package on PyPI that exfiltrated sensitive data from machines where PyTorch nightly builds were installed, a package that was installed automatically as a dependency. Thousands of similar attacks have followed, exploiting the fact that pip install can execute package-supplied code during installation by default.
The DevGuard dependency proxy sits between your Python tooling and the upstream PyPI registry, checking every package against the OSV dataset before it reaches your environment.
- Registry URL: <your-devguard-url>/api/v1/dependency-proxy/pypi/simple
Configuration
Using a configuration file
Create or edit pip.conf (Linux/macOS: ~/.config/pip/pip.conf, Windows: %APPDATA%\pip\pip.ini) to permanently redirect all pip installs through DevGuard:
Using environment variables
For CI/CD pipelines or ephemeral environments, set the proxy via environment variables instead:
Testing
DevGuard ships a test package that is permanently flagged as malicious:
If the install is blocked, the proxy is working correctly. All other packages in the same environment will resolve normally from the upstream PyPI registry.
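To confirm that a machine's pip settings really route through the proxy, the following added example (not part of DevGuard or its documentation) reads pip.conf text plus the PIP_INDEX_URL and PIP_EXTRA_INDEX_URL environment variables and reports anything that would let installs skip the proxy, such as an extra index that pip consults alongside the main one. The `[global]` / `index-url` layout, the sample configs and the function names are assumptions of this example; the registry URL is the placeholder from this page.

```python
import configparser

# Placeholder from this page; substitute your DevGuard base URL.
PROXY_INDEX = "<your-devguard-url>/api/v1/dependency-proxy/pypi/simple"

def effective_indexes(conf_text, env):
    """Return (index_url, extra_index_urls) resolved from one pip config file
    plus environment variables (the environment overrides the file)."""
    cp = configparser.RawConfigParser()  # Raw: no '%' interpolation in URLs
    cp.read_string(conf_text)
    merged = {}
    # A command section such as [install] overrides [global] for the same key.
    for section in ("global", "install"):
        if cp.has_section(section):
            merged.update(cp.items(section))
    index = env.get("PIP_INDEX_URL") or merged.get("index-url")
    # Multi-value options are whitespace-separated in both the file and the env.
    extras = env.get("PIP_EXTRA_INDEX_URL", merged.get("extra-index-url", "")).split()
    return index, extras

def audit(conf_text, env, proxy=PROXY_INDEX):
    """List reasons installs could bypass the proxy; an empty list means routed."""
    index, extras = effective_indexes(conf_text, env)
    norm = lambda u: u.rstrip("/")
    findings = []
    if index is None:
        findings.append("no index-url set: pip falls back to https://pypi.org/simple")
    elif norm(index) != norm(proxy):
        findings.append(f"index-url points elsewhere: {index}")
    for url in extras:
        if norm(url) != norm(proxy):
            findings.append(f"extra-index-url bypasses the proxy: {url}")
    return findings

# Constructed sample inputs, not taken from the DevGuard documentation.
GOOD_CONF = f"[global]\nindex-url = {PROXY_INDEX}\n"
LEAKY_CONF = GOOD_CONF + "extra-index-url = https://pypi.org/simple\n"

if __name__ == "__main__":
    print(audit(GOOD_CONF, {}))
    print(audit(LEAKY_CONF, {}))
    print(audit(GOOD_CONF, {"PIP_INDEX_URL": "https://pypi.org/simple"}))
```

In CI, pass the real file contents and `os.environ`, and fail the job when the returned list is not empty.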