OSS Supply Chain Risk Report - PyPI, npm, OSV and Docker Hub

Pricing

$1,250.00 / 1,000 oss risk reports

Audit Python packages, npm packages, Docker images, lockfiles, SBOMs, and Dockerfiles for vulnerability, maintenance, freshness, popularity, and metadata risk signals.

Developer: Sean (Maintained by Community)

Actor stats: 0 bookmarked, 2 total users, 1 monthly active user, last modified 12 days ago.

Use this Actor as an SBOM vulnerability API, Docker image risk checker, PyPI vulnerability report, npm package-lock vulnerability API, and open-source supply-chain risk dataset for security and procurement review.

Inspired by Printing Press nvd, pypi, and docker-hub: public package metadata, vulnerability signals, lockfile/SBOM inputs, and container freshness.

Use cases

  • Check requirements.txt and pinned PyPI versions before vendor security review.
  • Extract npm package-lock dependencies and identify vulnerable package versions through OSV data.
  • Parse Dockerfile FROM images and audit Docker Hub freshness and metadata.
  • Turn CycloneDX or SPDX-like SBOM package URLs into structured risk rows.
  • Create dependency triage datasets for procurement, security questionnaires, and due-diligence workflows.

Search-friendly workflows

  • SBOM vulnerability API for Apify users.
  • Docker image risk checker for vendor review.
  • PyPI and npm dependency risk report for security teams.
  • Open-source package due-diligence workflow for procurement.

This Actor is part of the Security Risk Intelligence Suite:

Use the three together to build repeatable due-diligence, procurement, and security-review workflows from public data.

Public examples and tutorials: https://github.com/shamusj-create/security-risk-intelligence-apify

Flagship workflow tutorial: https://github.com/shamusj-create/security-risk-intelligence-apify/blob/main/docs/vendor-risk-automation-with-apify.md

Suite positioning: see ../docs/suites/SECURITY_RISK_INTELLIGENCE_SUITE.md.

Pricing

Recommended pay-per-event pricing:

  • Event: oss-risk-report
  • Price: $1.25
  • Unit: one bounded oss risk report

The Actor charges before making public-data requests so Apify spending limits can stop work cleanly.

Demo input

{
  "pypiPackages": [
    "requests",
    "django"
  ],
  "pypiPackageVersions": [
    "requests==2.31.0"
  ],
  "requirementsText": "",
  "dockerImages": [
    "library/redis",
    "nginx"
  ],
  "dockerfileText": "",
  "packageLockJson": {},
  "sbomJson": {},
  "includeNvdKeywordSearch": true,
  "nvdLookbackDays": 365,
  "concurrency": 1
}
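Added example (not the Actor's or the suite's own code): a Python script that normalizes the pypiPackageVersions, requirementsText and packageLockJson fields of the input above into the request body for OSV's querybatch endpoint, the kind of lookup the "Use cases" section describes. The sample input, the helper names and the assumed package-lock layout (a lockfileVersion 2/3 "packages" map keyed by node_modules path) are mine; the script makes no network call.

```python
import json
import re

# Exact-pin pattern shared by pypiPackageVersions entries and requirementsText lines.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

def parse_requirements(text):
    """Return (name, version) for each exact pin; comment, unpinned and extras lines are skipped."""
    pins = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins

def parse_package_lock(lock):
    """Return (name, version) from a lockfileVersion 2/3 'packages' map (assumed layout).
    Keys look like 'node_modules/foo' or 'node_modules/a/node_modules/b'; the name is the
    part after the last 'node_modules/'. The "" root entry and unversioned entries are skipped."""
    deps = []
    for key, meta in lock.get("packages", {}).items():
        if key and "version" in meta:
            deps.append((key.rsplit("node_modules/", 1)[-1], meta["version"]))
    return deps

def osv_querybatch(pypi_pins, npm_deps):
    """Body for POST https://api.osv.dev/v1/querybatch: one query per pinned component."""
    queries = [{"package": {"name": n, "ecosystem": "PyPI"}, "version": v} for n, v in pypi_pins]
    queries += [{"package": {"name": n, "ecosystem": "npm"}, "version": v} for n, v in npm_deps]
    return {"queries": queries}

def build_queries(actor_input):
    """Map the Actor-style input fields to the OSV batch request (no network call here)."""
    pins = parse_requirements("\n".join(actor_input.get("pypiPackageVersions", [])))
    pins += parse_requirements(actor_input.get("requirementsText", ""))
    return osv_querybatch(pins, parse_package_lock(actor_input.get("packageLockJson", {})))

# Constructed sample input mirroring the demo input's field names.
SAMPLE_INPUT = {
    "pypiPackageVersions": ["requests==2.31.0"],
    "requirementsText": "# app deps\ndjango==4.2.7 ; python_version >= '3.8'\nflask\n",
    "packageLockJson": {"lockfileVersion": 3, "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/a/node_modules/minimist": {"version": "1.2.5"}}},
}

if __name__ == "__main__":
    print(json.dumps(build_queries(SAMPLE_INPUT), indent=2))  # 4 queries: 2 PyPI, 2 npm
```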

What you get back

Each dataset row includes package, lockfile, SBOM, or Docker image status, score, confidence, summary, recommendations, vulnerability and freshness highlights, disambiguation details, metrics, source payloads, and timestamp.

This Actor uses public/read-only data sources. SEC-backed requests require secContactEmail and include it in the SEC fair-access User-Agent. The included research@example.com smoke-test default is only for local examples; use a real contact email for production runs.