Get started with Spectra Assure Community
ReversingLabs Spectra Assure Community is a free-to-use, no-registration-required platform where software developers, DevOps engineers, and IT security specialists can check the security statuses of widely distributed developer tools and software packages from the most popular communities (npm, PyPI, RubyGems, NuGet, and more to come).
It monitors the largest open source package repositories to identify malware, code tampering, and indicators of software supply chain attacks, and provides comprehensive risk analysis in the form of a report. The contents of those repositories are continually analyzed by ReversingLabs and the latest findings are immediately available on the Spectra Assure Community website.
To start using Spectra Assure Community, go to the official Community website, search for a package, and select it in the list of results to view its report.
View the Community report
The Spectra Assure Community report on each open source package provides a condensed overview of any potential risks detected during analysis.
Thanks to this format, users of all levels of experience and knowledge can understand which issues are cause for concern. This simplifies comparing multiple versions of the same open source package, and speeds up decisions on whether to use a particular package in a software project.
The package report is divided into:
Sidebar
Use the sidebar on the left-hand side of the report to navigate between different report sections. It is always visible, so you can access it from every part of the report.
The sidebar contains items in the following order:
Package name
Version dropdown - where you can choose a version of the package to view its report. For some communities (like PyPI), there is an additional dropdown, from which you can choose the package artifact.
Report sections:
- Overview - key information about the package (such as publishing date and other metadata), analysis summary, popularity information and more, organized by category
- Issues - detected software quality issues with the number of affected components and violated policies
- Behaviors - software behaviors discovered with static code analysis
- Vulnerabilities - detected known vulnerabilities affecting the software package and the components it embeds
- Contributors - a historical list of all known contributors who worked on the software package
- Dependencies - direct dependencies declared by the software package through its manifest. The full list can be exported in the CycloneDX format
- Versions - a historical list of all previously published software package versions
For every report section, the sidebar shows the total number of detected items next to the section name.
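The Dependencies export mentioned above is a CycloneDX document, so any SBOM tooling can consume it. The following is an added example for this page, not code from ReversingLabs or the Spectra Assure Community site: it reads a CycloneDX JSON export with Python, lists the direct dependencies, and flags components declared without a version. The embedded SBOM is constructed for the example; field names follow the public CycloneDX JSON schema, and whether the Community export includes a `dependencies` graph is an assumption (when it is absent, every listed component is treated as direct).

```python
"""Summarize direct dependencies from a CycloneDX JSON export.

Added example for this documentation; it is not code from ReversingLabs.
Field names follow the CycloneDX JSON schema (bomFormat, metadata.component,
components[], dependencies[]). The document below is constructed for the
example, and whether the Community export carries a dependencies graph is
an assumption: when it does not, every listed component is treated as direct.
"""
import json
from collections import Counter

# Constructed sample export (not a real package's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "library", "bom-ref": "root",
            "name": "example-project", "version": "1.2.0",
            "purl": "pkg:pypi/example-project@1.2.0",
        }
    },
    "components": [
        {"type": "library", "bom-ref": "c1", "name": "requests",
         "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "bom-ref": "c2", "name": "urllib3",
         "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
        # A dependency declared without a pinned version.
        {"type": "library", "bom-ref": "c3", "name": "unpinned-lib",
         "purl": "pkg:pypi/unpinned-lib"},
    ],
    "dependencies": [
        {"ref": "root", "dependsOn": ["c1", "c3"]},
        {"ref": "c1", "dependsOn": ["c2"]},
    ],
})


def load_sbom(text):
    """Parse the JSON text and reject anything that is not CycloneDX."""
    data = json.loads(text)
    if data.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return data


def direct_dependencies(sbom):
    """Components the root component depends on directly.

    Uses the dependencies graph when present; otherwise assumes the export
    already lists only direct dependencies, as the Dependencies section does.
    """
    components = sbom.get("components", [])
    root_ref = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    graph = sbom.get("dependencies")
    if not graph or root_ref is None:
        return list(components)
    by_ref = {c.get("bom-ref"): c for c in components}
    for entry in graph:
        if entry.get("ref") == root_ref:
            return [by_ref[r] for r in entry.get("dependsOn", []) if r in by_ref]
    return []


def unpinned(components):
    """Names of components that carry no version (worth a look for reproducibility)."""
    return [c["name"] for c in components if not c.get("version")]


def ecosystems(components):
    """Count components per package-URL type, e.g. {'pypi': 2}."""
    counts = Counter()
    for c in components:
        purl = c.get("purl", "")
        if purl.startswith("pkg:"):
            counts[purl[4:].split("/", 1)[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    deps = direct_dependencies(load_sbom(SAMPLE_SBOM))
    for c in deps:
        print(f'{c["name"]:<15} {c.get("version") or "(unpinned)"}')
    print("unpinned:", unpinned(deps))
    print("ecosystems:", ecosystems(deps))
```

Run it with a real export by replacing `SAMPLE_SBOM` with the file contents; `direct_dependencies` only follows the root component's `dependsOn` entries, so transitive components (here `urllib3`) are left out of the summary.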
Report content
Selecting any sidebar item opens a new section on the right-hand side of the screen.
Overview is the main report section, and it opens as the landing page when you select the package name in the search results.
Navigate the Overview section
The Overview report section shows the key risks in the analyzed software package and provides insight into its quality at a glance. The look and feel of the Overview section is quite similar to the SAFE report Summary page.
For every package on Spectra Assure Community, Overview contains the following:
Report header - includes the package metadata, its SAFE verdict, and, if applicable, links to its GitHub repository, page on the ecosystem it belongs to, its official homepage, and the following categories:
- Key project, if it's on the ReversingLabs list of key or most popular projects in its ecosystem
- Top 10/100/1k/10k, if it's on the list of top X packages based on the total number of downloads
SAFE Assessment - a summary of key risks or safety concerns found in your software, grouped according to their shared characteristics. Equivalent to the SAFE Assessment panel on the SAFE report summary page
Issues - the top 5 most severe issues detected in the package version
Behaviors - the top 5 most interesting behaviors detected in the package version
Vulnerabilities - total number of detected known vulnerabilities (CVEs) per severity
Package metadata cards - total number of downloads, maintainers, dependencies declared in the package manifest, and packages that depend on this package version (dependents)
Issues per version graph - a chart showing the number of issues per package version, including the trendline, to quickly understand how the number of issues increased or decreased with each published version
FAQ section - a summary of all information from the Overview page
Understand the SAFE verdict
The SAFE verdict is an indicator of package version safety determined by a variety of factors for packages in Spectra Assure Community. These factors include:
- recorded incidents
- ReversingLabs engine analysis results
- package popularity
Before using an open source package, developers should consider other factors not included in the verdict to check how susceptible the package is to risks. These factors include the number of maintainers, package release history, handling of vulnerabilities, and more.
How is the final verdict determined?
If a sample is available on its official repository, it's processed with Spectra Core. In this case, its SAFE assessment also impacts its final verdict.
During analysis, Spectra Assure Community evaluates the whole range of versions allowed by the declared dependencies and updates the verdict to capture all risks. Considering only the latest dependency versions, which usually contain fixes, could hide issues or threats that still affect older versions within that range.
The table lists all possible verdict statuses for packages and the reasoning behind each.
| Verdict | Description |
|---|---|
| pass | The verdict is pass for a package when: |
| fail | The verdict is fail for a package when: |
| warn | The verdict is warn when Spectra Core analysis has produced a warning status due to a warning on one of the SAFE assessment categories. |
| pending | The verdict is pending for a package when: |
Share Community reports
When you share the link to a Spectra Assure Community report on social media, the link preview is automatically generated.
All vital information on the package (its name, version, verdict, and SAFE Assessment) is shown in the link preview image. From the preview, everyone who receives the link can assess the software quality at a glance and quickly decide whether to use the package in their software product.
For example, sharing the link https://secure.software/pypi/packages/rl-deploy generates the following preview image:
Create the Community badge
The Community badge is a small image that links to the Spectra Assure Community package report and precisely indicates package security health in real time. It offers a quick way to share important information about a package (name, version, verdict) and access its Spectra Assure Community report.
By generating the Community badge for their projects, maintainers can showcase their commitment to software security, boosting their reputation and increasing user trust. The badge can be added to the project description in the package registry it belongs to (like PyPI), or to its GitHub README file.
Why should you use the Community badge?
The Community badge is a practical tool for software maintainers. It helps you:
Display package status and highlight its security details. The badge is the fastest way to showcase project health and display the package name and version.
Increase discoverability and build credibility. Using a badge from a well-known service like Spectra Assure Community shows that your project relies on professional tools and takes security seriously.
Simplify communication and provide quick links. Make it easier for people to skim through and understand your project. By clicking on the badge, developers can be taken straight to the Spectra Assure Community package report.
How to generate the Community badge
To create the Community badge, insert it as an image in either Markdown or HTML into the project description or README file.
The image link must be in the following format:
https://secure.software/repository/badge/project-name
where you need to replace repository and project-name with information relevant to your software package.
This inserts the badge as an image with information about the latest published package version.
The information in the image automatically refreshes when a new version is published and analyzed.
You can make the image open the package report when clicked. To do this, copy the report link from Spectra Assure Community and add it to the image in the appropriate format (Markdown or HTML).
Markdown with report link:

```markdown
[![Spectra Assure Community Badge](https://secure.software/pypi/badge/example-project)](https://secure.software/pypi/packages/example-project)
```

HTML with report link:

```html
<a href="https://secure.software/pypi/packages/example-project">
  <img src="https://secure.software/pypi/badge/example-project" alt="Spectra Assure Community Badge">
</a>
```
The following examples from real ReversingLabs projects show what the badge looks like when it's generated:
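The badge markup above is easy to get subtly wrong by hand (a missing image part, a badge URL that does not match the report link). The following is an added example for this page, not code from ReversingLabs: a small Python helper that builds the Markdown or HTML badge for a package and checks whether a README already carries it. The URL patterns follow the documented format https://secure.software/repository/badge/project-name and the report link https://secure.software/repository/packages/project-name. Only `pypi` appears in this documentation; the other repository segments in `KNOWN_REPOSITORIES` and the percent-encoding of project names are assumptions to confirm against the website for your ecosystem.

```python
"""Build and check Spectra Assure Community badge markup for a README.

Added example for this documentation; it is not code from ReversingLabs.
URL patterns follow the documented badge format
https://secure.software/<repository>/badge/<project-name> and the report
link https://secure.software/<repository>/packages/<project-name>. Only
"pypi" appears in the documentation; the other entries in
KNOWN_REPOSITORIES and the percent-encoding rule are assumptions.
"""
import html
import re
from urllib.parse import quote

BASE = "https://secure.software"
ALT_TEXT = "Spectra Assure Community Badge"
# Assumed path segments; "pypi" is the only one shown in the documentation.
KNOWN_REPOSITORIES = {"npm", "pypi", "rubygems", "nuget"}


def _url(repository, kind, project):
    """Return https://secure.software/<repository>/<kind>/<project> after validating inputs."""
    if repository not in KNOWN_REPOSITORIES:
        raise ValueError(f"unknown repository segment: {repository!r}")
    if not project or project != project.strip():
        raise ValueError("project name must be non-empty with no surrounding whitespace")
    # Keep '@' and '/' so scoped names survive; encode anything else (assumption).
    return f"{BASE}/{repository}/{kind}/{quote(project, safe='@/')}"


def badge_url(repository, project):
    return _url(repository, "badge", project)


def report_url(repository, project):
    return _url(repository, "packages", project)


def badge_markdown(repository, project, link_to_report=True):
    """Markdown image, optionally wrapped in a link to the package report."""
    image = f"![{ALT_TEXT}]({badge_url(repository, project)})"
    if not link_to_report:
        return image
    return f"[{image}]({report_url(repository, project)})"


def badge_html(repository, project, link_to_report=True):
    """HTML <img>, optionally wrapped in an <a> pointing at the package report."""
    image = (f'<img src="{badge_url(repository, project)}" '
             f'alt="{html.escape(ALT_TEXT)}">')
    if not link_to_report:
        return image
    return f'<a href="{report_url(repository, project)}">\n  {image}\n</a>'


# Matches a badge image URL inside Markdown or HTML and captures its parts.
BADGE_RE = re.compile(r"https://secure\.software/([a-z]+)/badge/([^\s)\"'<>]+)")


def find_badges(text):
    """Return (repository, project) pairs for every badge URL found in text."""
    return [(m.group(1), m.group(2)) for m in BADGE_RE.finditer(text)]


def readme_has_badge(text, repository, project):
    """True if the README already carries the badge for this package."""
    return (repository, quote(project, safe="@/")) in find_badges(text)


if __name__ == "__main__":
    print(badge_markdown("pypi", "example-project"))
    print(badge_html("pypi", "example-project"))
```

`readme_has_badge` is the piece worth wiring into a release check: it fails closed when the README names a different project or registry than the package being published, which is the usual way a badge ends up pointing at the wrong report.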