Get started with Spectra Assure Community
ReversingLabs Spectra Assure Community is a free-to-use, no-registration-required platform where software developers, DevOps engineers, and IT security specialists can check the security status of widely distributed developer tools and open source software packages from the most popular communities.
It monitors the largest open source package and developer tool repositories to identify malware, code tampering, and indicators of software supply chain attacks, and provides comprehensive risk analysis in the form of a report. The contents of those repositories are continually analyzed by ReversingLabs and the latest findings are immediately available on the Spectra Assure Community website.
To start using Spectra Assure Community, go to the official Community website, search for a package, and select it in the list of results to view its report.
View the Community report
The Spectra Assure Community report on each open source package or developer tool provides a condensed overview of any potential risks detected during analysis.
Thanks to this format, users of all levels of experience and knowledge can understand which issues are cause for concern. This simplifies comparing multiple versions of the same open source package, and speeds up decisions on whether to use a particular package in a software project.
The package report is divided into the report header and the report tabs, described below.
Report header
The report header shows the key risks in the analyzed software package and provides insight into its quality at a glance. It is the fixed part of the report, visible at all times when switching between different report sections, and contains the following:
- Header frame, whose color matches the SAFE verdict, containing said SAFE verdict and the elapsed time since last scan
- Package name and other metadata, including description, license information, and publish date. If applicable, here you can also find links to its GitHub repository, its page on the community it belongs to, and the following categories:
  - Latest, if the version is tagged as latest on the official repository
  - Key project, if it's on the ReversingLabs list of key or most popular projects in its community
  - Top 10/100/1k/10k, if it's on the list of top X packages based on the total number of downloads
- Version dropdown, where you can choose a version of the package to view its report. For some communities (like PyPI), there is an additional dropdown, from which you can choose the package artifact
- Actions button, from which you can open the official project homepage (if applicable), create a Community badge, copy package hash, or copy package purl
- SAFE Assessment, a summary of key risks or safety concerns found in your software, grouped according to their shared characteristics. Equivalent to the SAFE Assessment panel on the SAFE report summary page
- Known incidents, if any removal or malware incidents have been detected for the package and on which version. For packages that had an incident in the two years before the latest published version, the latest version with an incident is linked
Report tabs
Use the tabs below the report header to navigate between different report sections. These tabs are always visible, so you can access them from every part of the report.
The report contains the following sections:
- Overview - key information about the package (such as publishing date and other metadata), analysis summary, popularity information and more, organized by category
- Issues - detected software quality issues with the number of affected components and violated policies
- Vulnerabilities - detected known vulnerabilities affecting the software package and the components it embeds
- Behaviors - software behaviors discovered with static code analysis
- Dependencies - direct dependencies declared by the software package through its manifest. The full list can be exported in the CycloneDX format
- Contributors - a historical list of all known contributors who worked on the software package
- Versions - a historical list of all previously published software package versions
For every report section, each tab shows the total number of detected items next to the section name.
Overview is the main report section, and it opens as the landing page when you select the package name in the search results.
Navigate the Overview section
The Overview report section shows the key risks in the analyzed software package. The look and feel of the Overview section is quite similar to the SAFE report Summary page.
For every package on Spectra Assure Community, Overview contains the following:
- Popularity cards - total number of downloads, contributors, dependencies declared in the package manifest, and packages that depend on this package version (dependents). The numbers on the Contributor and Declared Dependencies cards are clickable and take you to the corresponding tabs in the report
- Top issues - the top 5 most severe issues detected in the package version. Expand any issue in the list to see its description, prevalence in the community, and next steps needed to resolve it. Selecting the issue number takes you to the corresponding policy page in the docs, while clicking on See all issues takes you to the corresponding tab in the report
- Top behaviors - the top 5 most interesting behaviors detected in the package version. Expand any behavior in the list to see its prevalence in the community. Clicking on See all behaviors takes you to the corresponding tab in the report
- Top vulnerabilities - a graph visualizing a vulnerability exploitation lifecycle. Clicking on See all vulnerabilities takes you to the corresponding tab in the report
- FAQ section - a summary of all information from the Overview page
Understand the SAFE verdict
The SAFE verdict is an indicator of package version safety determined by a variety of factors for packages in Spectra Assure Community. These factors include:
- recorded incidents
- ReversingLabs engine analysis results
- package popularity
Before using an open source package, developers should consider other factors not included in the verdict to check how susceptible the package is to risks. These factors include the number of maintainers, package release history, handling of vulnerabilities, and more.
How is the final verdict determined?
If a sample is available on its official repository, it's processed with Spectra Core. In this case, its SAFE assessment also impacts its final verdict.
During analysis, Spectra Assure Community evaluates the whole range of versions allowed by the declared dependencies and updates the verdict to capture all risks. If only the latest versions of dependencies were taken into account, issues or threats present in older versions that still satisfy the declared range would be overlooked, because the latest versions usually contain the fixes.
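To make the point above concrete, here is an added illustration (not Spectra Assure Community's own implementation) of why a verdict computed over the whole allowed version range differs from one computed on the latest matching version only. The catalogue of versions, their per-version verdicts, the severity ranking, and the "pending" fallback for an unresolvable range are all constructed assumptions for the example; only the comparison operators of a simple comma-separated version specifier are parsed.

```python
"""Evaluate a dependency's whole allowed version range versus its latest version.

Constructed example: the catalogue and verdicts below are made up and the
logic is an illustration of the principle, not the product's implementation.
"""
import operator
from typing import Callable, Dict, List, Tuple

# Constructed catalogue: version -> per-version verdict for a hypothetical dependency.
CATALOGUE: Dict[str, str] = {
    "1.0.0": "fail",   # hypothetical: an incident was recorded for this version
    "1.1.0": "warn",
    "1.2.0": "pass",
    "1.3.0": "pass",   # latest published version
}

# Constructed severity ranking used to pick the worst verdict within a range.
SEVERITY = {"pass": 0, "pending": 1, "warn": 2, "fail": 3}

_OPS: Dict[str, Callable] = {
    ">=": operator.ge, "<=": operator.le, "==": operator.eq,
    "!=": operator.ne, ">": operator.gt, "<": operator.lt,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version like '1.2.0' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def parse_specifier(spec: str) -> List[Tuple[Callable, Tuple[int, ...]]]:
    """Parse a constraint such as '>=1.0.0,<1.3.0' into (operator, version) clauses."""
    clauses = []
    for clause in spec.split(","):
        clause = clause.strip()
        # Try two-character operators first so '>=' is not mistaken for '>'.
        for symbol in sorted(_OPS, key=len, reverse=True):
            if clause.startswith(symbol):
                clauses.append((_OPS[symbol], parse_version(clause[len(symbol):].strip())))
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return clauses


def versions_in_range(spec: str, available: List[str]) -> List[str]:
    """Return every available version that satisfies all clauses of the specifier."""
    clauses = parse_specifier(spec)
    return [
        v for v in available
        if all(op(parse_version(v), target) for op, target in clauses)
    ]


def range_verdict(spec: str, catalogue: Dict[str, str]) -> str:
    """Worst verdict across all versions the declared range would accept."""
    matching = versions_in_range(spec, list(catalogue))
    if not matching:
        return "pending"  # constructed fallback: nothing in the range has been analyzed
    return max((catalogue[v] for v in matching), key=SEVERITY.__getitem__)


def latest_only_verdict(spec: str, catalogue: Dict[str, str]) -> str:
    """Verdict of only the newest version in range, which can hide older risks."""
    matching = versions_in_range(spec, list(catalogue))
    if not matching:
        return "pending"
    return catalogue[max(matching, key=parse_version)]


if __name__ == "__main__":
    spec = ">=1.0.0"
    print("range  :", range_verdict(spec, CATALOGUE))        # fail
    print("latest :", latest_only_verdict(spec, CATALOGUE))  # pass
```

With the constructed catalogue, a manifest declaring `>=1.0.0` resolves to four versions; the latest-only view reports pass, while the range-wide view surfaces the fail recorded on 1.0.0, which is exactly the risk the paragraph above describes.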
The table lists all possible verdict statuses for packages and the reasoning behind each.
| Verdict | Description |
|---|---|
| pass | The verdict is pass for a package when: |
| fail | The verdict is fail for a package when: |
| warn | The verdict is warn when Spectra Core analysis has produced a warning status due to a warning on one of the SAFE assessment categories. |
| pending | The verdict is pending for a package when: |
Share Community reports
When you share the link to a Spectra Assure Community report on social media, the link preview is automatically generated.
All vital information on the package (its name, version, verdict, and SAFE Assessment) is shown in the link preview image. From the preview, everyone who receives the link can assess the software quality at a glance and quickly decide whether to use the package in their software product.
For example, sharing the link https://secure.software/pypi/packages/rl-deploy generates the following preview image:

Create the Community assessment badge
The Community assessment badge is a small image that links to the Spectra Assure Community package report and precisely indicates package security health in real time. It offers a quick way to share important information about a package (name, version, verdict) and access its Spectra Assure Community report.
By generating the Community assessment badge for their projects, maintainers can showcase their commitment to software security, boosting their reputation and increasing user trust. The badge can be added to the project description in the package registry it belongs to (like PyPI), or to its GitHub README file.
Why should you use the Community assessment badge?
The Community assessment badge is a practical tool for software maintainers. It helps you:
- Display package status and highlight its security details. The badge is the fastest way to showcase project health and display the package name and version.
- Increase discoverability and build credibility. Using a badge from a well-known service like Spectra Assure Community shows that your project relies on professional tools and takes security seriously.
- Simplify communication and provide quick links. Make it easier for people to skim through and understand your project. By clicking on the badge, developers can be taken straight to the Spectra Assure Community package report.
How to generate the Community assessment badge
To generate the Community assessment badge for a package, navigate to the package page on the Community website.
In the report header, click on Actions > Create badge.
This opens a pop-up that shows you the preview of the badge and allows you to copy Markdown for:
- a specific version (the package version whose page you're currently on)
- the latest version (without specified version; the badge automatically updates itself as soon as a new package version is released)
For some communities (like PyPI), the specific version link will also include the package artifact, either the default one or the one you chose in the artifact dropdown.
- Markdown with report link (specific version and artifact)
- Markdown with report link (latest version - auto-updating)
[](https://secure.software/community/packages/example-project/specific-version)
[](https://secure.software/community/packages/example-project)
After copying Markdown, you can insert it into the project description or README file. When you click on the badge, it opens the package report on the Community web.
The following examples from real ReversingLabs projects show what the badge looks like when it's generated:

