AuraBorealisApp – Do You Know What’s In Your Python Packages? A Tool For Visualizing Python Package Registry Security Audit Data

AuraBorealis is a web application for visualizing anomalous and potentially malicious code in Python package registries. It uses security audit data produced by scanning the Python Package Index (PyPI) via Aura, a static analysis designed for large scale security auditing of Python packages. The current tool is a proof-of-concept, and includes some live Aura data, as well as some mockup data for demo purposes.

Current features include:

  • Scanning the entire python package registry to:
    • List packages with the highest number of security warnings, sorted by Aura warning type
    • List packages sorted by the total and unique count of warnings
    • List packages by their overall severity score
  • Displaying security warnings for an individual package, sorted by criticality
  • Visualize the line numbers and lines of code in files generating security warnings for a specific package
  • Compare two packages for security warnings


Turn on your VPN (at IQT)

Clone the repository.

git clone

Navigate to aura-borealis-flask-app directory.

cd aura-borealis-flask-app

Install dependencies.

pip install -r requirements.txt

Run the app.


Navigate to the URL via a browser.
Feature Roadmap

  • Compare a package to a benchmark profile of packages of similar purpose for security warnings
  • Compare different versions of the same package for security warnings
  • List packages that have changes in their warnings and/or severity score between two dates
  • Ability to scan an internal package/registry that’s not public on PyPI
  • Display an analysis of permissions (does this package make a network connection? Does this package require OS-level library permissions?)

Contact Information (John Speed Meyers, IQT Labs, Secure Code Reuse project lead).

The lead developer and creator of Aura is Martin Carnogusky of
Related Work

Download AuraBorealisApp

Leave a Reply

Your email address will not be published. Required fields are marked *