OSS Package Search
Available for Enterprise Tier Only
OSS Package Search lets you quickly identify where specific open-source packages appear across your organization — from pull requests and repositories to developer machines. When a package is found to be compromised or vulnerable, you can use this feature to understand your blast radius and take targeted remediation steps.
You can search at the organization level or across your entire tenant, depending on your scope of access.
Supported ecosystems
OSS Package Search supports the following package ecosystems:
npm — the Node.js package registry
PyPI — the Python Package Index
Select the ecosystem from the Package ecosystem toggle at the top of the search form.

Search Scope
OSS Package Search covers two surfaces:
CI/CD and Repositories — identifies where a package was introduced across pull requests and default branches. Results link directly to the PR where the dependency was added, so you can revert or patch it quickly.
Developer Machines — identifies where a package is installed on developer endpoints, including packages installed by AI coding agents and tools. For each match, the search returns the exact file path and package manager used, which you can use to build an MDM or EDR remediation script and verify removal after cleanup.
Supported Files
OSS Package Search inspects the following dependency and lock files when indexing packages from CI/CD pipelines, repositories, and developer machines.
npm ecosystem
npm: package-lock.json
Yarn: yarn.lock
pnpm: pnpm-lock.yaml, pnpm-lock.yml
Bun: bun.lock
PyPI ecosystem
pip: requirements*.txt, requirements*.in, files inside a requirements/ directory, setup.py, setup.cfg
Poetry: poetry.lock
uv: uv.lock
Pipenv: Pipfile.lock
Conda: environment.yml, environment.yaml
PyLock: pylock.toml, pylock.<name>.toml
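Checking one repository checkout against the file formats listed above, as an added example that is not StepSecurity's own code: it pulls (name, version) pairs out of package-lock.json, requirements*.txt/.in, Pipfile.lock, poetry.lock, uv.lock and pylock.toml, applies the Package ecosystem toggle, and reports every file in which a given package (optionally limited to specific versions) is pinned. The sample files and the package name example-pkg are constructed; yarn.lock, pnpm-lock, bun.lock, conda and setup.* files are not parsed here.

```python
import json
import re

def pep503(name: str) -> str:
    """PyPI names compare case-insensitively with '-', '_' and '.' treated alike (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_lockfile(fname: str, text: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs from one of the dependency files the page lists (subset)."""
    if fname == "package-lock.json":
        # keys look like "node_modules/a/node_modules/@s/b"; the tail after the last node_modules/ is the name
        pkgs = json.loads(text).get("packages", {})
        return [(k.rsplit("node_modules/", 1)[-1], v.get("version", "")) for k, v in pkgs.items() if k]
    if fname == "Pipfile.lock":
        data = json.loads(text)
        return [(pep503(n), m.get("version", "").lstrip("="))
                for sec in ("default", "develop") for n, m in data.get(sec, {}).items()]
    if fname in ("poetry.lock", "uv.lock") or re.fullmatch(r"pylock(\.[^.]+)?\.toml", fname):
        # poetry.lock and uv.lock use [[package]] tables, pylock.toml (PEP 751) uses [[packages]]
        pairs = re.findall(r'\[\[packages?\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"', text)
        return [(pep503(n), v) for n, v in pairs]
    if re.fullmatch(r"requirements.*\.(txt|in)", fname):
        hits = []
        for line in text.splitlines():  # strip comments, keep "name[extras]==version ; marker"
            m = re.match(r"([A-Za-z0-9_.\-]+)(\[[^\]]*\])?==([^\s;]+)", line.split("#", 1)[0].strip())
            if m:
                hits.append((pep503(m.group(1)), m.group(3)))
        return hits
    return []  # yarn.lock, pnpm-lock.yaml, bun.lock, conda and setup.* are not handled here

def find_package(files: dict[str, str], ecosystem: str, package: str, versions: "set[str] | None" = None) -> list[dict]:
    """List every file (and pinned version) in which `package` appears, honouring the ecosystem toggle."""
    query = package if ecosystem == "npm" else pep503(package)
    results = []
    for fname, text in files.items():
        if (fname == "package-lock.json") != (ecosystem == "npm"):
            continue  # npm search looks only at npm files, PyPI search only at Python files
        for name, ver in parse_lockfile(fname, text):
            if name == query and (versions is None or ver in versions):
                results.append({"file": fname, "version": ver})
    return results

# Constructed sample files standing in for a repository checkout; "example-pkg" is a placeholder name.
SAMPLES = {
    "package-lock.json": json.dumps({"packages": {"": {"name": "app"}, "node_modules/example-pkg": {"version": "1.3.0"},
        "node_modules/other/node_modules/example-pkg": {"version": "1.2.0"}}}),
    "requirements-dev.txt": "requests==2.31.0\nExample_Pkg[extra]==1.3.0 ; python_version>='3.8'  # pinned\n",
    "Pipfile.lock": json.dumps({"default": {"example.pkg": {"version": "==1.1.0"}}, "develop": {}}),
    "uv.lock": '[[package]]\nname = "example-pkg"\nversion = "1.3.0"\n\n[[package]]\nname = "requests"\nversion = "2.32.0"\n',
}
```

Run `find_package(SAMPLES, "pypi", "Example.Pkg")` to see that the query is normalised the way PyPI does it and matches `Example_Pkg` and `example.pkg` across three files.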
How to Use OSS Package Search
Step 1: Navigate to StepSecurity Dashboard → OSS Package Search

Step 2: Configure your search filters
Search Scope — choose Organization Search to search within your current organization, or Tenant Search to search across all organizations in your tenant.
Package ecosystem — choose npm or PyPI.
Search Type — choose Custom Search to specify packages manually, or Compromised Packages Search to focus on known compromised or vulnerable packages.
Repository — optionally narrow results to a specific repository.
Seen In — filter by where the package was detected. Options include All (PRs, Default Branch & Dev Machines), or a specific surface.
Time Range — optionally select a date range to limit results.

Step 3: Add the packages you want to search for.
Enter a package name and, if applicable, one or more specific versions. Click Add Package to add more packages to the same search. Results can be exported as CSV.

Step 4: Run the search and review results.
Matching results show the default branches, PRs and developer machines where the package was found. Click any result to view details — for CI/CD results this links to the corresponding pull request; for developer machine results this shows the install path and package manager.

Step 5: Remediate
For CI/CD findings, revert the affected PR or patch the dependency directly.
For developer machine findings, use the file path information to build a removal script via your MDM or EDR tooling. After running the script, rescan the device to confirm the package is no longer present.

For a complete guide to preventing, detecting, and responding to npm attacks, see NPM Supply Chain Security.