Python Package

Security Overview

Overview of all security checks available in ManifestGuard.

Early Access: Until 2026-12-31

mgpy uses a layered security strategy: repository hygiene, build validation, runtime licensing and release verification all support each other.

Key points

  • CLI: On Windows the examples use the recommended py -3.12 -m <module> ... form (for example py -3.12 -m manifestguard ...). On Linux/macOS this usually maps to python3.12 -m ....
  • Security coverage does not stop at source code: built wheels, hooks, CI configuration and local activation data are in scope as well.
  • Inline suppressions are exception tools, not the standard workflow.
  • A secure release path is only credible when local and CI checks cover the same risks.

Recommended mgpy workflow

  1. Review development, build and distribution concerns separately, then merge them into one release view.
  2. Run the pre-release check and security scan together before every release.
  3. Treat license status, artifact content and static findings as one approval package.

Quick start

invoke pre-release-check
invoke security-scan
py -3.12 -m manifestguard license status
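The workflow above (run the pre-release check and the security scan together, then treat license status, artifact content and static findings as one approval package) carried through as a single gate script. This is an added example, not code from mgpy or ManifestGuard: it assumes that each of the three quick-start commands exits non-zero on a blocking finding, and that the script itself is launched with the Python 3.12 interpreter, so sys.executable stands in for py -3.12 / python3.12. The CheckResult type and the function names are this example's own.

```python
import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckResult:
    """Outcome of one release check (hypothetical helper, not an mgpy type)."""
    name: str
    returncode: int
    output: str

    @property
    def passed(self) -> bool:
        return self.returncode == 0


# The three commands from the quick start. Assumptions: each exits non-zero on
# a blocking finding, and this script is itself launched with the Python 3.12
# interpreter, so sys.executable stands in for "py -3.12" / "python3.12".
RELEASE_CHECKS = {
    "pre-release-check": ["invoke", "pre-release-check"],
    "security-scan": ["invoke", "security-scan"],
    "license-status": [sys.executable, "-m", "manifestguard", "license", "status"],
}


def run_check(name, argv, timeout=600):
    """Run one check and capture its exit code and combined output.

    A missing tool or a hang is recorded as a failure rather than raised, so
    the gate still reports every other check.
    """
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError as exc:
        return CheckResult(name, 127, f"command not found: {exc}")
    except subprocess.TimeoutExpired:
        return CheckResult(name, 124, f"timed out after {timeout}s")
    return CheckResult(name, proc.returncode, proc.stdout + proc.stderr)


def run_release_gate(checks=RELEASE_CHECKS, timeout=600):
    """Run every check, even after a failure: the approval package should show
    all findings at once, not just the first one."""
    return [run_check(name, argv, timeout) for name, argv in checks.items()]


def gate_passed(results):
    """The release is approved only if every check passed."""
    return all(r.passed for r in results)


def format_report(results):
    """One approval package: a PASS/FAIL line per check plus the verdict."""
    lines = [f"[{'PASS' if r.passed else 'FAIL'}] {r.name} (exit {r.returncode})"
             for r in results]
    lines.append("RELEASE " + ("APPROVED" if gate_passed(results) else "BLOCKED"))
    return "\n".join(lines)


if __name__ == "__main__":
    results = run_release_gate()
    print(format_report(results))
    for r in results:
        if not r.passed:
            print(f"--- {r.name} output ---\n{r.output}")
    sys.exit(0 if gate_passed(results) else 1)
```

Run it as the last step before tagging a release. Because it exits non-zero whenever any check fails, the same script can gate both a local release and a CI job, which is what the key point about local and CI checks covering the same risks asks for.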

Requirements

  • Installation interpreter: Python 3.12 + pip. Recommended default path for installation and CLI calls.
  • Project target versions: Python 3.8 to 3.12. These are the project/runtime targets mgpy can analyze.
  • mgpy runtime: validated on Python 3.10 to 3.13. The tool runtime itself is covered for this range.
  • CLI invocation: Windows py -3.12 -m manifestguard; on Linux/macOS this usually maps to python3.12 -m manifestguard.
  • Runtime packages: tomlkit, click, pydantic, packaging, watchdog, PyNaCl, rfc8785. tomli is only added for Python below 3.11.
  • Offline / wheel install: optional, via pip --no-index or a local wheel. Useful for air-gapped or approved bundle distribution paths.