Add proxy support for pypi package managers (#150)

Sahilb315 · web-flow · commit f1891271c122 · 2026-02-05T13:30:27.000+05:30
* initial pypi registry implementation

* support proxy mode for pypi package managers

* support proxy mode for pypi package managers - 2

* rm default mode as proxy for pip3

* update goproxy version &amp; fix pypi proxy failing on 304

* add PIP_RETRIES=0 env

* update pmg e2e &amp; add proxy mode e2e for pypi

* rm safedep-test-pkg for pypi proxy e2e
diff --git a/.github/workflows/pmg-e2e.yml b/.github/workflows/pmg-e2e.yml
diff --git a/cmd/pypi/pip.go b/cmd/pypi/pip.go
@@ -53,5 +53,9 @@ func executePipFlow(ctx context.Context, args []string) error {
 		return fmt.Errorf("failed to create dependency resolver: %w", err)
 	}
 
+	if config.IsProxyModeEnabled() {
+		return flows.ProxyFlow(packageManager, packageResolver).Run(ctx, args, parsedCommand)
+	}
+
 	return flows.Common(packageManager, packageResolver).Run(ctx, args, parsedCommand)
 }
diff --git a/cmd/pypi/pip3.go b/cmd/pypi/pip3.go
@@ -53,5 +53,9 @@ func executePip3Flow(ctx context.Context, args []string) error {
 		return fmt.Errorf("failed to create dependency resolver: %w", err)
 	}
 
+	if config.IsProxyModeEnabled() {
+		return flows.ProxyFlow(packageManager, packageResolver).Run(ctx, args, parsedCommand)
+	}
+
 	return flows.Common(packageManager, packageResolver).Run(ctx, args, parsedCommand)
 }
diff --git a/cmd/pypi/poetry.go b/cmd/pypi/poetry.go
@@ -52,5 +52,9 @@ func executePoetryFlow(ctx context.Context, args []string) error {
 		return fmt.Errorf("failed to create dependency resolver: %w", err)
 	}
 
+	if config.IsProxyModeEnabled() {
+		return flows.ProxyFlow(packageManager, packageResolver).Run(ctx, args, parsedCommand)
+	}
+
 	return flows.Common(packageManager, packageResolver).Run(ctx, args, parsedCommand)
 }
diff --git a/cmd/pypi/uv.go b/cmd/pypi/uv.go
@@ -52,5 +52,9 @@ func executeUvFlow(ctx context.Context, args []string) error {
 		return fmt.Errorf("failed to create dependency resolver: %w", err)
 	}
 
+	if config.IsProxyModeEnabled() {
+		return flows.ProxyFlow(packageManager, packageResolver).Run(ctx, args, parsedCommand)
+	}
+
 	return flows.Common(packageManager, packageResolver).Run(ctx, args, parsedCommand)
 }
diff --git a/docs/proxy-mode.md b/docs/proxy-mode.md
@@ -31,6 +31,6 @@ proxy_mode: true
 | `pnpx`          | ✅      |
 | `bun`           | ✅      |
 | `yarn`          | ✅      |
-| `pip`           | 🕒      |
-| `uv`            | 🕒      |
-| `poetry`        | 🕒      |
+| `pip`           | ✅      |
+| `uv`            | ✅      |
+| `poetry`        | ✅      |
diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	buf.build/gen/go/safedep/api/grpc/go v1.5.1-20250418165058-162f6b0cc319.2
 	buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.6-20250418165058-162f6b0cc319.1
 	github.com/Masterminds/semver v1.5.0
-	github.com/elazarl/goproxy v1.7.2
+	github.com/elazarl/goproxy v1.8.1
 	github.com/fatih/color v1.18.0
 	github.com/google/osv-scalibr v0.2.1
 	github.com/google/uuid v1.6.0
@@ -20,7 +20,7 @@ require (
 	github.com/spf13/pflag v1.0.10
 	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
-	golang.org/x/term v0.34.0
+	golang.org/x/term v0.39.0
 	google.golang.org/grpc v1.72.0
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -213,12 +213,12 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
-	golang.org/x/mod v0.26.0 // indirect
-	golang.org/x/net v0.42.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
-	golang.org/x/tools v0.35.0 // indirect
+	golang.org/x/mod v0.31.0 // indirect
+	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.40.0 // indirect
+	golang.org/x/text v0.33.0 // indirect
+	golang.org/x/tools v0.40.0 // indirect
 	golang.org/x/tools/go/expect v0.1.1-deprecated // indirect
 	golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect
diff --git a/go.sum b/go.sum
@@ -86,6 +86,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 h1:Om6kYQYDUk5wWbT0t0q6pvyM49i9XZAv9dDrkDA7gjk=
 github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
+github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
+github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/curioswitch/go-reassign v0.3.0 h1:dh3kpQHuADL3cobV/sSGETA8DOv457dwl+fbBAhrQPs=
 github.com/curioswitch/go-reassign v0.3.0/go.mod h1:nApPCCTtqLJN/s8HfItCcKV0jIPwluBOvZP+dsJGA88=
@@ -99,8 +101,8 @@ github.com/denis-tingaikin/go-header v0.5.0 h1:SRdnP5ZKvcO9KKRP1KJrhFR3RrlGuD+42
 github.com/denis-tingaikin/go-header v0.5.0/go.mod h1:mMenU5bWrok6Wl2UsZjy+1okegmwQ3UgWl4V1D8gjlY=
 github.com/dlclark/regexp2 v1.11.4 h1:rPYF9/LECdNymJufQKmri9gV604RvvABwgOA8un7yAo=
 github.com/dlclark/regexp2 v1.11.4/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
-github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
+github.com/elazarl/goproxy v1.8.1 h1:/qGpPJGgIPOTZ7IoIQvjavocp//qYSe9LQnIGCgRY5k=
+github.com/elazarl/goproxy v1.8.1/go.mod h1:b5xm6W48AUHNpRTCvlnd0YVh+JafCCtsLsJZvvNTz+E=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -563,8 +565,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -584,8 +586,8 @@ golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
-golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
+golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
+golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -598,8 +600,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -624,8 +626,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
@@ -634,8 +636,8 @@ golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
-golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
+golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
+golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -646,8 +648,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
+golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -673,8 +675,8 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
-golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
-golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
 golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
 golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
diff --git a/internal/flows/proxy_flow.go b/internal/flows/proxy_flow.go
@@ -299,6 +299,7 @@ func (f *proxyFlow) setupEnvForProxy(proxyAddr, caCertPath string) []string {
 		fmt.Sprintf("REQUESTS_CA_BUNDLE=%s", caCertPath),
 		fmt.Sprintf("PIP_CERT=%s", caCertPath),
 		fmt.Sprintf("PIP_PROXY=%s", proxyURL),
+		"PIP_RETRIES=0",
 	)
 
 	return env
diff --git a/proxy/interceptors/factory.go b/proxy/interceptors/factory.go
@@ -43,6 +43,14 @@ func (f *InterceptorFactory) CreateInterceptor(ecosystem packagev1.Ecosystem) (p
 			f.confirmationChan,
 		), nil
 
+	case packagev1.Ecosystem_ECOSYSTEM_PYPI:
+		return NewPypiRegistryInterceptor(
+			f.analyzer,
+			f.cache,
+			f.statsCollector,
+			f.confirmationChan,
+		), nil
+
 	default:
 		return nil, fmt.Errorf("proxy-based interception not yet supported for ecosystem: %s", ecosystem.String())
 	}
@@ -52,6 +60,7 @@ func (f *InterceptorFactory) CreateInterceptor(ecosystem packagev1.Ecosystem) (p
 func SupportedEcosystems() []packagev1.Ecosystem {
 	return []packagev1.Ecosystem{
 		packagev1.Ecosystem_ECOSYSTEM_NPM,
+		packagev1.Ecosystem_ECOSYSTEM_PYPI,
 	}
 }
 
diff --git a/proxy/interceptors/pypi_registry.go b/proxy/interceptors/pypi_registry.go
@@ -0,0 +1,131 @@
+package interceptors
+
+import (
+	packagev1 "buf.build/gen/go/safedep/api/protocolbuffers/go/safedep/messages/package/v1"
+	"github.com/safedep/dry/log"
+	"github.com/safedep/pmg/analyzer"
+	"github.com/safedep/pmg/proxy"
+)
+
+var pypiRegistryDomains = registryConfigMap{
+	"files.pythonhosted.org": {
+		Host:                 "files.pythonhosted.org",
+		SupportedForAnalysis: true,
+		Parser:               pypiFilesParser{},
+	},
+	"pypi.org": {
+		Host:                 "pypi.org",
+		SupportedForAnalysis: true,
+		Parser:               pypiOrgParser{},
+	},
+	// Test PyPI instance
+	"test.pypi.org": {
+		Host:                 "test.pypi.org",
+		SupportedForAnalysis: false, // Skip analysis for test PyPI
+		Parser:               pypiOrgParser{},
+	},
+	"test-files.pythonhosted.org": {
+		Host:                 "test-files.pythonhosted.org",
+		SupportedForAnalysis: false, // Skip analysis for test PyPI files
+		Parser:               pypiFilesParser{},
+	},
+}
+
+// PypiRegistryInterceptor intercepts PyPI registry requests and analyzes packages for malware
+// It embeds baseRegistryInterceptor to reuse ecosystem agnostic functionality
+type PypiRegistryInterceptor struct {
+	baseRegistryInterceptor
+}
+
+var _ proxy.Interceptor = (*PypiRegistryInterceptor)(nil)
+
+// NewPypiRegistryInterceptor creates a new PyPI registry interceptor
+func NewPypiRegistryInterceptor(
+	analyzer analyzer.PackageVersionAnalyzer,
+	cache AnalysisCache,
+	statsCollector *AnalysisStatsCollector,
+	confirmationChan chan *ConfirmationRequest,
+) *PypiRegistryInterceptor {
+	return &PypiRegistryInterceptor{
+		baseRegistryInterceptor: baseRegistryInterceptor{
+			analyzer:         analyzer,
+			cache:            cache,
+			statsCollector:   statsCollector,
+			confirmationChan: confirmationChan,
+		},
+	}
+}
+
+// Name returns the interceptor name for logging
+func (i *PypiRegistryInterceptor) Name() string {
+	return "pypi-registry-interceptor"
+}
+
+// ShouldIntercept determines if this interceptor should handle the given request
+func (i *PypiRegistryInterceptor) ShouldIntercept(ctx *proxy.RequestContext) bool {
+	return pypiRegistryDomains.ContainsHostname(ctx.Hostname)
+}
+
+// HandleRequest processes the request and returns response action
+// We take a fail-open approach here, allowing requests that we can't parse the package information from the URL.
+func (i *PypiRegistryInterceptor) HandleRequest(ctx *proxy.RequestContext) (*proxy.InterceptorResponse, error) {
+	log.Debugf("[%s] Handling PyPI registry request: %s", ctx.RequestID, ctx.URL.Path)
+
+	// Get registry configuration
+	config := pypiRegistryDomains.GetConfigForHostname(ctx.Hostname)
+	if config == nil {
+		// Shouldn't happen if ShouldIntercept is working correctly
+		log.Warnf("[%s] No registry config found for hostname: %s", ctx.RequestID, ctx.Hostname)
+		return &proxy.InterceptorResponse{Action: proxy.ActionAllow}, nil
+	}
+
+	// Skip analysis for registries that are not supported for analysis
+	if !config.SupportedForAnalysis {
+		log.Debugf("[%s] Skipping analysis for %s registry (not supported for analysis): %s",
+			ctx.RequestID, config.Host, ctx.URL.String())
+		return &proxy.InterceptorResponse{Action: proxy.ActionAllow}, nil
+	}
+
+	// Parse URL using registry-specific strategy
+	pkgInfo, err := config.Parser.ParseURL(ctx.URL.Path)
+	if err != nil {
+		log.Warnf("[%s] Failed to parse PyPI registry URL %s for %s: %v",
+			ctx.RequestID, ctx.URL.Path, config.Host, err)
+		return &proxy.InterceptorResponse{Action: proxy.ActionAllow}, nil
+	}
+
+	// Only analyze actual file downloads (sdist or wheel)
+	// Metadata requests (Simple API or JSON API) are allowed through
+	if !pkgInfo.IsFileDownload() {
+		log.Debugf("[%s] Skipping analysis for metadata request: %s", ctx.RequestID, pkgInfo.GetName())
+		return &proxy.InterceptorResponse{Action: proxy.ActionAllow}, nil
+	}
+
+	// Ensure we have both name and version for analysis
+	if pkgInfo.GetName() == "" || pkgInfo.GetVersion() == "" {
+		log.Warnf("[%s] Incomplete package info from URL %s: name=%s, version=%s",
+			ctx.RequestID, ctx.URL.Path, pkgInfo.GetName(), pkgInfo.GetVersion())
+		return &proxy.InterceptorResponse{Action: proxy.ActionAllow}, nil
+	}
+
+	// Get file type for logging if available
+	fileType := ""
+	if pypiInfo, ok := pkgInfo.(*pypiPackageInfo); ok {
+		fileType = pypiInfo.FileType()
+	}
+	log.Debugf("[%s] Analyzing PyPI package: %s@%s (type: %s)",
+		ctx.RequestID, pkgInfo.GetName(), pkgInfo.GetVersion(), fileType)
+
+	result, err := i.analyzePackage(
+		ctx,
+		packagev1.Ecosystem_ECOSYSTEM_PYPI,
+		pkgInfo.GetName(),
+		pkgInfo.GetVersion(),
+	)
+	if err != nil {
+		log.Errorf("[%s] Failed to analyze package %s@%s: %v", ctx.RequestID, pkgInfo.GetName(), pkgInfo.GetVersion(), err)
+		return &proxy.InterceptorResponse{Action: proxy.ActionAllow}, nil
+	}
+
+	return i.handleAnalysisResult(ctx, packagev1.Ecosystem_ECOSYSTEM_PYPI, pkgInfo.GetName(), pkgInfo.GetVersion(), result)
+}
diff --git a/proxy/interceptors/pypi_url_parser.go b/proxy/interceptors/pypi_url_parser.go
diff --git a/proxy/interceptors/pypi_url_parser_test.go b/proxy/interceptors/pypi_url_parser_test.go

Original file line number	Diff line number	Diff line change
`@@ -53,5 +53,9 @@ func executePipFlow(ctx context.Context, args []string) error {`
`53`	`53`	`return fmt.Errorf("failed to create dependency resolver: %w", err)`
`54`	`54`	`}`
`55`	`55`
	`56`	`+ if config.IsProxyModeEnabled() {`
	`57`	`+ return flows.ProxyFlow(packageManager, packageResolver).Run(ctx, args, parsedCommand)`
	`58`	`+ }`
	`59`	`+`
`56`	`60`	`return flows.Common(packageManager, packageResolver).Run(ctx, args, parsedCommand)`
`57`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,5 +53,9 @@ func executePip3Flow(ctx context.Context, args []string) error {`
`53`	`53`	`return fmt.Errorf("failed to create dependency resolver: %w", err)`
`54`	`54`	`}`
`55`	`55`
	`56`	`+ if config.IsProxyModeEnabled() {`
	`57`	`+ return flows.ProxyFlow(packageManager, packageResolver).Run(ctx, args, parsedCommand)`
	`58`	`+ }`
	`59`	`+`
`56`	`60`	`return flows.Common(packageManager, packageResolver).Run(ctx, args, parsedCommand)`
`57`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -52,5 +52,9 @@ func executePoetryFlow(ctx context.Context, args []string) error {`
`52`	`52`	`return fmt.Errorf("failed to create dependency resolver: %w", err)`
`53`	`53`	`}`
`54`	`54`
	`55`	`+ if config.IsProxyModeEnabled() {`
	`56`	`+ return flows.ProxyFlow(packageManager, packageResolver).Run(ctx, args, parsedCommand)`
	`57`	`+ }`
	`58`	`+`
`55`	`59`	`return flows.Common(packageManager, packageResolver).Run(ctx, args, parsedCommand)`
`56`	`60`	`}`
Original file line number	Diff line number	Diff line change
`@@ -52,5 +52,9 @@ func executeUvFlow(ctx context.Context, args []string) error {`
`52`	`52`	`return fmt.Errorf("failed to create dependency resolver: %w", err)`
`53`	`53`	`}`
`54`	`54`
	`55`	`+ if config.IsProxyModeEnabled() {`
	`56`	`+ return flows.ProxyFlow(packageManager, packageResolver).Run(ctx, args, parsedCommand)`
	`57`	`+ }`
	`58`	`+`
`55`	`59`	`return flows.Common(packageManager, packageResolver).Run(ctx, args, parsedCommand)`
`56`	`60`	`}`
Original file line number	Diff line number	Diff line change
`@@ -299,6 +299,7 @@ func (f *proxyFlow) setupEnvForProxy(proxyAddr, caCertPath string) []string {`
`299`	`299`	`fmt.Sprintf("REQUESTS_CA_BUNDLE=%s", caCertPath),`
`300`	`300`	`fmt.Sprintf("PIP_CERT=%s", caCertPath),`
`301`	`301`	`fmt.Sprintf("PIP_PROXY=%s", proxyURL),`
	`302`	`+ "PIP_RETRIES=0",`
`302`	`303`	`)`
`303`	`304`
`304`	`305`	`return env`