Enhancing container security by performing container vulnerability reduction based on static analysis of dynamically loaded symbols and system call blocking
US-2024220632-A1 · Jul 4, 2024 · US
US10055576B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10055576-B2 |
| Application number | US-201715729304-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 10, 2017 |
| Priority date | Oct 6, 2010 |
| Publication date | Aug 21, 2018 |
| Grant date | Aug 21, 2018 |
Official abstract text for this publication.
Systems and methods for a security tool that verifies the security of a software package. An example method may involve identifying a plurality of components contained in a software package comprising one of a JAR file, an Android application package, a docker image, a container file, or a virtual machine image; comparing the components contained in the software package to a list of known components; classifying the software package as insecure when at least one of the components matches an insecure component, or as secure when each of the compared components matches a corresponding secure component on the list of known components; preventing addition of the software package to a software repository when the software package is classified as insecure; and when insecure, providing an interface to enable a user to request the components of the software package be added as a secure component on the list of known components.
Claims text for this publication (all twenty claims are reproduced below).
What is claimed is:
1. A method comprising: identifying, by a processor executing a security tool, a plurality of components contained in a software package comprising one of a java archive (JAR) file, an Android application package, a docker image, a container file, or a virtual machine image; comparing, by the processor, the plurality of components contained in the software package to a list of known components; classifying, by the processor, the software package as insecure when at least one of the plurality of compared components matches an insecure component on the list of known components, or as secure when each of the plurality of compared components matches a corresponding secure component on the list of known components; preventing, by the processor executing the security tool, addition of the software package to a software repository when the software package is classified as insecure; and in response to the at least one of the plurality of compared components matching the insecure component, providing, by the processor executing the security tool, an interface to enable a user to request the at least one of the plurality of compared components of the software package be added as a secure component on the list of known components.
2. The method of claim 1, wherein comparing the plurality of components comprises comparing a hashed version of the plurality of components contained in the software package to hashed versions of insecure components on the list of known components.
3. The method of claim 1, wherein the software package is a new software package added to the software repository.
4. The method of claim 1, wherein the plurality of components contained in the software package comprises an archival file contained in the software package.
5. The method of claim 1, wherein the software package comprises a container file and wherein the software repository comprises a container repository.
6. The method of claim 1, wherein the software package comprises a virtual machine image and wherein the software repository comprises a virtual machine repository.
7. The method of claim 1, wherein the software package comprises a docker image file and wherein the software repository comprises one of a docker registry and a docker repository.
8. The method of claim 1 further comprising, allowing, by the processor, addition of the software package to the software repository when the software package is classified as secure.
9. A non-transitory computer readable medium comprising instructions to cause a processor to: identify, by the processor executing a security tool, a plurality of components contained in a software package comprising one of a Java archive (JAR) file, an Android application package, a docker image, a container file, or a virtual machine image; compare, by the processor, the plurality of components contained in the software package to a list of known components; classify, by the processor, the software package as insecure when at least one of the plurality of compared components matches an insecure component on the list of known components, or as secure when each of the plurality of compared components matches a corresponding secure component on the list of known components; prevent, by the processor executing the security tool, addition of the software package to a software repository when the software package is classified as insecure; and in response to the at least one of the plurality of compared components matching the insecure component, provide, by the processor executing the security tool, an interface to enable a user to request the at least one of the plurality of compared components of the software package be added as a secure component on the list of known components.
10. The non-transitory computer readable medium of claim 9, wherein to compare the plurality of components comprises the processor to compare a hashed version of the plurality of components contained in the software package to hashed versions of insecure components on the list of known components.
11. The non-transitory computer readable medium of claim 9, wherein the plurality of components contained in the software package comprise an archival file contained in the software package.
12. The non-transitory computer readable medium of claim 9, wherein the software package comprises a container file and wherein the software repository comprises a container repository.
13. The non-transitory computer readable medium of claim 9, wherein the software package comprises a virtual machine image and wherein the software repository comprises a virtual machine repository.
14. The non-transitory computer readable medium of claim 9, wherein the software package comprises a docker image file and wherein the software repository comprises one of a docker registry and a docker repository.
15. An apparatus comprising: a memory to contain instructions; and a processor, operatively coupled to the memory, to execute a security tool, the processor to: identify plurality of components contained in a software package comprising one of a Java archive (JAR) file, an Android application package, a docker image, a container file, or a virtual machine image; compare the plurality of components contained in the software package to a list of known components; classify the software package as insecure in response to at least one of the plurality of compared components matching an insecure component on the list of known components, or as secure when each of the plurality of compared components matches a corresponding secure component on the list of known components; prevent addition of the software package to a software repository when the software package is classified as insecure; and in response to the at least one of the plurality of compared components matching the insecure component, provide an interface to enable a user to request the at least one of the plurality of compared components of the software package be added as a secure component on the list of known components.
16. The apparatus of claim 15, wherein the plurality of components contained in the software package comprises an archival file contained in the software package.
17. The apparatus of claim 15, wherein the software package comprises a container file and wherein the software repository comprises a container repository.
18. The apparatus of claim 15, wherein the software package comprises a virtual machine image and wherein the software repository comprises a virtual machine repository.
19. The apparatus of claim 15, wherein the software package comprises a docker image file and wherein the software repository comprises one of a docker registry and a docker repository.
20. The apparatus of claim 15, the processor further to, allow addition of the software package to the software repository when the software package is classified as secure.
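Worked example of the admission gate the abstract and claims 1, 2, 4 and 8 describe. This is an added illustration written for this page, not code from the patent, its assignee, or any product; it reads components out of a zip-based package (a JAR or APK is a zip file; a docker layer tarball would need tarfile instead), identifies each by the SHA-256 of its bytes as claim 2 describes, descends into nested archives as claim 4 allows, and only stores a package in the repository when every component matched the secure side of the list. The request/approve pair is one reading of the claim's "request as secure" interface and is an assumption, as are the package and component names; every sample byte string and digest is constructed for the example and none is a real library or malware hash.

```python
"""Hash-based package admission gate in the shape of claims 1, 2, 4 and 8.

Added example, not code from the patent or its assignee. A component is a file entry of a
zip-based package and is identified by the SHA-256 of its bytes (claim 2); archives found
inside the package are descended into (claim 4). All bytes and digests below are constructed.
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    SECURE = "secure"      # every component matched a secure entry
    INSECURE = "insecure"  # at least one component matched an insecure entry
    UNKNOWN = "unknown"    # no insecure match, but some component is on neither list


@dataclass
class Classification:
    verdict: Verdict
    insecure_components: list = field(default_factory=list)
    unknown_components: list = field(default_factory=list)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def iter_components(package: bytes, prefix: str = ""):
    """Yield (path, bytes) for every file entry, recursing into archives found inside."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            path = prefix + info.filename
            yield path, data                      # the entry itself is a component...
            if zipfile.is_zipfile(io.BytesIO(data)):
                yield from iter_components(data, prefix=path + "!/")  # ...and so are its contents


def classify(package: bytes, secure: set, insecure: set) -> Classification:
    """Claim 1's classification. A component on neither list is neither secure nor insecure,
    so the package is only SECURE when every component matched the secure side of the list."""
    bad, unknown = [], []
    for path, data in iter_components(package):
        digest = sha256(data)
        if digest in insecure:
            bad.append(path)
        elif digest not in secure:
            unknown.append(path)
    if bad:
        return Classification(Verdict.INSECURE, bad, unknown)
    if unknown:
        return Classification(Verdict.UNKNOWN, [], unknown)
    return Classification(Verdict.SECURE)


class Repository:
    """Toy package repository; admit() is the gate of claims 1 and 8. The request/approve
    pair is an assumed reading of the claim's 'request as secure' interface."""

    def __init__(self, secure: set, insecure: set):
        self.secure, self.insecure = set(secure), set(insecure)
        self.packages: dict = {}
        self.pending_requests: list = []

    def admit(self, name: str, package: bytes) -> Classification:
        result = classify(package, self.secure, self.insecure)
        if result.verdict is Verdict.SECURE:
            self.packages[name] = package         # only a SECURE package is stored
        return result

    def request_mark_secure(self, digest: str, requester: str) -> None:
        self.pending_requests.append((digest, requester))

    def approve(self, digest: str) -> None:
        """A reviewer moving a digest from the insecure side of the list to the secure side."""
        self.pending_requests = [r for r in self.pending_requests if r[0] != digest]
        self.insecure.discard(digest)
        self.secure.add(digest)


def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins for class files; "Bad" plays a known-vulnerable build.
MANIFEST = b"Manifest-Version: 1.0\n"
GOOD_CLASS = b"class Good {}"
BAD_CLASS = b"class Bad {}"


def demo() -> dict:
    clean_jar = build_zip({"META-INF/MANIFEST.MF": MANIFEST, "com/example/Good.class": GOOD_CLASS})
    inner_jar = build_zip({"com/vendor/Bad.class": BAD_CLASS})
    bundled_jar = build_zip({"META-INF/MANIFEST.MF": MANIFEST, "lib/inner.jar": inner_jar})
    repo = Repository(secure={sha256(MANIFEST), sha256(GOOD_CLASS)}, insecure={sha256(BAD_CLASS)})
    results = {name: repo.admit(name, pkg)
               for name, pkg in (("clean.jar", clean_jar), ("bundled.jar", bundled_jar))}
    return {"repo": repo, "results": results,
            "packages": {"clean.jar": clean_jar, "inner.jar": inner_jar, "bundled.jar": bundled_jar}}


if __name__ == "__main__":
    for name, result in demo()["results"].items():
        print(name, result.verdict.value, result.insecure_components, result.unknown_components)
```

Two points a practitioner would check against the claim language. First, the secure branch is strict: a package whose components are merely absent from the list is not classified secure, so a new dependency that nobody has vetted is held back even though nothing matched the insecure side, which is why the example carries a separate UNKNOWN verdict. Second, matching on an exact digest only catches byte-identical copies of a known component; the same vulnerable library rebuilt, repacked with different zip metadata, or shaded into another namespace yields a different hash and passes unless its digest has also been listed.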
by virus signature recognition · CPC title
at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability · CPC title