September 30, 2023

A tool that scans Python environments for packages with known vulnerabilities has been launched. Dubbed ‘pip-audit’, it leverages the PyPI JSON API to compare installed dependencies against the Python Packaging Advisory Database, a repository of security advisories that in turn collects much of its data from the NVD.


Users can alternatively audit dependencies against the Open Source Vulnerabilities (OSV) database. Dependencies can be audited with system packages included or excluded from the scan, with or without advisory descriptions, and from a given requirements file rather than the live environment. Scan results, which can be emitted in JSON format, include package names, installed versions, fixed versions, and the advisory descriptions.

The tool is not the only application that scans for flaws in Python environments, with existing alternatives including Safety, Snyk for Python, GitHub’s Dependabot, and OWASP Dependency Check.


We wanted to build a tool that didn’t have any financial or licensing strings attached. Snyk and Safety are wonderful additions to the security ecosystem, but both require some level of paid subscription for their functionality.

They wanted pip-audit to eventually be integrated into ‘pip’ itself. Pip’s support guarantees, stringent dependency requirements, and CLI design would have made adapting an existing tool a serious undertaking.

The lack of a severity rating does make the verification step more involved, but this looks to be based on how [the Python Packaging Advisory Database] stores its results.
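The JSON output described above, and the fact that advisories arrive without a severity rating, mean that the useful work happens after the scan: deciding which findings block a build, which can be upgraded away, and which still need a human to look up the score. The script below is an added example, not code from the article or from the pip-audit project. It assumes the report shape I understand `pip-audit -f json` to produce (a top-level `dependencies` list whose entries carry `name`, `version` and a `vulns` list of `id`, `fix_versions`, `aliases` and `description`); check that against the pip-audit version you run. The report it parses is a constructed sample with placeholder package names and advisory IDs.

```python
"""Triage a pip-audit JSON report for a CI gate.

Added example; not part of the article or of pip-audit itself. The report
layout assumed here is my reading of `pip-audit -f json` output and should be
verified against the installed version of the tool.
"""
import json
import sys

# Constructed sample, as if produced by:
#   pip-audit -r requirements.txt --desc -f json
# Package names and advisory IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "examplelib", "version": "1.0.0", "vulns": [
            {"id": "PYSEC-EXAMPLE-0001", "fix_versions": ["1.0.1"],
             "aliases": ["CVE-EXAMPLE-0001"],
             "description": "Placeholder advisory with a released fix."}]},
        {"name": "otherlib", "version": "2.3.0", "vulns": [
            {"id": "PYSEC-EXAMPLE-0002", "fix_versions": [],
             "aliases": [],
             "description": "Placeholder advisory with no fixed release yet."}]},
        {"name": "cleanlib", "version": "0.9.0", "vulns": []},
    ],
    "fixes": [],
})


def findings(report_json):
    """Flatten the report into one record per (package, advisory) pair."""
    report = json.loads(report_json)
    out = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            out.append({
                "package": dep["name"],
                "installed": dep["version"],
                "id": vuln["id"],
                "aliases": list(vuln.get("aliases", [])),
                "fix_versions": list(vuln.get("fix_versions", [])),
                "description": vuln.get("description", ""),
            })
    return out


def triage(report_json, ignore_ids=()):
    """Bucket findings: fixable (upgrade exists), unfixable, or explicitly ignored.

    An ignore list may name either the PYSEC id or any alias (e.g. a CVE id),
    so a waiver written against NVD still matches the PyPA advisory.
    """
    buckets = {"fixable": [], "unfixable": [], "ignored": []}
    waived = set(ignore_ids)
    for f in findings(report_json):
        if ({f["id"], *f["aliases"]} & waived):
            buckets["ignored"].append(f)
        elif f["fix_versions"]:
            buckets["fixable"].append(f)
        else:
            buckets["unfixable"].append(f)
    return buckets


def _vkey(version):
    # Dotted-integer ordering good enough for the sample; real code should
    # use packaging.version, which also understands pre-releases.
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def fix_plan(report_json, ignore_ids=()):
    """Lowest upgrade per package that clears every fixable finding on it."""
    plan = {}
    for f in triage(report_json, ignore_ids)["fixable"]:
        lowest_fix = min(f["fix_versions"], key=_vkey)
        current = plan.get(f["package"])
        # Several advisories on one package: take the highest of their minima.
        if current is None or _vkey(lowest_fix) > _vkey(current):
            plan[f["package"]] = lowest_fix
    return plan


def ci_exit_code(report_json, ignore_ids=(), fail_on_unfixable=False):
    """0 when nothing needs action, 1 when the build should stop."""
    b = triage(report_json, ignore_ids)
    if b["fixable"]:
        return 1
    if b["unfixable"] and fail_on_unfixable:
        return 1
    return 0


def summary_lines(report_json, ignore_ids=()):
    """Human-readable lines; aliases are listed so a reviewer can look up a score."""
    lines = []
    for bucket, items in triage(report_json, ignore_ids).items():
        for f in items:
            fix = ", ".join(f["fix_versions"]) or "none"
            ids = ", ".join([f["id"], *f["aliases"]])
            lines.append(f"[{bucket}] {f['package']} {f['installed']}: {ids} (fix: {fix})")
    return lines


if __name__ == "__main__":
    # Pipe a real report in (`pip-audit -f json | python triage.py`) or run on the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    print("\n".join(summary_lines(data)))
    sys.exit(ci_exit_code(data))
```

The split between fixable and unfixable matters because pip-audit only reports fixed versions where the advisory records one; a finding with no fix cannot be resolved by an upgrade, so the gate treats it as a reviewer decision (`fail_on_unfixable`) rather than silently passing or failing every build until upstream ships a release.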


The pip-audit project is one of many open source security initiatives being supported by Google. In recent months, for instance, Google has sponsored security reviews of eight open source projects and contributed to a NIST project focused on creating federal government guidelines for procuring secure software, among other examples.
