pip-audit: scanning Python environments for packages with known vulnerabilities
pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database via the PyPI JSON API as a source of vulnerability reports.
This project is developed by Trail of Bits with support from Google. This is not an official Google product.
- Support for auditing local environments and requirements-style files
- Support for multiple vulnerability services (PyPI, OSV)
- Support for emitting SBOMs in CycloneDX XML or JSON
- Human and machine-readable output formats (columnar, JSON)
- Seamlessly reuses your existing local pip caches
This section exists to describe the security assumptions you can and must not make when using pip-audit.
TL;DR: If you wouldn’t pip-audit it, you should not pip audit it.
pip-audit is a tool for auditing Python environments for packages with known vulnerabilities. A “known vulnerability” is a publicly reported flaw in a package that, if uncorrected, might allow a malicious actor to perform unintended actions.
pip-audit can protect you against known vulnerabilities by telling you when you have them, and how you should upgrade them. For example, if you have somepackage==1.2.3 in your environment, pip-audit can tell you that it needs to be upgraded to 1.2.4.
You can assume that pip-audit will make the best effort to fully resolve all of your Python dependencies and either fully audit each or explicitly state which ones it has skipped, as well as why it has skipped them.
pip-audit is not a static code analyzer. It analyzes dependency trees, not code, and it cannot guarantee that arbitrary dependency resolutions occur statically. To understand why this is, refer to Dustin Ingram’s excellent post on dependency resolution in Python.
As such: you must not assume that pip-audit will defend you against malicious packages. In particular, it is incorrect to treat pip-audit -r INPUT as a “more secure” variant of pip-audit. For all intents and purposes, pip-audit -r INPUT is functionally equivalent to pip install -r INPUT, with a small amount of non-security isolation to avoid conflicts with any of your local environments.
pip-audit requires Python 3.6 or newer, and can be installed directly via pip:
python -m pip install pip-audit
Copyright (C) 2021 trailofbits