safety v2.4.0b1 releases: checks your installed dependencies for known security vulnerabilities
Safety is a command-line tool. Use it to check your local virtual environment, your requirement files, or any input from stdin for dependencies with security issues.
If you are using something insecure, you’ll get a report on what exactly is affected.
See what is vulnerable
Safety CI integrates with your GitHub account, just like tests do. You’ll get a status on every pull request and on each and every commit – across all your branches.
See what exactly is wrong
If you are using a dependency with a known security vulnerability, checks on GitHub will fail and you’ll get a link to a page with details about the vulnerability. This allows you to check if you are affected and gives you all the details straight from the source.
Changelog v2.4.0beta1
- Added support for comma-separated ignore values (--ignore=123,456) on top of the existing --ignore=123 --ignore=456 form.
- Added support for requirements per package. Safety can check, report, suggest, and apply remediations for unpinned requirements.
- Added support for unpinned requirements in the Safety GitHub action. This feature doesn’t support old-version reports.
- Added support for HTML5 output and the ability to save the report as an HTML5 file.
- Started to use schema 2.0 of the PyUp vulnerability database.
- Fixed the packaging dependency issue caused by the deprecation of its LegacyVersion class.
- Narrowed down the allowed versions in the Safety dependencies.
- Added local announcements.
- This version changes the JSON report. These are not breaking changes, but they may require adjustment if you are ingesting the JSON report.
- Added ability to ignore unpinned requirements.
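The three changelog items about ignore lists and unpinned requirements describe behaviour that is easy to misread without seeing the matching logic. The following is an added, stand-alone example (not Safety's own code) that mirrors what a dependency check of this kind does offline: it accepts both the comma-separated and the repeated --ignore forms, matches pinned versions against advisory version specs, and reports unpinned requirements separately because their installed version is not known. The vulnerability database, package names and advisory ids are constructed for the example; the dictionary shape is an assumption and is not Safety DB's actual schema, and version comparison is a simplified dotted-integer compare rather than PEP 440.

```python
"""Toy offline vulnerability check in the spirit of `safety check` (added example)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Advisory = Dict[str, object]

# Constructed sample database: package -> advisories with the version ranges that
# are affected. Names, ids and ranges are made up for this example (assumption:
# this shape is only loosely modelled on a package-to-advisory mapping).
SAMPLE_DB: Dict[str, List[Advisory]] = {
    "examplelib": [
        {"id": "EXAMPLE-0001", "specs": ["<1.4.0"], "advisory": "constructed: fixed in 1.4.0"},
        {"id": "EXAMPLE-0002", "specs": [">=2.0.0,<2.0.3"], "advisory": "constructed: fixed in 2.0.3"},
    ],
    "otherlib": [
        {"id": "EXAMPLE-0003", "specs": ["<0.9"], "advisory": "constructed: fixed in 0.9"},
    ],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Simplified dotted-integer version ("1.4.0rc1" -> (1, 4, 0)); not full PEP 440."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples after zero-padding to equal length."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0,
    ">=": lambda c: c >= 0, "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def spec_matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"(<=|>=|==|!=|<|>)\s*(.+)$", clause.strip())
        if not m:
            raise ValueError(f"unsupported spec clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](_cmp(v, parse_version(bound))):
            return False
    return True


def parse_ignore(values: Iterable[str]) -> set:
    """Accept both --ignore=123,456 and repeated --ignore=123 --ignore=456 values."""
    ignored = set()
    for value in values:
        for item in value.split(","):
            if item.strip():
                ignored.add(item.strip())
    return ignored


def parse_requirement(line: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (name, pinned_version). Version is None when the requirement is unpinned."""
    line = line.split("#", 1)[0].strip()  # drop comments and blank lines
    if not line:
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", line)
    if not m:
        return None
    name, rest = m.group(1).lower(), m.group(2)
    pin = re.fullmatch(r"==\s*([0-9][^\s,;]*)", rest)  # only an exact '==' pin counts
    return name, (pin.group(1) if pin else None)


def check(requirements: Iterable[str], db: Dict[str, List[Advisory]] = SAMPLE_DB,
          ignore: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Report advisories that apply to pinned versions; flag unpinned requirements."""
    ignored = parse_ignore(ignore)
    findings = []
    for line in requirements:
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, version = parsed
        for adv in db.get(name, []):
            if adv["id"] in ignored:
                continue
            specs = ", ".join(adv["specs"])
            if version is None:
                # Installed version unknown: report that an advisory *could* apply.
                findings.append({"package": name, "version": "unpinned", "id": adv["id"],
                                 "status": "unpinned", "specs": specs})
            elif any(spec_matches(version, s) for s in adv["specs"]):
                findings.append({"package": name, "version": version, "id": adv["id"],
                                 "status": "vulnerable", "specs": specs})
    return findings


if __name__ == "__main__":
    for f in check(["examplelib==1.3.2", "otherlib==1.0.0  # fine", "examplelib>=1.0"]):
        print(f"{f['status']:<10} {f['package']}=={f['version']}  {f['id']}  affected: {f['specs']}")
```

The distinction between the two statuses is the practical point: an unpinned requirement cannot be declared safe or vulnerable from the file alone, so it is reported as unresolved rather than silently passing, and the same ignore set applies to either form.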
Installation
pip install safety
Use
By default, it uses the open Python vulnerability database Safety DB, but it can be upgraded to use pyup.io's Safety API with the --key option.
To check your currently selected virtual environment for dependencies with known security vulnerabilities, run:
safety check
You should get a report similar to this:
Copyright (c) 2016, pyup.io
Source: https://github.com/pyupio/