
[Feature Request] Add uv audit Command for Security Vulnerability Scanning #9189

Open
31z4 opened this issue Nov 18, 2024 · 3 comments

Comments

@31z4

31z4 commented Nov 18, 2024

Problem

Currently, there's no integrated way to audit dependencies defined in pyproject.toml and uv.lock against known security vulnerabilities in the Python Packaging Advisory Database. This creates security risks and workflow inefficiencies:

  • Dependencies across different groups cannot be audited in a single operation
  • Current solutions require additional tools and complex workflows
  • Cross-platform compatibility issues with existing solutions
  • Risk of auditing outdated or incorrect dependency sets

Proposed Solution

Implement a native uv audit command that would:

  1. Read dependencies from both pyproject.toml and uv.lock
  2. Check all locked dependencies (including all dependency groups) against the Python Packaging Advisory Database
  3. Generate a security report highlighting:
    • Identified vulnerabilities
    • Affected versions
    • Available fixes

Example usage:

# Audit all dependencies
uv audit

# Audit specific dependency groups
uv audit --group dev,test

# Output in different formats
uv audit --format json

Benefits

  • Improved Security: Integrated security scanning as part of the uv toolchain
  • Better Performance: Native implementation could offer significant speed improvements (assuming that querying the Python Packaging Advisory Database isn't a bottleneck)
  • Cross-Platform: Works consistently across all supported platforms
  • Comprehensive Coverage:
    • Seamless support for dependency groups
    • Covers all project dependencies, not just installed packages
    • Ensures audit matches locked dependencies exactly
  • Simplified Workflow:
    • No additional tools required
    • Single command for complete package security audit
    • Native integration with uv's dependency management

Alternatives Considered

1. Using pip-audit

2. Extending pip-audit for uv.lock support

  • Pros:
    • Leverages existing tool
    • Community familiarity
  • Cons:
    • Loses uv's performance benefits
    • Additional dependency requirement remains
    • More complex integration

3. Local environment scanning with pip-audit

  • Approach: Running pip-audit -l against installed packages
  • Issues:
    • Environment may not match declarations
    • Limited dependency group coverage
    • Platform-specific behavior

4. Requirements.txt generation and scanning with pip-audit

  • Approach: Convert uv.lock to requirements.txt format for scanning
  • Issues:
    • Additional synchronization overhead
    • Platform compatibility issues
    • Complex workflow

Additional Context

Next Steps

  1. Gather community feedback on the proposed approach
  2. Discuss implementation details if approved
  3. Define specific behavior for edge cases
  4. Determine output format standards

💡 Please share your thoughts on this proposal, particularly regarding:

  • Preferred output formats
  • Specific use cases to consider
@woodruffw

For prior art: take a look at pip-audit, which currently interoperates with pip and the other PyPA tooling.

Based on our experience with that tool, some scattered thoughts:

  • Avoid security fatigue: all developers are susceptible to security fatigue, and auditing tools in particular eat into the "fatigue budget" more than most other tools. We try to minimize fatigue in pip-audit by making it an independent flow, i.e. not spitting out warnings or errors on every pip install, since we think users are more likely to just ignore security advisories if we force them in their faces.
  • Be aware of quality issues: the PyPA advisory database is curated, but low-quality submissions and vulnerability spam/reputation-seeking chum can still make their way in. Having a system by which end users can ignore obviously bogus or irrelevant reports is a good day 1 feature to have 🙂
  • Be aware of current fidelity gaps in Python advisory reporting: Python package advisories currently operate at the (name, version) scope, but many vulnerabilities are more specific than that: they either apply only to binary builds (wheels) of packages, or only to specific API surfaces, etc. There's a long-term plan to increase the fidelity in reports (e.g. to expose which files within a release are vulnerable, or which API surfaces are vulnerable), but it's worth noting that the current level of fidelity will cause false positives.

@saada

saada commented Nov 21, 2024

In the meantime, this seems to work fairly well

uvx pip-audit -r requirements.txt --fix

@strayer

strayer commented Jan 16, 2025

I had some issues with pip-audit trying to install pip (subprocess.CalledProcessError: Command '['/var/folders/n9/kcz03p6n2pb5xchxn1ywm4640000gn/T/tmp74_otz01/bin/python3.11', '-m', 'ensurepip', '--upgrade', '--default-pip']' died with <Signals.SIGABRT: 6>), so this is what I'm doing for now:

uv export --format requirements-txt > requirements.txt && uvx pip-audit -r requirements.txt --disable-pip && rm requirements.txt

Seems to work very well too.
