|
| 1 | +--- |
| 2 | +name: python-pip-audit |
| 3 | +description: This skill should be used when the user asks to "audit Python dependencies for vulnerabilities", "scan requirements.txt for CVEs", "set up pip-audit", "fix vulnerable Python packages", or needs guidance on Python dependency security scanning with pip-audit. |
| 4 | +--- |
| 5 | + |
| 6 | +# Python pip-audit Dependency Security Scanning |
| 7 | + |
| 8 | +pip-audit scans Python environments and requirements files for packages with known vulnerabilities. It queries the Python Packaging Advisory Database via the PyPI JSON API and the OSV database, reporting CVEs, GHSA IDs, and fix versions. |
| 9 | + |
| 10 | +## Installation |
| 11 | + |
| 12 | +Install pip-audit into the project's virtual environment or as a standalone tool: |
| 13 | + |
| 14 | +```bash |
| 15 | +# Into active virtual environment |
| 16 | +pip install pip-audit |
| 17 | + |
| 18 | +# Isolated global install (preferred for CI) |
| 19 | +pipx install pip-audit |
| 20 | + |
| 21 | +# Via conda |
| 22 | +conda install -c conda-forge pip-audit |
| 23 | +``` |
| 24 | + |
| 25 | +pip-audit requires Python 3.10 or newer. |
| 26 | + |
| 27 | +## Core Usage |
| 28 | + |
| 29 | +**Audit the current environment:** |
| 30 | + |
| 31 | +```bash |
| 32 | +pip-audit |
| 33 | +``` |
| 34 | + |
| 35 | +**Audit a requirements file:** |
| 36 | + |
| 37 | +```bash |
| 38 | +pip-audit -r requirements.txt |
| 39 | +``` |
| 40 | + |
| 41 | +**Audit a local Python project (reads `pyproject.toml` or `pylock.*.toml`):** |
| 42 | + |
| 43 | +```bash |
| 44 | +pip-audit . |
| 45 | +``` |
| 46 | + |
| 47 | +**Audit lock files only:** |
| 48 | + |
| 49 | +```bash |
| 50 | +pip-audit --locked . |
| 51 | +``` |
| 52 | + |
| 53 | +**Exclude system packages (useful inside virtual environments):** |
| 54 | + |
| 55 | +```bash |
| 56 | +pip-audit -r requirements.txt -l |
| 57 | +``` |
| 58 | + |
| 59 | +## Vulnerability Services |
| 60 | + |
| 61 | +pip-audit supports two vulnerability data sources: |
| 62 | + |
| 63 | +| Service | Flag | Default | |
| 64 | +|---|---|---| |
| 65 | +| PyPI JSON API | `-s pypi` | Yes | |
| 66 | +| OSV (Open Source Vulnerabilities) | `-s osv` | No | |
| 67 | + |
| 68 | +Use OSV for broader advisory coverage across multiple ecosystems: |
| 69 | + |
| 70 | +```bash |
| 71 | +pip-audit -r requirements.txt -s osv |
| 72 | +``` |
| 73 | + |
| 74 | +Switch the OSV API endpoint (e.g., for self-hosted instances): |
| 75 | + |
| 76 | +```bash |
| 77 | +pip-audit -r requirements.txt -s osv --osv-url https://api.osv.dev/v1/query |
| 78 | +``` |
| 79 | + |
| 80 | +## Output Formats |
| 81 | + |
| 82 | +```bash |
| 83 | +pip-audit -f columns # Default columnar output |
| 84 | +pip-audit -f json # Machine-readable JSON |
| 85 | +pip-audit -f markdown # Markdown table |
| 86 | +pip-audit -f cyclonedx-json # CycloneDX SBOM (JSON) |
| 87 | +pip-audit -f cyclonedx-xml # CycloneDX SBOM (XML) |
| 88 | +``` |
| 89 | + |
| 90 | +Save output to a file: |
| 91 | + |
| 92 | +```bash |
| 93 | +pip-audit -f json -o audit-report.json |
| 94 | +``` |
| 95 | + |
| 96 | +Include vulnerability descriptions and alias IDs (CVE/GHSA) in output: |
| 97 | + |
| 98 | +```bash |
| 99 | +pip-audit --desc --aliases |
| 100 | +``` |
| 101 | + |
| 102 | +For JSON format, descriptions and aliases are included automatically. |
| 103 | + |
| 104 | +## Automatic Fix |
| 105 | + |
| 106 | +Upgrade vulnerable packages automatically: |
| 107 | + |
| 108 | +```bash |
| 109 | +pip-audit --fix |
| 110 | +``` |
| 111 | + |
| 112 | +Preview what would be upgraded without applying changes: |
| 113 | + |
| 114 | +```bash |
| 115 | +pip-audit --fix --dry-run |
| 116 | +``` |
| 117 | + |
| 118 | +Dry run without the `--fix` flag reports how many dependencies *would* be audited: |
| 119 | + |
| 120 | +```bash |
| 121 | +pip-audit --dry-run |
| 122 | +``` |
| 123 | + |
| 124 | +## Ignoring Specific Vulnerabilities |
| 125 | + |
| 126 | +Suppress known false positives or accepted risks using the vulnerability ID, CVE, or GHSA alias: |
| 127 | + |
| 128 | +```bash |
| 129 | +# Ignore by PYSEC ID |
| 130 | +pip-audit --ignore-vuln PYSEC-2021-666 |
| 131 | + |
| 132 | +# Ignore by CVE |
| 133 | +pip-audit --ignore-vuln CVE-2019-1010083 |
| 134 | + |
| 135 | +# Ignore by GHSA |
| 136 | +pip-audit --ignore-vuln GHSA-w596-4wvx-j9j6 |
| 137 | + |
| 138 | +# Ignore multiple |
| 139 | +pip-audit --ignore-vuln CVE-XXX-YYYY --ignore-vuln GHSA-abc-def-ghij |
| 140 | +``` |
| 141 | + |
| 142 | +Document every suppressed ID in a comment or issue tracker entry explaining why it is not applicable. |
| 143 | + |
| 144 | +## Performance: Skipping Dependency Resolution |
| 145 | + |
| 146 | +pip-audit performs its own dependency resolution by default, which can be slow. Skip resolution when inputs are already fully pinned: |
| 147 | + |
| 148 | +**Pinned without hashes (faster):** |
| 149 | + |
| 150 | +```bash |
| 151 | +pip-audit --no-deps -r requirements.txt |
| 152 | +``` |
| 153 | + |
| 154 | +**Pinned with hashes (fastest, most secure):** |
| 155 | + |
| 156 | +```bash |
| 157 | +pip-audit --require-hashes -r requirements.txt |
| 158 | +``` |
| 159 | + |
| 160 | +`--require-hashes` is equivalent to pip's hash-checking mode. It fails if any package is missing a hash, providing additional supply-chain integrity. |
| 161 | + |
| 162 | +**Audit a pre-installed environment directly (no resolution needed):** |
| 163 | + |
| 164 | +```bash |
| 165 | +pip-audit |
| 166 | +pip-audit --local # only local packages, skip globally installed |
| 167 | +``` |
| 168 | + |
| 169 | +## Exit Codes |
| 170 | + |
| 171 | +| Code | Meaning | |
| 172 | +|---|---| |
| 173 | +| `0` | No known vulnerabilities found | |
| 174 | +| `1` | One or more vulnerabilities found | |
| 175 | + |
| 176 | +Exit codes cannot be suppressed internally. Use shell idioms when needed: |
| 177 | + |
| 178 | +```bash |
| 179 | +# Continue even if vulnerabilities found |
| 180 | +pip-audit || true |
| 181 | + |
| 182 | +# Capture for custom handling |
| 183 | +pip-audit |
| 184 | +exitcode="${?}" |
| 185 | +``` |
| 186 | + |
| 187 | +## Environment Variables |
| 188 | + |
| 189 | +Configure pip-audit without flags for CI pipelines: |
| 190 | + |
| 191 | +| Variable | Equivalent flag | Example value | |
| 192 | +|---|---|---| |
| 193 | +| `PIP_AUDIT_FORMAT` | `--format` | json | |
| 194 | +| `PIP_AUDIT_VULNERABILITY_SERVICE` | `--vulnerability-service` | osv | |
| 195 | +| `PIP_AUDIT_DESC` | `--desc` | off | |
| 196 | +| `PIP_AUDIT_PROGRESS_SPINNER` | `--progress-spinner` | off | |
| 197 | +| `PIP_AUDIT_OUTPUT` | `--output` | audit-report.json | |
| 198 | + |
| 199 | +## Reporting Only Fixable Vulnerabilities |
| 200 | + |
| 201 | +Filter to only fail when vulnerabilities have known fix versions using `jq`: |
| 202 | + |
| 203 | +```bash |
| 204 | +test -z "$(pip-audit -r requirements.txt --format=json 2>/dev/null \ |
| 205 | + | jq '.dependencies[].vulns[].fix_versions[]')" |
| 206 | +``` |
| 207 | + |
| 208 | +This exits non-zero only when at least one fixable vulnerability exists. |
| 209 | + |
| 210 | +## pipenv Projects |
| 211 | + |
| 212 | +Convert `Pipfile.lock` to a requirements format and pipe directly: |
| 213 | + |
| 214 | +```bash |
| 215 | +pipenv run pip-audit -r <(pipenv requirements) |
| 216 | +``` |
| 217 | + |
| 218 | +## Private Package Indices |
| 219 | + |
| 220 | +Use `--index-url` and `--extra-index-url` to point at internal registries: |
| 221 | + |
| 222 | +```bash |
| 223 | +pip-audit -r requirements.txt \ |
| 224 | + --index-url https://pypi.example.com/simple/ \ |
| 225 | + --extra-index-url https://pypi.org/simple/ |
| 226 | +``` |
| 227 | + |
| 228 | +Interactive authentication is not supported. Use keyring via the subprocess provider or set credentials in the URL or environment. |
| 229 | + |
| 230 | +## Security Model |
| 231 | + |
| 232 | +pip-audit detects *known* vulnerabilities in *direct and transitive* Python dependencies. It does not: |
| 233 | + |
| 234 | +- Perform static code analysis |
| 235 | +- Detect vulnerabilities in native shared libraries linked by Python packages |
| 236 | +- Protect against malicious packages not yet in any advisory database |
| 237 | + |
| 238 | +Treat `pip-audit -r INPUT` as equivalent to `pip install -r INPUT` — it resolves and downloads packages. Only audit inputs from trusted sources. |
| 239 | + |
| 240 | +## Additional Resources |
| 241 | + |
| 242 | +- **`references/ci-integration.md`** — GitHub Actions workflow, pre-commit hook, and baseline automation patterns |
0 commit comments