Skip to content

Commit bf64db8

Browse files
feat(skills): add python-pip-audit skill for dependency vulnerability scanning
1 parent 04ee024 commit bf64db8

2 files changed

Lines changed: 476 additions & 0 deletions

File tree

Lines changed: 242 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,242 @@
1+
---
2+
name: python-pip-audit
3+
description: This skill should be used when the user asks to "audit Python dependencies for vulnerabilities", "scan requirements.txt for CVEs", "set up pip-audit", "fix vulnerable Python packages", or needs guidance on Python dependency security scanning with pip-audit.
4+
---
5+
6+
# Python pip-audit Dependency Security Scanning
7+
8+
pip-audit scans Python environments and requirements files for packages with known vulnerabilities. It queries the Python Packaging Advisory Database via the PyPI JSON API and the OSV database, reporting CVEs, GHSA IDs, and fix versions.
9+
10+
## Installation
11+
12+
Install pip-audit into the project's virtual environment or as a standalone tool:
13+
14+
```bash
15+
# Into active virtual environment
16+
pip install pip-audit
17+
18+
# Isolated global install (preferred for CI)
19+
pipx install pip-audit
20+
21+
# Via conda
22+
conda install -c conda-forge pip-audit
23+
```
24+
25+
pip-audit requires Python 3.10 or newer.
26+
27+
## Core Usage
28+
29+
**Audit the current environment:**
30+
31+
```bash
32+
pip-audit
33+
```
34+
35+
**Audit a requirements file:**
36+
37+
```bash
38+
pip-audit -r requirements.txt
39+
```
40+
41+
**Audit a local Python project (reads `pyproject.toml` or `pylock.*.toml`):**
42+
43+
```bash
44+
pip-audit .
45+
```
46+
47+
**Audit lock files only:**
48+
49+
```bash
50+
pip-audit --locked .
51+
```
52+
53+
**Exclude system packages (useful inside virtual environments):**
54+
55+
```bash
56+
pip-audit -r requirements.txt -l
57+
```
58+
59+
## Vulnerability Services
60+
61+
pip-audit supports two vulnerability data sources:
62+
63+
| Service | Flag | Default |
64+
|---|---|---|
65+
| PyPI JSON API | `-s pypi` | Yes |
66+
| OSV (Open Source Vulnerabilities) | `-s osv` | No |
67+
68+
Use OSV for broader advisory coverage across multiple ecosystems:
69+
70+
```bash
71+
pip-audit -r requirements.txt -s osv
72+
```
73+
74+
Switch the OSV API endpoint (e.g., for self-hosted instances):
75+
76+
```bash
77+
pip-audit -r requirements.txt -s osv --osv-url https://api.osv.dev/v1/query
78+
```
79+
80+
## Output Formats
81+
82+
```bash
83+
pip-audit -f columns # Default columnar output
84+
pip-audit -f json # Machine-readable JSON
85+
pip-audit -f markdown # Markdown table
86+
pip-audit -f cyclonedx-json # CycloneDX SBOM (JSON)
87+
pip-audit -f cyclonedx-xml # CycloneDX SBOM (XML)
88+
```
89+
90+
Save output to a file:
91+
92+
```bash
93+
pip-audit -f json -o audit-report.json
94+
```
95+
96+
Include vulnerability descriptions and alias IDs (CVE/GHSA) in output:
97+
98+
```bash
99+
pip-audit --desc --aliases
100+
```
101+
102+
For JSON format, descriptions and aliases are included automatically.
103+
104+
## Automatic Fix
105+
106+
Upgrade vulnerable packages automatically:
107+
108+
```bash
109+
pip-audit --fix
110+
```
111+
112+
Preview what would be upgraded without applying changes:
113+
114+
```bash
115+
pip-audit --fix --dry-run
116+
```
117+
118+
Dry run without the `--fix` flag reports how many dependencies *would* be audited:
119+
120+
```bash
121+
pip-audit --dry-run
122+
```
123+
124+
## Ignoring Specific Vulnerabilities
125+
126+
Suppress known false positives or accepted risks using the vulnerability ID, CVE, or GHSA alias:
127+
128+
```bash
129+
# Ignore by PYSEC ID
130+
pip-audit --ignore-vuln PYSEC-2021-666
131+
132+
# Ignore by CVE
133+
pip-audit --ignore-vuln CVE-2019-1010083
134+
135+
# Ignore by GHSA
136+
pip-audit --ignore-vuln GHSA-w596-4wvx-j9j6
137+
138+
# Ignore multiple
139+
pip-audit --ignore-vuln CVE-XXX-YYYY --ignore-vuln GHSA-abc-def-ghij
140+
```
141+
142+
Document every suppressed ID in a comment or issue tracker entry explaining why it is not applicable.
143+
144+
## Performance: Skipping Dependency Resolution
145+
146+
pip-audit performs its own dependency resolution by default, which can be slow. Skip resolution when inputs are already fully pinned:
147+
148+
**Pinned without hashes (faster):**
149+
150+
```bash
151+
pip-audit --no-deps -r requirements.txt
152+
```
153+
154+
**Pinned with hashes (fastest, most secure):**
155+
156+
```bash
157+
pip-audit --require-hashes -r requirements.txt
158+
```
159+
160+
`--require-hashes` is equivalent to pip's hash-checking mode. It fails if any package is missing a hash, providing additional supply-chain integrity.
161+
162+
**Audit a pre-installed environment directly (no resolution needed):**
163+
164+
```bash
165+
pip-audit
166+
pip-audit --local # only local packages, skip globally installed
167+
```
168+
169+
## Exit Codes
170+
171+
| Code | Meaning |
172+
|---|---|
173+
| `0` | No known vulnerabilities found |
174+
| `1` | One or more vulnerabilities found |
175+
176+
Exit codes cannot be suppressed internally. Use shell idioms when needed:
177+
178+
```bash
179+
# Continue even if vulnerabilities found
180+
pip-audit || true
181+
182+
# Capture for custom handling
183+
pip-audit
184+
exitcode="${?}"
185+
```
186+
187+
## Environment Variables
188+
189+
Configure pip-audit without flags for CI pipelines:
190+
191+
| Variable | Equivalent flag | Example value |
192+
|---|---|---|
193+
| `PIP_AUDIT_FORMAT` | `--format` | json |
194+
| `PIP_AUDIT_VULNERABILITY_SERVICE` | `--vulnerability-service` | osv |
195+
| `PIP_AUDIT_DESC` | `--desc` | off |
196+
| `PIP_AUDIT_PROGRESS_SPINNER` | `--progress-spinner` | off |
197+
| `PIP_AUDIT_OUTPUT` | `--output` | audit-report.json |
198+
199+
## Reporting Only Fixable Vulnerabilities
200+
201+
Filter to only fail when vulnerabilities have known fix versions using `jq`:
202+
203+
```bash
204+
test -z "$(pip-audit -r requirements.txt --format=json 2>/dev/null \
205+
| jq '.dependencies[].vulns[].fix_versions[]')"
206+
```
207+
208+
This exits non-zero only when at least one fixable vulnerability exists.
209+
210+
## pipenv Projects
211+
212+
Convert `Pipfile.lock` to a requirements format and pipe directly:
213+
214+
```bash
215+
pipenv run pip-audit -r <(pipenv requirements)
216+
```
217+
218+
## Private Package Indices
219+
220+
Use `--index-url` and `--extra-index-url` to point at internal registries:
221+
222+
```bash
223+
pip-audit -r requirements.txt \
224+
--index-url https://pypi.example.com/simple/ \
225+
--extra-index-url https://pypi.org/simple/
226+
```
227+
228+
Interactive authentication is not supported. Use keyring via the subprocess provider or set credentials in the URL or environment.
229+
230+
## Security Model
231+
232+
pip-audit detects *known* vulnerabilities in *direct and transitive* Python dependencies. It does not:
233+
234+
- Perform static code analysis
235+
- Detect vulnerabilities in native shared libraries linked by Python packages
236+
- Protect against malicious packages not yet in any advisory database
237+
238+
Treat `pip-audit -r INPUT` as equivalent to `pip install -r INPUT` — it resolves and downloads packages. Only audit inputs from trusted sources.
239+
240+
## Additional Resources
241+
242+
- **`references/ci-integration.md`** — GitHub Actions workflow, pre-commit hook, and baseline automation patterns

0 commit comments

Comments
 (0)