pip-audit: Scanning Python Dependencies for Known Vulnerabilities

pip-audit: Scanning Python Dependencies for Known Vulnerabilities

In today’s software development landscape, securing your application’s dependencies is crucial. Python developers often rely on numerous third-party packages, which can introduce security vulnerabilities. pip-audit is a powerful tool designed to scan Python environments for packages with known vulnerabilities, helping developers identify and mitigate potential security risks.

What is pip-audit?

pip-audit is a command-line tool that audits Python environments for packages with known vulnerabilities. It leverages vulnerability databases like the Python Packaging Advisory Database (PyPI) and the Open Source Vulnerability (OSV) database to identify packages that have reported security issues.

The tool was created by the Python Packaging Authority and is maintained as part of the PyPA ecosystem, ensuring it stays current with the latest security advisories.

When to Use pip-audit

pip-audit should be integrated into your development workflow at several key points:

• During Development: Regularly scan your local environment to catch vulnerabilities early
• Before Deployment: Include in your CI/CD pipeline to prevent deploying vulnerable code
• Dependency Updates: Run after updating packages to verify no new vulnerabilities were introduced
• Code Reviews: Use as part of security-focused code review processes
• Compliance Checks: For organizations requiring regular security assessments

How to Use pip-audit

Installation

pip-audit requires Python 3.9 or newer. Install it using pip:

python -m pip install pip-audit

For CI/CD environments, you can also use the official GitHub Action:

- uses: pypa/gh-action-pip-audit@v1.0.0 with: inputs: requirements.txt

Basic Usage

Scanning Your Environment

To scan all installed packages in your current Python environment:

pip-audit

This will check all packages in your environment against known vulnerability databases.

Scanning Requirements Files

For project-specific audits, scan requirements files:

pip-audit -r requirements.txt

You can specify multiple requirements files:

pip-audit -r requirements.txt -r requirements-dev.txt

Scanning Local Projects

To audit a local Python project:

pip-audit /path/to/your/project

Or from within the project directory:

pip-audit .

Scanning Lock Files

For more precise audits, use lock files:

pip-audit --locked .

This ensures you’re auditing the exact versions specified in your lock files.

Advanced Usage

Output Formats

pip-audit supports multiple output formats:

# Default columnar format pip-audit # JSON output for automation pip-audit -f json # Markdown format for documentation pip-audit -f markdown # CycloneDX SBOM format pip-audit -f cyclonedx-json

Including Descriptions and Aliases

Get more detailed information about vulnerabilities:

# Include vulnerability descriptions pip-audit --desc # Include CVE/GHSA aliases pip-audit --aliases

Filtering Results

Focus on specific issues or exclude certain vulnerabilities:

# Ignore specific vulnerabilities pip-audit --ignore-vuln PYSEC-2019-179 # Scan only local packages (exclude system packages) pip-audit --local

Automatic Fixes

pip-audit can automatically upgrade vulnerable packages:

pip-audit --fix

This will attempt to upgrade packages to secure versions. Use --dry-run to preview changes:

pip-audit --fix --dry-run

Examples

Example 1: Basic Environment Scan

$ pip-audit No known vulnerabilities found

Example 2: Scanning with Vulnerabilities Present

$ pip-audit Found 2 known vulnerabilities in 1 package Name Version ID Fix Versions ---- ------- -------------- ------------ Flask 0.5 PYSEC-2019-179 1.0 Flask 0.5 PYSEC-2018-66 0.12.3

Example 3: JSON Output for CI/CD

$ pip-audit -f json | jq . [ { "name": "flask", "version": "0.5", "vulns": [ { "id": "PYSEC-2019-179", "fix_versions": ["1.0"], "aliases": ["CVE-2019-1010083", "GHSA-5wv5-4vpf-pj6m"], "description": "The Pallets Project Flask before 1.0 is affected by unexpected memory usage..." } ] } ]

Example 4: CI/CD Integration

Here’s how to integrate pip-audit into a GitHub Actions workflow:

name: Security Audit on: [push, pull_request] jobs: audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: python-version: "3.11" - name: Install dependencies run: | python -m pip install --upgrade pip pip install -r requirements.txt - name: Run pip-audit run: pip-audit

What pip-audit Helps Mitigate

pip-audit helps protect against several types of security threats:

1. Known Vulnerabilities in Dependencies

• SQL Injection: Vulnerable versions of ORM libraries
• Remote Code Execution (RCE): Flaws allowing arbitrary code execution
• Cross-Site Scripting (XSS): Web framework vulnerabilities
• Denial of Service (DoS): Packages causing resource exhaustion

2. Supply Chain Attacks

• Dependency Confusion: Malicious packages with similar names
• Typosquatting: Packages with intentional typos to trick developers
• Malicious Package Injections: Compromised legitimate packages

3. Outdated Dependencies

• End-of-Life Packages: Dependencies no longer receiving security updates
• Unpatched Vulnerabilities: Known issues without available fixes

4. Compliance Requirements

• Regulatory Compliance: Meeting security standards for industries like finance and healthcare
• Audit Trails: Maintaining records of security assessments

Integration with Government Cybersecurity Frameworks

The Australian Government’s Cybersecurity Assessment Framework (CAF) emphasizes the importance of vulnerability management in protecting critical systems. pip-audit aligns with several CAF strategies:

CAF Strategy 1: Patch Applications

pip-audit’s automatic fixing capabilities help organizations quickly address known vulnerabilities, supporting rapid patching of applications.

CAF Strategy 2: Patch Operating Systems

While focused on applications, pip-audit contributes to overall system hardening by ensuring Python-based components are secure.

CAF Strategy 3: Multi-Factor Authentication

Not directly applicable, but contributes to overall security posture.

CAF Strategy 4: Daily Backups

Ensures backed-up systems don’t contain vulnerable code.

CAF Strategy 5: Restrict Administrative Privileges

Helps prevent privilege escalation through vulnerable dependencies.

CAF Essential Eight

pip-audit’s scanning capabilities support:

• E1: Application Whitelisting: Ensures only secure, audited applications run
• E2: Patching Applications: Direct support for vulnerability patching
• E8: Daily Backups: Ensures backups are of secure systems

Best Practices

1. Regular Scanning

• Integrate into CI/CD pipelines
• Run weekly scans for long-running projects
• Scan before major releases

2. Handle False Positives

• Use --ignore-vuln for known false positives
• Document ignored vulnerabilities with rationale
• Regularly review ignored vulnerabilities

3. Combine with Other Tools

• Use alongside Bandit for code-level security
• Combine with Safety for additional vulnerability sources
• Integrate with Semgrep for comprehensive security testing

4. Environment-Specific Scanning

• Scan different environments (dev, staging, prod)
• Use --local for virtual environments
• Consider system-wide scans for shared environments

5. Automation and Monitoring

• Set up alerts for new vulnerabilities
• Automate fix application where possible
• Monitor vulnerability trends over time

Troubleshooting

Common Issues

Permission Errors: Ensure you have write permissions for package upgrades.

Network Issues: pip-audit requires internet access to fetch vulnerability data. Use cached data when offline.

Large Environments: For large environments, use --progress-spinner off to reduce output noise.

Dependency Resolution: If dependency resolution fails, use --no-deps with pinned requirements.

Conclusion

pip-audit is an essential tool for Python developers concerned about security. By regularly scanning dependencies for known vulnerabilities, you can significantly reduce your application’s attack surface and protect against supply chain attacks.

Remember, pip-audit is most effective when integrated into your development workflow early and used consistently. Combined with other security tools and practices, it forms a crucial part of a comprehensive security strategy that aligns with frameworks like the Australian Government’s CAF.

Start using pip-audit today to secure your Python projects and stay ahead of emerging threats.