Safety: Comprehensive Python Dependency Vulnerability Scanner

Safety: Comprehensive Python Dependency Vulnerability Scanner

In the realm of Python development, ensuring the security of your dependencies is paramount. With thousands of packages available on PyPI, it’s challenging to keep track of vulnerabilities and malicious code. Safety CLI emerges as a comprehensive solution, offering advanced scanning capabilities for Python dependencies, including vulnerability detection, malicious package identification, and license compliance checking.

What is Safety CLI?

Safety CLI is a powerful command-line tool designed to enhance software supply chain security for Python applications. Developed by pyup.io, Safety leverages the most comprehensive vulnerability database available, detecting not only known vulnerabilities but also potentially malicious packages that could compromise your application.

Unlike basic scanners, Safety provides actionable remediation guidance and can automatically update vulnerable dependencies based on your project’s security policies.

When to Use Safety

Safety should be integrated at multiple points in your development lifecycle:

• Development Phase: Regular scans during coding to catch issues early
• CI/CD Pipelines: Automated scanning before builds and deployments
• Dependency Updates: Verification after installing or updating packages
• Security Audits: Comprehensive assessments for compliance requirements
• Production Monitoring: Ongoing monitoring of deployed applications
• Open Source Projects: Ensuring community-contributed code is secure

How to Use Safety

Installation and Setup

Safety requires Python 3.9 or newer. Install it via pip:

pip install safety

For the first run, Safety will prompt you to create an account or log in. You can also authenticate manually:

safety auth

Basic Scanning

Scanning Current Directory

The simplest way to scan your project:

safety scan

This command analyzes all Python files in the current directory, identifies dependencies, and checks them against Safety’s comprehensive database.

Scanning Specific Files

Target specific requirements or dependency files:

safety scan --file requirements.txt safety scan --file pyproject.toml safety scan --file Pipfile.lock

System-Wide Scanning

For comprehensive security assessments:

safety system-scan

This scans all installed packages across your entire development environment.

Advanced Usage

Applying Automatic Fixes

Safety can automatically update vulnerable dependencies:

safety scan --apply-fixes

This will upgrade packages to secure versions based on your policy settings.

License Scanning

Check for license compliance issues:

safety scan --check-licenses

Output Formats

Safety supports multiple output formats for different use cases:

# Default terminal output safety scan # JSON for automation safety scan --output json # HTML reports safety scan --output html # SBOM (Software Bill of Materials) safety scan --output cyclonedx

Policy-Based Scanning

Configure scanning policies for your organization:

safety scan --policy-file .safety-policy.yml

Example policy file:

version: "1.0" ignore: - "PYSEC-1234-5678" # Known false positive license: allowed: - "MIT" - "Apache-2.0" denied: - "GPL-3.0"

Examples

Example 1: Basic Project Scan

$ safety scan Scanning dependencies... Found 1 vulnerable package Package: requests Version: 2.25.0 Vulnerability: CVE-2021-33503 Severity: High Remediation: Upgrade to version 2.25.1 or later

Example 2: License Compliance Check

$ safety scan --check-licenses Scanning licenses... Found 1 license violation Package: some-package License: GPL-3.0 Status: Denied Reason: GPL-3.0 is not in allowed licenses list

Example 3: CI/CD Integration

GitHub Actions workflow:

name: Security Scan on: [push, pull_request] jobs: security: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: python-version: "3.11" - name: Install Safety run: pip install safety - name: Run Safety Scan run: safety scan - name: Run License Check run: safety scan --check-licenses

Example 4: System-Wide Scan with Fixes

$ safety system-scan --apply-fixes --dry-run Scanning system packages... Found 3 vulnerable packages Would upgrade: - requests: 2.25.0 -> 2.28.1 - urllib3: 1.26.0 -> 1.26.12 - cryptography: 3.4.0 -> 3.4.8 Run without --dry-run to apply fixes

What Safety Helps Mitigate

Safety addresses multiple security and compliance concerns:

1. Known Vulnerabilities

• CVEs and Security Advisories: Tracks all reported vulnerabilities in Python packages
• Zero-Day Vulnerabilities: Monitors for newly discovered issues
• Supply Chain Attacks: Detects compromised packages in the ecosystem

2. Malicious Packages

• Typosquatting Attacks: Identifies packages with similar names to legitimate ones
• Dependency Confusion: Prevents attacks where malicious packages mimic internal names
• Malware Injection: Detects packages containing malicious code

3. License Compliance

• Open Source License Violations: Ensures compliance with organizational license policies
• Copyleft Restrictions: Identifies GPL and other restrictive licenses
• Commercial Use Restrictions: Flags packages unsuitable for commercial applications

4. Outdated Dependencies

• End-of-Life Packages: Warns about packages no longer receiving security updates
• Deprecated Versions: Identifies versions with known issues
• Security Patches: Ensures latest security fixes are applied

5. Supply Chain Security

• Third-Party Risk: Comprehensive assessment of all dependencies
• Transitive Dependencies: Scans nested dependencies for vulnerabilities
• Package Integrity: Verifies package authenticity and integrity

Integration with Government Cybersecurity Frameworks

Safety CLI aligns closely with the Australian Government’s Cybersecurity Assessment Framework (CAF), particularly in the areas of vulnerability management and supply chain security.

CAF Strategy 1: Patch Applications

Safety’s automatic fixing capabilities directly support rapid patching of vulnerable applications and dependencies.

CAF Strategy 2: Patch Operating Systems

While focused on applications, Safety contributes to overall system security by ensuring Python components are patched.

CAF Strategy 3: Multi-Factor Authentication

Supports secure authentication for accessing Safety’s services and databases.

CAF Strategy 4: Daily Backups

Ensures that backed-up systems contain only secure, audited code.

CAF Essential Eight Alignment

Safety supports multiple Essential Eight strategies:

• E1: Application Whitelisting: Ensures only approved, secure packages are used
• E2: Patching Applications: Direct support for automated vulnerability patching
• E3: Restrict Administrative Privileges: Prevents privilege escalation through vulnerable code
• E4: Multi-Factor Authentication: Secure access to Safety services
• E8: Daily Backups: Guarantees backups are of secure systems

Additional CAF Benefits

• Risk Management: Provides quantitative vulnerability assessments
• Compliance Reporting: Generates reports for regulatory compliance
• Incident Response: Rapid identification and remediation of security issues
• Continuous Monitoring: Ongoing security posture assessment

Best Practices

1. Regular Scanning Schedule

• Daily: Automated scans in CI/CD pipelines
• Weekly: Manual reviews of scan results
• Monthly: Comprehensive system-wide assessments
• Pre-Release: Mandatory scans before deployments

2. Policy Management

• Define clear license and vulnerability policies
• Regularly update policies based on organizational changes
• Document exceptions and rationales

3. Integration Strategies

• Combine with other security tools (Bandit, Semgrep, pip-audit)
• Integrate with IDEs and development workflows
• Set up automated alerts for critical vulnerabilities

4. Environment-Specific Configurations

• Different policies for development, staging, and production
• Environment-specific allowed licenses
• Customized severity thresholds

5. Reporting and Compliance

• Generate regular security reports
• Maintain audit trails of security assessments
• Use SBOM outputs for compliance documentation

Troubleshooting

Common Issues and Solutions

Authentication Problems:

safety auth login # Follow prompts to authenticate

False Positives:

# In .safety-policy.yml ignore: - "VULN-ID"

License Conflicts:

# Update policy file license: allowed: - "MIT" - "BSD-3-Clause"

Performance Issues:

• Use --cache to speed up repeated scans
• Limit scan scope with --target parameter
• Run scans during off-peak hours

Advanced Features

Custom Rules and Policies

Create organization-specific security rules:

version: "1.0" custom_rules: - name: "No-dev-dependencies-in-prod" condition: "environment == 'production' and package in dev_dependencies" action: "block"

Integration with SIEM Systems

Export scan results to security information and event management systems:

safety scan --output json --output-file scan_results.json # Send to SIEM via API

Automated Remediation Workflows

Combine with other tools for complete automation:

# Scan and fix in one command safety scan --apply-fixes --confirm # Generate remediation report safety scan --output html --report-file security_report.html

Conclusion

Safety CLI represents a significant advancement in Python dependency security. Its comprehensive vulnerability database, malicious package detection, and license compliance features make it an essential tool for organizations serious about software supply chain security.

By integrating Safety into your development workflow, you not only protect against known vulnerabilities but also establish robust processes for ongoing security monitoring and compliance. When combined with frameworks like the Australian Government’s CAF, Safety helps organizations achieve and maintain a strong cybersecurity posture.

Start using Safety today to transform your approach to Python dependency security and build more resilient applications.