© 2026 Open-Awesome. Curated for the developer elite.

pip-audit

License: Apache-2.0 · Language: Python · Version: v2.10.0

Audits Python environments, requirements files, and dependency trees for known security vulnerabilities and can automatically fix them.

1.3k stars · 93 forks · 0 contributors

What is pip-audit?

pip-audit is a command-line tool that scans Python environments and dependency files for packages with known security vulnerabilities. It checks against sources like the Python Packaging Advisory Database and OSV to identify risks and can automatically upgrade vulnerable packages to secure versions.

Target Audience

Python developers, DevOps engineers, and security teams who need to ensure their Python projects are free from known vulnerabilities in dependencies, especially in CI/CD pipelines or local development workflows.

Value Proposition

Developers choose pip-audit for its official support from the Python Packaging Authority (PyPA), seamless integration with existing pip workflows, ability to automatically fix issues, and support for multiple vulnerability feeds and output formats including SBOMs.

Overview

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them.

Use Cases

Best For

  • Auditing Python virtual environments for known security vulnerabilities
  • Scanning requirements.txt or pyproject.toml files in CI/CD pipelines
  • Automatically upgrading vulnerable dependencies in Python projects
  • Generating Software Bill of Materials (SBOM) in CycloneDX format
  • Integrating security checks into pre-commit hooks
  • Checking lock files (like pipenv or poetry) for vulnerabilities

Not Ideal For

  • Projects using private PyPI indices that require interactive authentication
  • Legacy systems stuck on Python versions older than 3.10
  • Teams needing real-time vulnerability scans without dependency resolution overhead
  • Developers seeking code-level security analysis beyond dependency checks

Pros & Cons

Pros

Official PyPA Backing

Maintained by the Python Packaging Authority with support from Google and Trail of Bits, ensuring reliability and ecosystem alignment, as noted in the README.

Automatic Vulnerability Fixing

The --fix flag can automatically upgrade vulnerable dependencies to secure versions, reducing manual remediation work, as demonstrated in the examples.

Flexible Output and Integration

Supports multiple output formats like JSON and CycloneDX SBOMs, and integrates with GitHub Actions and pre-commit hooks, as highlighted in the features.

Multiple Vulnerability Sources

Audits against PyPI's advisory database and the OSV API, providing comprehensive coverage, as specified in the usage options.

Cons

Slow Dependency Resolution

Audits can take as long as a pip install due to full dependency resolution, which is acknowledged in the troubleshooting section as a common issue.

Limited Authentication Support

Does not support interactive authentication for third-party indices, making it difficult to use with some private registries, as admitted in the troubleshooting.

Potential False Positives

Vulnerability reports may include irrelevant or spam entries, requiring manual filtering with --ignore-vuln, as warned in the troubleshooting examples.

Quick Stats

  • Stars: 1,273
  • Forks: 93
  • Contributors: 0
  • Open Issues: 59
  • Last commit: 9 days ago
  • Created: 2021

Tags

#sbom #vulnerability-management #security #devsecops #python #ci-cd #open-source-security #security-audit #pip #dependency-scanning

Built With

Python

Included in

Static Analysis & Code Quality (14.5k) · Auto-fetched 1 day ago

Related Projects

Gitleaks

Find secrets with Gitleaks 🔑

Stars: 26,391 · Forks: 2,010 · Last commit: 1 month ago

PHP Parser

A PHP parser written in PHP

Stars: 17,433 · Forks: 1,120 · Last commit: 2 months ago

TypeScript ESLint

:sparkles: Monorepo for all the tooling which enables ESLint to support TypeScript

Stars: 16,227 · Forks: 2,911 · Last commit: 1 day ago

pyright

Static Type Checker for Python

Stars: 15,399 · Forks: 1,781 · Last commit: 10 days ago