Auditing your python environment

Photo by John Salvino on Unsplash


The first one is safety. It is maintained by the pyup team, which uses its own custom safety database. It comes in two flavors:

  • An open source version that we can freely use. It is updated once a month.
  • A paid version that is updated frequently (more than once a month).


To install the package, type the following command in your terminal:

$ pip install safety
# or, with poetry, as a development dependency
$ poetry add -D safety

To run it in GitHub Actions, add a step like this to your workflow:

- uses: pyupio/safety@v1
  # if you subscribed to a paid plan, you can insert your key like the following snippet
  # it assumes that you have a secret called SAFETY_API_KEY defined under
  # Settings -> Secrets -> Actions in the GitHub repository admin.
  with:
    api-key: ${{ secrets.SAFETY_API_KEY }}


To test safety, we will install flask with version 0.5.

$ pip install flask==0.5
# or
$ poetry add flask==0.5

$ safety check
Safety v2.1.1 is scanning for Vulnerabilities...
Scanning dependencies in your environment:
-> /home/kevin/.cache/pypoetry/virtualenvs/orm-L9juRWWT-py3.8/lib/python3.8/site-packages
Using non-commercial database
Found and scanned 64 packages
Timestamp 2022-08-17 22:52:00
3 vulnerabilities found
0 vulnerabilities ignored
-> Vulnerability found in flask version 0.5
Vulnerability ID: 38654
Affected spec: <0.12.3
ADVISORY: Flask 0.12.3 includes a fix for CVE-2019-1010083: Unexpected memory usage. The impact is denial of service.
The attack vector is crafted encoded JSON data.
NOTE: this may overlap CVE-2018-1000656.
For more information, please visit
Scan was completed. 3 vulnerabilities were found.
3 vulnerabilities were found in 1 package. For detailed remediation & fix recommendations, upgrade to a commercial license.

Other useful invocations:

# print the full advisory text instead of the truncated summary
$ safety check --full-report
# print only the names of the vulnerable packages (handy for scripting)
$ safety check --bare
# check a requirements file instead of the current environment
$ safety check -r requirements.txt
# check a single requirement passed on stdin
$ echo "package-to-check==0.1" | safety check --stdin
# machine-readable output
$ safety check --output json


The second tool I want to introduce to you is pip-audit. It is maintained by Trail of Bits with some support from Google. It uses the PyPA Advisory Database, queried through the PyPI JSON API, as its source of vulnerability reports.


You can install it using pip or poetry like the following:

$ pip install pip-audit
# or
$ poetry add -D pip-audit

In GitHub Actions, there is a dedicated action:

- uses: trailofbits/gh-action-pip-audit@v0.0.4
  # if you use a requirements file, you can add the following
  with:
    inputs: requirements.txt

There is also a pre-commit hook; add it to your .pre-commit-config.yaml:

repos:
  - repo:
    rev: v2.4.3
    hooks:
      - id: pip-audit
        args: [ "-r", "requirements.txt" ]
# Leave pip-audit to only run locally and not in CI
# (pre-commit.ci does not allow network calls)
ci:
  skip: [ pip-audit ]


We keep the flask package at version 0.5 in our environment. To run pip-audit against the current python environment, we can type:

$ pip-audit
Found 2 known vulnerabilities in 1 package
Name  Version ID             Fix Versions
----- ------- -------------- ------------
flask 0.5     PYSEC-2019-179 1.0
flask 0.5     PYSEC-2018-66  0.12.3

# add a description column to the report
$ pip-audit --desc

# show which upgrades pip-audit would apply, without changing anything
$ pip-audit --fix --dry-run
INFO:pip_audit._cli:Dry run: would have upgraded Flask to 1.0
Found 2 known vulnerabilities in 1 package and fixed 0 vulnerabilities in 0 packages
Name  Version ID             Fix Versions
----- ------- -------------- ------------
flask 0.5     PYSEC-2019-179 1.0
flask 0.5     PYSEC-2018-66  0.12.3

# if you manage dependencies with poetry, apply the upgrade through poetry instead
$ poetry update flask

# audit a requirements file instead of the environment
$ pip-audit -r ./requirements.txt
# audit a project; this assumes pyproject.toml is in the current directory
$ pip-audit .
# machine-readable output
$ pip-audit -f json | python -m json.tool
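To turn that JSON report into a CI gate, here is an added example (not from the original post or the pip-audit project) that reads the output of `pip-audit -f json`, summarises each vulnerable package and picks a single upgrade target. The report shape it parses and the embedded sample are assumptions based on pip-audit 2.4's format, and the upgrade policy is a simplification, not pip-audit's own algorithm.

```python
import json
import re
import sys
# Constructed sample in the shape pip-audit 2.4 emits for `pip-audit -f json`
# (assumed format: {"dependencies": [...], ...}); not real tool output.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "flask", "version": "0.5", "vulns": [
            {"id": "PYSEC-2019-179", "fix_versions": ["1.0"], "aliases": ["CVE-2019-1010083"]},
            {"id": "PYSEC-2018-66", "fix_versions": ["0.12.3"], "aliases": ["CVE-2018-1000656"]},
        ]},
        {"name": "requests", "version": "2.28.1", "vulns": []},
        {"name": "oldlib", "version": "0.1", "vulns": [  # constructed: advisory with no fixed release
            {"id": "EXAMPLE-0001", "fix_versions": [], "aliases": []},
        ]},
    ],
})

def version_key(v):
    # Sort key for dotted release versions such as 0.12.3 (non-numeric parts are ignored).
    return tuple(int(x) for x in re.findall(r"\d+", v))

def minimum_fix_version(vulns):
    # Smallest single upgrade that clears every vuln, or None if any vuln has no fix.
    # Assumed policy, not pip-audit's own algorithm: take each vuln's lowest fix
    # version and upgrade to the highest of those (flask: max(1.0, 0.12.3) -> 1.0).
    targets = []
    for v in vulns:
        if not v.get("fix_versions"):
            return None
        targets.append(min(v["fix_versions"], key=version_key))
    return max(targets, key=version_key) if targets else None

def summarize(report_text):
    # Return {package: (vuln_count, upgrade_target)} for every dependency with vulns.
    report = json.loads(report_text)
    deps = report["dependencies"] if isinstance(report, dict) else report  # assumption: older releases emit a bare list
    return {d["name"]: (len(d["vulns"]), minimum_fix_version(d["vulns"]))
            for d in deps if d.get("vulns")}

def gate(report_text):
    # CI gate: print one line per vulnerable package, exit 1 if any were found.
    summary = summarize(report_text)
    for name, (count, fix) in sorted(summary.items()):
        print(f"{name}: {count} vuln(s), upgrade to {fix or 'no fixed release yet'}")
    return 1 if summary else 0

if __name__ == "__main__":  # usage: pip-audit -f json | python audit_gate.py
    sys.exit(gate(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT))
```

Run without a pipe it evaluates the embedded sample; a package whose advisory has no fix_versions is reported but cannot be given an upgrade target, so it still fails the gate.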

Which audit tool to use in your project?

The answer to this question depends on your needs and constraints. Here are some considerations to take into account when making your decision.

  • safety has a company behind it that dedicates its time to finding vulnerabilities in python packages ahead of official CVEs.
  • To make the best use of safety, i.e. to have the most up-to-date vulnerability database, you should use a paid plan. You need to be sure you or your company has the budget for that.
  • pip-audit is more open source than safety, since the management of its database is transparent to all users.
  • pip-audit provides a hint on how to fix a found vulnerability; safety doesn't do that unless you subscribe to a paid plan.
  • pip-audit may be integrated into pip in the future.



Kevin Tewouda



Cameroonian deserter now living in France. Passionate about programming, sport, cinema and manga. I write in French and in English because of my origins.