Safety CI is a part of pyup.io. Check out the installation documentation for the online service. If you just want to run Safety CI without getting dependency updates, you might also want to take a look at usage examples.
Installing safety with pip
pip install safety
To check your currently selected virtual environment for dependencies with known security vulnerabilities, run:
safety check
You should get a report similar to this:
Now, let's install something insecure:
pip install insecure-package
Don't worry, it's just a test package.
Now run safety check again; this time the report should flag insecure-package:
Read requirement files
Just like pip, Safety is able to read local requirement files:
safety check -r requirements.txt
Read from stdin
Safety can also read from stdin when the --stdin flag is set.
To check a local requirements file, run:
cat requirements.txt | safety check --stdin
or the output of pip freeze:
pip freeze | safety check --stdin
or to check a single package:
echo "insecure-package==0.1" | safety check --stdin
For more examples, take a look at the options section.
Using Safety with a CI service
Safety works great in your CI pipeline. It returns a non-zero exit status if it finds a vulnerability.
Run it before or after your tests. If Safety finds something, your tests will fail.
install:
  - pip install safety
script:
  - safety check
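The stdin workflow and the CI gate described above, combined into one POSIX shell script. This is an added example, not part of the Safety project or the original page: it pipes the frozen environment into safety check --stdin and turns Safety's non-zero exit status into a build failure with a readable message. The FREEZE_CMD and SAFETY_CMD variables, the function names and the "run" argument are assumptions of this script, not Safety options; they exist so the source of the dependency list (pip freeze or a requirements file) and the scanner invocation can be swapped without editing the gate logic.

```shell
#!/bin/sh
# Added example (not the Safety project's own code): a CI gate around `safety check --stdin`.
# Assumed knobs: FREEZE_CMD produces the dependency list, SAFETY_CMD scans it.
# Safety itself is documented on the page to exit non-zero when it finds a vulnerability.

: "${FREEZE_CMD:=pip freeze}"              # alternative: FREEZE_CMD='cat requirements.txt'
: "${SAFETY_CMD:=safety check --stdin}"    # the scanner; reads requirements from stdin

# scan_dependencies: feed the dependency list to the scanner over stdin.
# Prints the scanner's report (stdout and stderr) and returns the scanner's exit status,
# so the caller decides what a non-zero status means for the pipeline.
scan_dependencies() {
  if report=$(sh -c "$FREEZE_CMD" | sh -c "$SAFETY_CMD" 2>&1); then
    status=0
  else
    status=$?
  fi
  printf '%s\n' "$report"
  return "$status"
}

# ci_gate: the step a CI job calls. Exit 0 only when the scan came back clean;
# any failure (findings, or the scanner itself missing) fails the build loudly.
ci_gate() {
  if scan_dependencies; then
    echo "dependency scan: no known vulnerabilities"
    return 0
  fi
  echo "dependency scan: vulnerable packages found (or scanner failed); failing the build" >&2
  return 1
}

# Run the gate only when invoked as `sh gate.sh run`, e.g. from a CI script step.
case "${1:-}" in
  run) ci_gate ;;
esac
```

Invoke it from the CI configuration as sh gate.sh run (after pip install safety), or with FREEZE_CMD='cat requirements.txt' sh gate.sh run to scan a pinned requirements file instead of the live environment. Because the scanner's own exit status is propagated rather than parsed, the gate fails closed: a missing or broken safety install fails the build just as a finding does, which is the behaviour you want from a security check in a pipeline.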
Using Safety in production
Safety is free and open source (MIT Licensed). The underlying open vulnerability database is updated once per month.
This document is still a work in progress. Have additional questions? Contact firstname.lastname@example.org.