Safety is available as an online service called Safety CI and an open source command line tool. Use it to check your dependencies for known security vulnerabilities.
Safety CI is a part of pyup.io. Check out the installation documentation for the online service. If you just want to run Safety CI without getting dependency updates, you might also want to take a look at usage examples.
safety with pip
pip install safety
To check your currently selected virtual environment for dependencies with known security vulnerabilities, run:
You should get a report similar to this:
Now, let's install something insecure:
pip install insecure-package
Don't worry, it's just a test package.
safety check again:
Read requirement files
Just like pip, Safety is able to read local requirement files:
safety check -r requirements.txt
Read from stdin
Safety is also able to read from stdin with the
--stdin flag set.
To check a local requirements file, run:
cat requirements.txt | safety check --stdin
or the output of
pip freeze | safety check --stdin
or to check a single package:
echo "insecure-package==0.1" | safety check --stdin
For more examples, take a look at the options section.
Using Safety with a CI service
Safety works great in your CI pipeline. It returns a non-zero exit status if it finds a vulnerability.
Run it before or after your tests. If Safety finds something, your tests will fail.
install: - pip install safety script: - safety check
Using Safety in production
Safety is free and open source (MIT Licensed). The underlying open vulnerability database is updated once per month.
To get access to all vulnerabilities as soon as they are added, you need an API key that comes with a paid pyup.io account.
This document is still a work in progress. Have additional questions? Contact email@example.com.