ossaudit uses Sonatype OSS Index to audit Python packages for known vulnerabilities.

It can check installed packages and/or packages specified in dependency files. The following formats are supported with dparse:

  • PIP requirement files
  • Pipfile
  • Pipfile.lock
  • tox.ini
  • conda.yml



pip install ossaudit


Clone this repository and:

make install-dev

This installs ossaudit with pip. Note that each dependency in requirements/* is pinned with the hash of its source tarball. If you don't care about that, you could simply:

./ develop
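
What hash pinning of this kind checks, shown as an added example (not ossaudit's own code): a minimal parser for pip-style `--hash=` requirement lines that accepts an artifact only when its digest matches a pin. The package names and tarball bytes are constructed, and only `name==version` lines are handled.

```python
import hashlib
import re

# One pinned requirement: "name==version", followed by --hash options.
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==(\S+)")
_HASH = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)")


def _norm(name):
    """Normalise a project name so Example_Pkg and example-pkg compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text):
    """Return {(name, version): {(algo, hexdigest), ...}} from requirements text."""
    # Join backslash continuations so each requirement is one logical line.
    logical = re.sub(r"\\\r?\n", " ", text)
    pins = {}
    for line in logical.splitlines():
        line = line.split(" #", 1)[0].strip()  # drop trailing comments
        match = _REQ.match(line)
        if not match:
            continue  # comment, blank line or unsupported syntax
        hashes = {(a, h.lower()) for a, h in _HASH.findall(line)}
        pins[(_norm(match.group(1)), match.group(2))] = hashes
    return pins


def verify(pins, name, version, artifact):
    """True only if the artifact's digest equals one of the pinned hashes."""
    allowed = pins.get((_norm(name), version))
    if not allowed:  # unknown or hash-less entries are rejected, not trusted
        return False
    return any(hashlib.new(a, artifact).hexdigest() == h for a, h in allowed)


# Constructed sample: fake tarball bytes and a requirements file pinning them.
SDIST = b"constructed example-pkg 1.0 source tarball"
REQUIREMENTS = (
    "# constructed sample\n"
    "Example_Pkg==1.0 \\\n"
    "    --hash=sha256:%s\n"
    "unhashed==2.0\n"
) % hashlib.sha256(SDIST).hexdigest()

if __name__ == "__main__":
    pins = parse_pins(REQUIREMENTS)
    print(verify(pins, "example-pkg", "1.0", SDIST))         # pinned bytes
    print(verify(pins, "example-pkg", "1.0", SDIST + b"!"))  # altered bytes
    print(verify(pins, "unhashed", "2.0", b"anything"))      # no hash pinned
```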


$ ossaudit --help
Usage: ossaudit [OPTIONS]

  -c, --config TEXT    Configuration file.
  -i, --installed      Audit installed packages.
  -f, --file FILENAME  Audit packages in file (can be specified multiple
  --username TEXT      Username for authentication.
  --token TEXT         Token for authentication.
  --column TEXT        Column to show (can be specified multiple times).
                       [default: name, version, title]
  --ignore-id TEXT     Ignore a vulnerability by ID (can be specified multiple
  --help               Show this message and exit.


Appdirs is used to determine storage paths. This means that the location of the configuration file is platform-specific:

  • *nix: ~/.config/ossaudit/config.ini
  • macOS: ~/Library/Preferences/ossaudit/config.ini
  • Windows: C:\Users\<username>\AppData\Local\ossaudit\ossaudit\config.ini

It can be overridden with the --config command-line argument and with the OSSAUDIT_CONFIG environment variable.

Example configuration:

# Optional: OSS Index username.
username = string

# Optional: OSS Index token
token = string

# Optional: comma-separated list of columns to show.
# Default: name, version, title
# Supported: id, name, version, cve, cvss_score, title, description
columns = name, version, title

# Optional: comma-separated list of vulnerability IDs to ignore.
ignore-ids = x,y,z

Authentication is not required. However, requests are rate limited, and authenticated requests are less restricted. A free account can be created on OSS Index.


