March 1, 2023
Today, we are incredibly excited to announce that Socket now supports Python!
Python is one of the most popular programming languages in the world, with millions of developers using it for everything from data science to web development. However, like all open source software, Python packages are vulnerable to supply chain attacks.
Over the past year, we've seen a sharp rise in supply chain attacks targeting PyPI. Attackers have taken notice of the opportunity to attack organizations through PyPI dependencies. That's why we've been working incredibly hard to ensure Socket offers best-in-class protection for teams that build with Python.
To get started with Socket for Python, you can install the Socket GitHub App. It takes less than five minutes to add Socket protection to all of your Python projects.
Socket has robust support for the most popular ways to declare Python dependencies, including:
requirements files (e.g.
pyproject.toml (standardized by PEP 518, PEP 517, PEP 621 and PEP 660)
With the addition of Python to our list of supported languages and ecosystems, you can now easily audit, manage, and secure your Python packages with Socket. You can see a demo of a few Python dependency configurations supported by Socket in our demo repo:
SocketDemo/avatar_diffusion (and while you're at it, you'll get to try out Stable Diffusion generative AI!)
Developers and security teams always tell us how much they love Socket's proactive security, easy installation process, and comprehensive open source protection. And with the addition of Python support, we're even better equipped to help developers and security teams work together to securely use and maintain OSS within their organizations.
And once you've installed Socket, you can rest easy knowing that we are automatically monitoring your Python packages for any potential security risks, preventing compromised or hijacked packages from infiltrating your supply chain by monitoring changes to dependencies in real-time.
At Socket, we believe in proactively detecting and preventing supply chain attacks before they cause damage. With the addition of Python support, we hope to offer this level of protection to even more organizations and teams.
For this initial Python release, we support detecting the most common supply chain attack – typosquatting. We plan to quickly expand the list of supported Python issues to encompass the full 70+ issues that we support for npm in the coming weeks and months.
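As an added illustration of the two points above (declaring dependencies in requirements files, and catching typosquats among them), here is a small Python checker that is not Socket's code and not part of the original post. It parses a constructed requirements file, normalizes the project names per PEP 503, and flags any name that sits within a couple of edits of a popular package name. The `POPULAR` set is a hypothetical stand-in for the much larger list a real tool would use.

```python
import re

# Constructed sample: a few widely used PyPI project names to compare against.
# A real checker would load a much larger list (e.g. the most-downloaded packages).
POPULAR = {"requests", "numpy", "urllib3", "cryptography", "django", "flask", "pillow", "boto3"}

# Constructed requirements file, including two look-alike names a typosquatter might register.
SAMPLE_REQUIREMENTS = """\
# pinned by pip-compile
requests==2.28.2
numpy>=1.24
reqeusts==2.28.2   # one transposition away from 'requests'
urlib3==1.26.0     # one deletion away from 'urllib3'
Django[argon2]~=4.1
-e git+https://example.invalid/repo.git#egg=localpkg
"""

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Normalized project names declared in a requirements file.
    Comments, blank lines, pip options (-e, -r, --index-url ...) and URL requirements are skipped."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-") or "://" in line:
            continue
        match = NAME_RE.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insertions, deletions, substitutions and
    adjacent transpositions (the 'reqeusts' case) each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_typosquats(names, popular=POPULAR, max_distance=2):
    """For each declared name that is not itself a popular package, report the closest
    popular name if it is within max_distance edits. Returns (name, lookalike, distance)."""
    hits = []
    for name in names:
        if name in popular:
            continue
        nearest = min(sorted(popular), key=lambda p: edit_distance(name, p))
        dist = edit_distance(name, nearest)
        if dist <= max_distance:
            hits.append((name, nearest, dist))
    return hits


if __name__ == "__main__":
    for name, lookalike, dist in find_typosquats(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{name!r} is {dist} edit(s) from popular package {lookalike!r}")
```

Edit distance alone produces false positives for short names (a legitimate `flasky` is one edit from `flask`), which is why production checkers also weigh signals such as the package's age and download counts before raising an alert.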
Most "vulnerability scanning" tools merely look up the packages you're using to see if any vulnerabilities have been reported to public CVE databases, an approach that is noisy and riddled with false positives.
Socket takes an entirely new approach. Socket uses "deep package inspection" to peel back the layers of a dependency and characterize its actual behavior. This allows us to detect and block likely supply chain attacks before they strike, mitigating the worst consequences.
With Socket, you don't have to worry about alert fatigue or wasting time sifting through piles of meaningless alerts. By default, Socket only alerts you on the most critical security issues – potential supply chain attacks, known malware, typosquats, and other similarly severe issues.
This means you can focus on what matters most – building great software – while Socket takes care of the security side of things.
Developers can use the free socket.dev package search tool to quickly evaluate the security and health of any PyPI package.
When you start your package search on socket.dev, you will get proactive information when you're about to use a malicious or risky package. Socket detects 70+ red flags in open source code, including malware, typo-squatting, hidden code, misleading packages, excessive permissions (filesystem, network, environment variables), and more.
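To make the idea of "deep package inspection" concrete, the following added example (written for this page; it is not Socket's scanner) walks the AST of a package's install script and records the capabilities it reaches for: network, process execution, environment-variable reads, filesystem writes, dynamic code, and the base64-decode-then-exec pattern. The `SAMPLE_SETUP_PY` string is a constructed, harmless stand-in for a suspicious setup.py; the category names and the module/call lists are this example's own choices.

```python
import ast

# Constructed install script exhibiting several red flags at once.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
import base64, os
import urllib.request

# Constructed placeholder: "QUJD" is base64 for b"ABC"; a real attack hides a script here
PAYLOAD = "QUJD"

home = os.environ.get("HOME")
urllib.request.urlopen("https://example.invalid/ping")
exec(base64.b64decode(PAYLOAD))
with open("/tmp/marker", "a") as f:
    f.write("installed")

setup(name="legit-looking-package", version="0.1.0")
'''

# Top-level modules whose mere import in install-time code is worth a look.
RISKY_IMPORTS = {
    "socket": "network", "urllib": "network", "http": "network", "requests": "network",
    "subprocess": "process", "ctypes": "native-code",
    "base64": "encoding", "marshal": "encoding", "zlib": "encoding",
}
# Fully dotted call targets mapped to the capability they exercise.
RISKY_CALLS = {
    "exec": "dynamic-code", "eval": "dynamic-code", "compile": "dynamic-code",
    "os.system": "process", "os.popen": "process",
    "subprocess.run": "process", "subprocess.Popen": "process",
    "subprocess.call": "process", "subprocess.check_output": "process",
    "urllib.request.urlopen": "network", "socket.create_connection": "network",
    "requests.get": "network", "requests.post": "network",
}


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class CapabilityScanner(ast.NodeVisitor):
    def __init__(self):
        self.findings = []  # (line, category, detail)

    def _add(self, node, category, detail):
        self.findings.append((node.lineno, category, detail))

    def visit_Import(self, node):
        for alias in node.names:
            top = alias.name.split(".")[0]
            if top in RISKY_IMPORTS:
                self._add(node, RISKY_IMPORTS[top], f"import {alias.name}")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        top = (node.module or "").split(".")[0]
        if top in RISKY_IMPORTS:
            self._add(node, RISKY_IMPORTS[top], f"from {node.module} import ...")
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        if name in RISKY_CALLS:
            self._add(node, RISKY_CALLS[name], f"{name}()")
        # exec/eval fed directly by a decode call: the classic obfuscated-payload shape
        if name in ("exec", "eval") and node.args and isinstance(node.args[0], ast.Call):
            inner = dotted_name(node.args[0].func) or "?"
            if "decode" in inner or "decompress" in inner or inner.startswith("base64"):
                self._add(node, "obfuscated-payload", f"{name}({inner}(...))")
        # open() with a mode that can create or modify a file
        if name == "open" and len(node.args) >= 2 and isinstance(node.args[1], ast.Constant):
            mode = str(node.args[1].value)
            if any(c in mode for c in "wa+x"):
                self._add(node, "filesystem-write", f"open(..., {mode!r})")
        self.generic_visit(node)

    def visit_Attribute(self, node):
        if dotted_name(node) == "os.environ":
            self._add(node, "environment", "os.environ")
        self.generic_visit(node)


def scan_source(source):
    """All findings for one Python source file, ordered by line."""
    scanner = CapabilityScanner()
    scanner.visit(ast.parse(source))
    return sorted(scanner.findings)


def capabilities(source):
    """The distinct capability categories a source file reaches for."""
    return sorted({category for _, category, _ in scan_source(source)})


if __name__ == "__main__":
    for line, category, detail in scan_source(SAMPLE_SETUP_PY):
        print(f"line {line:>3}  {category:<18} {detail}")
```

A plain `setup()` call with no imports beyond setuptools yields no findings, while the constructed sample lights up six categories; the point of the behavioural view is that none of this depends on a CVE having been filed against the package first.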
Here is an example that illustrates the power of using socket.dev instead of default search tools at npmjs.com or pypi.org. Look at the wealth of information not available in the default search tools:
We're working on providing the same extensive information (including Socket security data) for PyPI packages as we do for npm packages. In the meantime, we've taken the first step by supporting PyPI packages on the Socket website. For example, see the pages for
But Socket isn't just about preventing security risks going forward. We also offer a Project Health Report, which gives you visibility into the open source security issues present in your repositories today. This means you can retroactively remediate existing issues and ensure that all of your open source dependencies are as secure as possible.
At Socket, we're committed to making open source software safe for everyone. That's why we're constantly expanding our capabilities and adding support for new ecosystems. With today's release of Python support, we're taking another step towards that goal, and we're excited to see what our customers will be able to achieve with this new feature.
Finally, there are still a few places where we hope to improve our Python support for certain less common setups:
pip JSON lockfile support (pipfile.lock) – don't worry, pip-compile output works!
hatch package manager specific files (
setup-tools specific files (
If you use one of the above in your setup and want early access, please schedule a demo and our team will make sure Socket works with your exact Python setup.
If you want to try out Socket with Python support, you can install the GitHub App in less than 2 minutes.
We're here to help you keep your open source software secure, no matter what language or package manager you're using. Stay tuned for more language support soon, and vote for the language you would like to see next!
If you have any questions or feedback, please don't hesitate to reach out to our dedicated support and engineering team. If you would like to chat with someone on our team, you can schedule a demo with a technical expert.