Poetry plugin for checking security vulnerabilities in dependencies based on safety.
$ poetry audit
Scanning 19 packages...
• ansible-runner installed 1.1.2 affected <1.3.1 CVE PVE-2021-36995
• ansible-tower-cli installed 3.1.8 affected <3.2.0 CVE CVE-2020-1733
• jinja2 installed 2.0 affected <2.11.3 CVE CVE-2020-28493
3 vulnerabilities found
The easiest way to install the audit plugin is via the self add command of Poetry.
poetry self add poetry-audit-plugin
If you used pipx to install Poetry you can add the plugin via the pipx inject command.
pipx inject poetry poetry-audit-plugin
Otherwise, if you used pip to install Poetry you can add the plugin packages via the pip install command.
pip install poetry-audit-plugin
--json: Export the result in JSON format.
--ignore-code: Ignore some vulnerability IDs. Takes a list of IDs. For example:
poetry audit --ignore-code=CVE-2022-42969,CVE-2020-10684
--ignore-package: Ignore some packages. Takes a list of packages. For example:
poetry audit --json --ignore-package=py,ansible-tower-cli
--proxy-protocol, --proxy-host, --proxy-port: Proxy to access Safety DB. For example:
poetry audit --proxy-protocol=http --proxy-host=localhost --proxy-port=3128
--cache-sec: How long Safety DB can be cached locally. For example:
poetry audit --cache-sec=60
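A CI gate built on --ignore-code and the exit codes 0 and 1 that poetry audit returns, as an added example that is not part of poetry-audit-plugin: each ignored ID carries an expiry date, so a suppressed finding is reported again once its date has passed. The allowlist file format, the function names and the mapping of any other exit code to 2 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of poetry-audit-plugin.
# Allowlist format (an assumption of this example), one entry per line:
#   <vulnerability ID> <expiry YYYY-MM-DD> <reason>
# Constructed sample:
#   CVE-2022-42969 2999-12-31 no fixed release available
#   CVE-2020-10684 2000-01-01 expired, will be reported again

# Print the comma-separated IDs whose expiry date is today or later.
# $1 = allowlist file, $2 = today's date as YYYY-MM-DD
active_ignores() {
    awk -v today="$2" '
        /^[ \t]*(#|$)/ { next }      # skip comments and blank lines
        $2 >= today {                # ISO dates compare correctly as strings
            sep = (ids == "") ? "" : ","
            ids = ids sep $1
        }
        END { print ids }
    ' "$1"
}

# Run the audit with the unexpired ignores and return a CI verdict.
# 0 and 1 are the documented exit codes; mapping every other code to 2
# (audit did not complete, fail the build) is this example's choice.
audit_gate() {
    ignores=$(active_ignores "$1" "$2") || return 2
    rc=0
    if [ -n "$ignores" ]; then
        poetry audit "--ignore-code=$ignores" || rc=$?
    else
        poetry audit || rc=$?
    fi
    case $rc in
        0) echo "audit: nothing found outside the allowlist" ;;
        1) echo "audit: vulnerabilities found, failing the build" >&2 ;;
        *) echo "audit: poetry audit exited $rc, failing closed" >&2
           rc=2 ;;
    esac
    return "$rc"
}

# When called with an allowlist path, gate on today's date.
if [ "$#" -ge 1 ]; then
    audit_gate "$1" "$(date +%Y-%m-%d)"
fi
```

An entry with no expiry date is never passed to --ignore-code, so a malformed allowlist line cannot silently suppress a finding.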
poetry audit will exit with a code indicating its status.
0: Vulnerabilities were not found.
1: One or more vulnerabilities were found.
You can read this document to set up an environment to develop poetry-audit-plugin.
The first step is to install Poetry. Please read the official documentation and install Poetry on your machine.
Then, you can install dependencies of poetry-audit-plugin with the following command.
poetry install
Once that is done, you can start developing poetry-audit-plugin. You can use the test assets for testing.
cd tests/assets/no_vulnerabilities
poetry shell
poetry audit
Please lint, format, and test your changes before creating a pull request to keep the quality.
./scripts/lint.sh
./scripts/format.sh
./scripts/test.sh
Help is always appreciated. Please feel free to create an issue or a pull request!
This project is licensed under the terms of the MIT license.
FAQs
Poetry plugin for checking security vulnerabilities in dependencies
We found that poetry-audit-plugin demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.