SC003: NoDependencyVulnerabilities
Overview
| Property | Value |
|---|---|
| ID | SC003 |
| Name | NoDependencyVulnerabilities |
| Group | security |
| Severity | WARNING |
Description
Uses pip-audit to scan project dependencies for known security vulnerabilities from the Python Packaging Advisory Database and OSV.
Vulnerable dependencies can:
- Expose your application to known exploits
- Create compliance issues
- Put users at risk
What it checks
The check runs `pip-audit --format json` and parses the results to identify:
- Packages with known CVEs (Common Vulnerabilities and Exposures)
- Available fix versions
- Vulnerability IDs for further research
Result states
- PASSED: No vulnerabilities found in dependencies
- FAILED: One or more vulnerable dependencies detected
- SKIPPED: pip-audit is not installed
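As an added example, not pycmdcheck's own code, here is a small parser that maps a pip-audit JSON report onto the three result states above, with `--ignore-vuln`-style suppression applied by id or alias. The report shape (a `dependencies` list whose entries carry `name`, `version`, `vulns` with `id`, `aliases`, `fix_versions`, or a `skip_reason`), the helper names and the sample report are assumptions; the vulnerability ids in the sample are placeholders.

```python
import json
import shutil
import subprocess
from dataclasses import dataclass, field


@dataclass
class Finding:
    """One vulnerability reported against one installed package."""
    package: str
    version: str
    vuln_id: str
    aliases: list[str]
    fix_versions: list[str]


@dataclass
class AuditResult:
    """Mirrors the page's three result states: PASSED, FAILED or SKIPPED."""
    state: str
    findings: list[Finding] = field(default_factory=list)


def parse_pip_audit_json(report_text: str,
                         ignore_vulns: frozenset[str] = frozenset()) -> AuditResult:
    """Turn a pip-audit JSON report into a PASSED/FAILED result.

    Assumed shape: {"dependencies": [{"name", "version", "vulns": [...]}]},
    where each vuln has "id", "aliases" and "fix_versions". Entries pip-audit
    could not resolve carry "skip_reason" instead and are not counted.
    A vuln is suppressed when its id or any alias is in ignore_vulns, which
    is the same idea as the --ignore-vuln flag.
    """
    report = json.loads(report_text)
    findings: list[Finding] = []
    for dep in report.get("dependencies", []):
        if "skip_reason" in dep:
            continue
        for vuln in dep.get("vulns", []):
            ids = {vuln.get("id", "")} | set(vuln.get("aliases", []))
            if ids & ignore_vulns:
                continue
            findings.append(Finding(
                package=dep["name"],
                version=dep["version"],
                vuln_id=vuln.get("id", ""),
                aliases=list(vuln.get("aliases", [])),
                fix_versions=list(vuln.get("fix_versions", [])),
            ))
    return AuditResult("FAILED" if findings else "PASSED", findings)


def describe(result: AuditResult) -> list[str]:
    """Report lines: package, id to research, and the available fix (if any)."""
    lines = [f"SC003 NoDependencyVulnerabilities: {result.state}"]
    for f in result.findings:
        fix = ", ".join(f.fix_versions) if f.fix_versions else "no fix version published"
        alias = f" ({', '.join(f.aliases)})" if f.aliases else ""
        lines.append(f"  {f.package}=={f.version}: {f.vuln_id}{alias}; fix: {fix}")
    return lines


def run_check(ignore_vulns: frozenset[str] = frozenset()) -> AuditResult:
    """Run the real tool; SKIPPED when pip-audit is not on PATH."""
    if shutil.which("pip-audit") is None:
        return AuditResult("SKIPPED")
    # pip-audit exits non-zero when it finds vulnerabilities, so the exit
    # code is not an error signal here; the JSON on stdout is what matters.
    proc = subprocess.run(["pip-audit", "--format", "json"],
                          capture_output=True, text=True, check=False)
    return parse_pip_audit_json(proc.stdout, ignore_vulns)


# Constructed sample report shaped like pip-audit's JSON output. The ids are
# placeholders: PYSEC-2021-123 is the page's own example, the CVE is invented.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "requests", "version": "2.25.1", "vulns": [
            {"id": "PYSEC-2021-123", "aliases": ["CVE-0000-00000"],
             "fix_versions": ["2.31.0"], "description": "placeholder"}]},
        {"name": "certifi", "version": "2024.2.2", "vulns": []},
        {"name": "local-only-pkg", "skip_reason": "Dependency not found on PyPI"},
    ],
    "fixes": [],
})

if __name__ == "__main__":
    print("\n".join(describe(parse_pip_audit_json(SAMPLE_REPORT))))
    print("\n".join(describe(parse_pip_audit_json(
        SAMPLE_REPORT, ignore_vulns=frozenset({"PYSEC-2021-123"})))))
```

Matching the ignore set against aliases as well as the primary id matters in practice: the same advisory is often known under both a PYSEC and a CVE identifier, and a suppression written against one should not silently stop working when the report lists the other.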
How to fix
Install pip-audit

First, ensure pip-audit is available:

```shell
pip install pip-audit
# or
uv add --dev pip-audit
```

Run pip-audit manually

To see detailed vulnerability information:

```shell
pip-audit
```

Upgrade vulnerable packages

```shell
# Upgrade a specific package
pip install --upgrade requests
# Or with uv
uv add requests@latest
```

Use pip-audit to fix automatically

```shell
pip-audit --fix
```

Pin to safe versions

Update your pyproject.toml to require fixed versions:

```toml
[project]
dependencies = [
    "requests>=2.31.0", # Fixed version
]
```

Handling false positives
If a vulnerability doesn’t apply to your use case, you can suppress it:
```shell
pip-audit --ignore-vuln PYSEC-2021-123
```

Or in CI:

```yaml
- name: Security audit
  run: pip-audit --ignore-vuln PYSEC-2021-123
```

Why WARNING severity?
This check is a WARNING because:
- Not all vulnerabilities may be exploitable in your context
- Fixes may not always be immediately available
- Dependencies may have constraints preventing upgrades
However, all flagged vulnerabilities should be reviewed and addressed when possible.
Configuration
Skip this check
```toml
[tool.pycmdcheck]
skip = ["SC003"]
```

CLI

```shell
pycmdcheck --skip SC003
```

Skip entire security group

```shell
pycmdcheck --skip-group security
```