SC004: DependencyAudit

Overview

Property   Value
---------  ---------------
ID         SC004
Name       DependencyAudit
Group      security
Severity   ERROR

Description

Runs pip-audit to scan installed dependencies for known security vulnerabilities using the Python Packaging Advisory Database and OSV.

This check provides comprehensive vulnerability scanning with:

  • CVE identification and severity ratings
  • CVSS scores for risk assessment
  • Recommended fix versions
  • Links to vulnerability details

What it checks

The check executes pip-audit and analyzes results for:

  • Known CVEs: Common Vulnerabilities and Exposures
  • PYSEC advisories: Python-specific security advisories
  • GHSA entries: GitHub Security Advisories
  • Severity levels: Critical, High, Medium, Low

Result states

  • PASSED: No vulnerabilities found
  • FAILED: Vulnerabilities detected (with CVE details)
  • SKIPPED: pip-audit is not installed
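As an added example (not pycmdcheck's own implementation), the following Python maps a pip-audit JSON report onto the three result states above. It assumes the report shape that pip-audit's `--format json` emits (a top-level `dependencies` list whose items carry `name`, `version` and a `vulns` list with `id` and `fix_versions`) and uses a constructed sample report mirroring the "Example output" section below.

```python
"""Added example: classify a pip-audit run as PASSED / FAILED / SKIPPED."""
import json
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str
    fix_versions: List[str] = field(default_factory=list)


def classify_audit(report_json: str) -> Tuple[str, List[Finding]]:
    """Map a pip-audit `--format json` report to a result state.

    Assumed report shape: {"dependencies": [{"name", "version",
    "vulns": [{"id", "fix_versions", ...}]}]}.
    """
    report = json.loads(report_json)
    findings = [
        Finding(dep["name"], dep["version"], vuln["id"], vuln.get("fix_versions", []))
        for dep in report.get("dependencies", [])
        for vuln in dep.get("vulns", [])
    ]
    return ("FAILED" if findings else "PASSED"), findings


def run_dependency_audit(requirements: Optional[str] = None) -> Tuple[str, List[Finding]]:
    """Run pip-audit if it is installed, otherwise report SKIPPED."""
    if shutil.which("pip-audit") is None:
        return "SKIPPED", []
    cmd = ["pip-audit", "--format", "json"]
    if requirements:
        cmd += ["-r", requirements]
    # pip-audit exits non-zero when vulnerabilities are found, so no check=True
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify_audit(proc.stdout)


# Constructed sample report (not real audit output) in the assumed shape
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"name": "django", "version": "3.2.0",
     "vulns": [{"id": "PYSEC-2024-1234", "fix_versions": ["3.2.25"]}]},
    {"name": "urllib3", "version": "1.26.0",
     "vulns": [{"id": "GHSA-xxxx-xxxx", "fix_versions": ["1.26.18"]}]},
    {"name": "requests", "version": "2.32.3", "vulns": []},
]})

if __name__ == "__main__":
    state, found = classify_audit(SAMPLE_REPORT)
    print(state, *(f"{f.package} {f.version} {f.vuln_id}" for f in found), sep="\n")
```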

How to fix

Install pip-audit

# Using pip
pip install pip-audit

# Using uv
uv add --dev pip-audit

# Using pipx (recommended for CLI tools)
pipx install pip-audit

Run audit manually

# Basic scan
pip-audit

# JSON output for parsing
pip-audit --format json

# Verbose output with descriptions
pip-audit --desc on

# Scan specific requirements file
pip-audit -r requirements.txt

Fix vulnerabilities

# Automatic fix (upgrade to patched versions)
pip-audit --fix

# Dry run to see what would change
pip-audit --fix --dry-run

# Manual upgrade of specific package (quote the specifier so the shell
# does not treat ">=" as an output redirection)
pip install --upgrade "vulnerable-package>=safe_version"

Handle unfixable vulnerabilities

Some vulnerabilities may not have fixes yet:

# Ignore specific vulnerability (use with caution)
pip-audit --ignore-vuln PYSEC-2024-1234

# Keep ignored IDs in a file for CI; pip-audit takes one --ignore-vuln
# per ID, so expand each line of the file into a repeated flag
echo "PYSEC-2024-1234" > .pip-audit-ignore
pip-audit $(sed 's/^/--ignore-vuln /' .pip-audit-ignore)

Example output

Found 2 known vulnerabilities in 2 packages
Name    Version  ID               Fix Versions
------- -------- ---------------- ------------
django  3.2.0    PYSEC-2024-1234  >=3.2.25
urllib3 1.26.0   GHSA-xxxx-xxxx   >=1.26.18

CI/CD integration

GitHub Actions

- name: Security audit
  run: |
    pip install pip-audit
    pip-audit --format json --output audit-results.json
  continue-on-error: false

Pre-commit hook

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/pypa/pip-audit
    rev: v2.7.0
    hooks:
      - id: pip-audit

Why ERROR severity?

This check is an ERROR because:

  • Security vulnerabilities can be actively exploited
  • Dependency vulnerabilities affect all users
  • Patched versions are usually available
  • Failing early prevents vulnerable deployments

Configuration

Skip this check

[tool.pycmdcheck]
skip = ["SC004"]

CLI

pycmdcheck --skip SC004

Skip entire security group

pycmdcheck --skip-group security