SC012: VulnerabilityCheck
Overview
| Property | Value |
|---|---|
| ID | SC012 |
| Name | VulnerabilityCheck |
| Group | security |
| Severity | ERROR |
Description
Scans project dependencies against CVE databases to detect known security vulnerabilities using pip-audit or safety.
This check is critical because:
- Vulnerable dependencies can expose your application to attacks
- Supply chain security is a growing concern in the Python ecosystem
- Timely patching of vulnerabilities reduces security risk
- Automated scanning catches issues before deployment
What it checks
The check queries CVE databases for known vulnerabilities in your dependencies:
- PASSED: No known vulnerabilities found in dependencies
- FAILED: One or more vulnerabilities detected (reports CVE IDs and fix versions)
- NOT_APPLICABLE: Neither pip-audit nor safety is installed
Tools used
The check prefers pip-audit and falls back to safety only if pip-audit is not available:
- pip-audit (preferred): Uses PyPI’s vulnerability database
- safety (fallback): Uses Safety DB vulnerability database
How to fix
Install a vulnerability scanner
```bash
# pip-audit (recommended)
pip install pip-audit
# or
uv add --dev pip-audit
# Alternative: safety
pip install safety
```
Run a scan manually
```bash
# With pip-audit
pip-audit
# With safety
safety check
```
Upgrade vulnerable packages
```bash
# Upgrade a specific package
pip install --upgrade package-name
# Using uv
uv add package-name@latest
# Using pip-audit to upgrade vulnerable packages automatically
# (fix versions are listed in the scan report itself)
pip-audit --fix
```
Example vulnerability output
When vulnerabilities are found, the check reports:
```text
FAILED: Found 3 vulnerability(ies) in dependencies
- requests==2.25.0: CVE-2023-32681 (fix: 2.31.0)
- urllib3==1.26.4: CVE-2023-43804 (fix: 1.26.17, 2.0.6)
- cryptography==3.4.6: CVE-2023-23931 (fix: 39.0.1)
```
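To make the decision logic concrete, here is an added example (not pycmdcheck's own code) that models the PASSED/FAILED/NOT_APPLICABLE outcomes described under "What it checks" and "Tools used" and renders the report format shown above. It assumes the JSON shape produced by `pip-audit --format json` (a `dependencies` list whose entries carry `name`, `version` and `vulns` with `id`, `aliases` and `fix_versions`) and that `safety check` exits non-zero when it finds vulnerabilities; the sample report is constructed and its PYSEC ids are placeholders.

```python
import json
import shutil
import subprocess
from dataclasses import dataclass


@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str        # CVE alias when one exists, else the scanner's own id
    fix_versions: list


def parse_pip_audit(report_json, ignore=()):
    """Parse a `pip-audit --format json` report (assumed shape: {"dependencies":
    [{"name", "version", "vulns": [{"id", "aliases", "fix_versions"}]}]})."""
    findings = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulns", []):
            ids = [vuln["id"], *vuln.get("aliases", [])]
            if any(i in ignore for i in ids):  # mirrors --ignore-vuln (by PYSEC id or CVE alias)
                continue
            cve = next((i for i in ids if i.startswith("CVE-")), vuln["id"])
            findings.append(Finding(dep["name"], dep["version"], cve, list(vuln.get("fix_versions", []))))
    return findings


def format_result(findings):
    """Render the PASSED/FAILED lines in the same format the check reports."""
    if not findings:
        return "PASSED: No known vulnerabilities found in dependencies"
    lines = [f"FAILED: Found {len(findings)} vulnerability(ies) in dependencies"]
    for f in findings:
        lines.append(f"- {f.package}=={f.version}: {f.vuln_id} (fix: {', '.join(f.fix_versions) or 'none'})")
    return "\n".join(lines)


def run_check(timeout=180):
    """Prefer pip-audit, fall back to safety, otherwise NOT_APPLICABLE (timeout in seconds)."""
    if shutil.which("pip-audit"):
        proc = subprocess.run(["pip-audit", "--format", "json"], capture_output=True, text=True, timeout=timeout)
        return format_result(parse_pip_audit(proc.stdout))
    if shutil.which("safety"):  # assumption: safety exits non-zero when vulnerabilities are found
        proc = subprocess.run(["safety", "check"], capture_output=True, text=True, timeout=timeout)
        return "PASSED: safety found no known vulnerabilities" if proc.returncode == 0 else f"FAILED:\n{proc.stdout}"
    return "NOT_APPLICABLE: Neither pip-audit nor safety is installed"


# Constructed sample report (not real scanner output); PYSEC ids are placeholders.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"name": "requests", "version": "2.25.0", "vulns": [{"id": "PYSEC-EXAMPLE-1", "aliases": ["CVE-2023-32681"], "fix_versions": ["2.31.0"]}]},
    {"name": "urllib3", "version": "1.26.4", "vulns": [{"id": "PYSEC-EXAMPLE-2", "aliases": ["CVE-2023-43804"], "fix_versions": ["1.26.17", "2.0.6"]}]},
    {"name": "cryptography", "version": "3.4.6", "vulns": [{"id": "PYSEC-EXAMPLE-3", "aliases": ["CVE-2023-23931"], "fix_versions": ["39.0.1"]}]},
    {"name": "idna", "version": "3.4", "vulns": []}]})
```

Calling `format_result(parse_pip_audit(SAMPLE_REPORT))` reproduces the three-line FAILED report above; `run_check()` runs the real scanners if they are on PATH.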
Pin to secure versions
Update your pyproject.toml:
```toml
[project]
dependencies = [
    "requests>=2.31.0",
    "urllib3>=2.0.6",
    "cryptography>=39.0.1",
]
```
Exclude false positives
If a vulnerability doesn’t apply to your usage:
```bash
# pip-audit: ignore specific vulnerabilities
pip-audit --ignore-vuln PYSEC-2023-XXX
# safety: use an ignore file
safety check --ignore 12345
```
Why ERROR severity?
This check is an ERROR because:
- Security vulnerabilities can lead to data breaches
- Vulnerable dependencies may be exploited by attackers
- Many vulnerabilities have publicly available exploits
- Regulatory compliance often requires patched dependencies
Configuration
Set timeout
For large dependency trees:
```toml
[tool.pycmdcheck.checks.SC012]
timeout = 300 # 5 minutes (default: 180 seconds)
```
Skip this check
```toml
[tool.pycmdcheck]
skip = ["SC012"]
```
CLI
```bash
pycmdcheck --skip SC012
```
Skip entire security group
```bash
pycmdcheck --skip-group security
```
Best practices
- Run in CI/CD: Add vulnerability scanning to your CI pipeline
- Monitor continuously: Use tools like Dependabot or Renovate
- Update regularly: Keep dependencies up to date
- Review advisories: Subscribe to security advisories for critical dependencies
- Use lockfiles: Pin exact versions for reproducible builds