Python is a popular programming language, useful for all sorts of tasks and projects. It has a large ecosystem of packages available, and sometimes these packages have security vulnerabilities. But how do you find out which of the packages you’re using have vulnerabilities, and what version you need to upgrade to?
Safety is a Python package that checks all of your Python dependencies for known security vulnerabilities. By default it uses the open source Safety DB, which is updated once a month, but you can get more timely updates by upgrading to the PyUp API. Once installed, using safety is very simple:
pip install safety
safety check
You can also check specific packages or all packages in a requirements file:
safety check package
safety check -r requirements.txt
The only downside of the above commands is that it is all manual. So how can you easily automate these checks, so that you’re notified when anything changes?
Automatic Safety Checks with GitHub Actions
GitHub, the most popular code hosting platform, provides a feature called Actions, which lets you set up workflows of jobs. Below is a sample workflow (in YAML) for running safety checks against a requirements file in your repository once a day at 2AM UTC. It also has the option of running the workflow manually if desired.
name: Safety

on:
  workflow_dispatch:
  schedule:
    - cron: "0 2 * * *"

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: 3.7
      - name: Install Safety & check requirements
        run: |
          pip install safety
          safety check -r requirements.txt
If the safety check fails, then the job will fail and you will get an alert in GitHub. This way, when any new vulnerabilities are discovered in the packages you use, you’ll automatically be alerted so you can take action.
Here’s a breakdown of each line in the workflow:
- workflow_dispatch: enables you to run the workflow manually.
- schedule: cron: "0 2 * * *" runs the workflow at 2AM UTC every day.
- runs-on: ubuntu-latest runs the workflow on the latest version of Ubuntu Linux.
- uses: actions/checkout@v2 checks out the repository this workflow belongs to.
- uses: actions/setup-python@v2 sets up Python. The @v2 is the version of the setup-python action, not the Python version.
- with: python-version: 3.7 specifies the Python version to use.
- run: pip install safety; safety check -r requirements.txt runs commands to install the safety module and then checks your project's requirements.txt for any vulnerable packages.
If everything is working and no vulnerabilities are found, you’ll get an output with the last few lines looking like this:
| REPORT |
| checked 42 packages, using default DB |
| No known security vulnerabilities found. |
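To make it clearer what that report summarizes, here is an added example (not part of the original post and not safety's own code) that does the core of what `safety check -r requirements.txt` does: parse the pinned versions in a requirements file and match each one against the affected-version specs of a vulnerability database. The requirements text and the database excerpt are constructed sample data in the shape of Safety DB's insecure_full.json, with placeholder advisory ids, and the version comparison is a simplified stand-in for the PEP 440 handling safety gets from the `packaging` library.

```python
import re

# Constructed sample requirements file in the pinned "name==version" form that
# `safety check -r requirements.txt` reads (example data, not a real project).
REQUIREMENTS = """\
requests==2.19.1
django==3.2.4  # comment after a pin
pyyaml==5.4.1
"""

# Constructed excerpt shaped like Safety DB's insecure_full.json; ids/text are placeholders.
SAMPLE_DB = {
    "requests": [{"id": "example-1", "specs": ["<2.20.0"],
                  "advisory": "Example advisory for requests."}],
    "pyyaml": [{"id": "example-2", "specs": [">=5.1,<5.4"],
                "advisory": "Example advisory for pyyaml."}],
}

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}

def parse_version(v):
    """'2.19.1' -> (2, 19, 1). Simplified: safety uses PEP 440 via `packaging`."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def matches(version, spec):
    """True if `version` satisfies every comma-separated clause, e.g. '>=5.1,<5.4'."""
    for clause in spec.split(","):
        op, target = re.match(r"\s*(<=|>=|==|<|>)\s*([\w.]+)", clause).groups()
        if not OPS[op](parse_version(version), parse_version(target)):
            return False
    return True

def parse_requirements(text):
    """Yield (name, version) for pinned lines; comments and blanks are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.-]+)==([\w.]+)$", line)
        if m:
            yield m.group(1).lower(), m.group(2)

def check(requirements, db):
    """Return [(name, version, advisory_id)] for every pin hit by an advisory."""
    hits = []
    for name, version in parse_requirements(requirements):
        for adv in db.get(name, []):
            if any(matches(version, s) for s in adv["specs"]):
                hits.append((name, version, adv["id"]))
    return hits

if __name__ == "__main__":
    for name, version, adv_id in check(REQUIREMENTS, SAMPLE_DB):
        print(f"{name}=={version} is affected by {adv_id}")
```

With the sample data, only requests 2.19.1 falls inside an affected range; pyyaml 5.4.1 sits just outside the `<5.4` bound, which is the kind of boundary a pinned upgrade is meant to cross.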
GitHub also provides its own automatic dependency checking service called Dependabot. Once enabled, it looks for package dependency files like requirements.txt and checks the packages listed there against its own vulnerability database. Unlike safety, Dependabot works for many different programming languages, and it integrates into your GitHub project with security alerts and automatic pull requests to bump package versions.
To enable Dependabot for your project, go into your GitHub project Settings > Security & Analysis. You’ll need to enable at least Dependency graph & Dependabot alerts. If you also want the automatic pull requests, you should enable Dependabot security updates.
Using both safety and Dependabot can help ensure you have good vulnerability coverage from multiple sources, and the methods above make the checks automatic.