Automatic Python Vulnerability Checking

Python is a popular programming language, useful for all sorts of tasks and projects. It has a large ecosystem of packages available, and sometimes these packages have security vulnerabilities. But how do you find out which of the packages you’re using have vulnerabilities, and what version you need to upgrade to?

Safety Checks

Safety is a python package that checks all your python dependencies for security vulnerabilities. By default, it uses the open source Safety DB, which is updated once a month, but you can get more timely updates by upgrading to the PyUp API. Once installed, using safety is very simple:

pip install safety
safety check

You can also check specific packages or all packages in a requirements file:

safety check package
safety check -r requirements.txt

The only downside of the above commands is that it is all manual. So how can you easily automate these checks, so that you’re notified when anything changes?

Automatic Safety Checks with GitHub Actions

GitHub, the most popular code hosting platform, provides a feature called Actions, which lets you setup workflows of jobs. Below is a sample workflow (in YAML) for running safety checks against a requirements file in your repository once a day at 2AM UTC. It also has the option of running the workflow manually if desired.

name: Safety

  - cron: "0 2 * * *"

    runs-on: ubuntu-latest
    - uses: actions/checkout@v2
    - uses: actions/setup-python@v2
        python-version: 3.7
    - name: Install Safety & check requirements
      run: |
        pip install safety
        safety check -r requirements.txt

If the safety check fails, then the job will fail and you will get an alert in GitHub. This way, when any new vulnerabilities are discovered in the packages you use, you’ll automatically be alerted so you can take action.

Here’s a break down of each line in the workflow:

  1. workflow_dispatch: enables you to run the workflow manually
  2. schedule: cron: "0 2 * * *" runs the workflow at 2AM UTC every day
  3. runs-on: ubuntu-latest runs the workflow on the latest version of Ubuntu linux
  4. uses: actions/checkout@v2 checks out the repository this workflow belongs to
  5. uses: actions/setup-python@v2 sets up Python. The @v2 is for the setup-python action, not the Python version. with: python-version: 3.7 specifies the Python version to use.
  6. run: pip install safety; safety check -r requirements.txt runs commands to install the safety module and then checks your project requirements.txt for any vulnerable packages.

If everything is working and no vulnerabilities are found, you’ll get an output with the last few lines looking like this:

| checked 42 packages, using default DB
| No known security vulnerabilities found.

GitHub Dependabot

GitHub also provides its own automatic dependency checking service called Dependabot. Once enabled, it will look for package dependency files like requirements.txt, and then check packages against its own vulnerability database. Unlike safety, Dependabot can work for many different programming languages. And it integrates into your GitHub project with security alerts and automatic pull requests to bump package versions.

To enable Dependabot for your project, go into your GitHub project Settings > Security & Analysis. You’ll need to enable at least Dependency graph & Dependabot alerts. If you also want the automatic pull requests, you should enable Dependabot security updates.

Using both safety and Dependabot can help ensure you have good vulnerability coverage from multiple sources, and the methods above make the checks automatic

This post may contain affiliate links.