Description
pip-audit
=========

`pip-audit` is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database (https://github.com/pypa/advisory-database) via the [PyPI JSON API](https://warehouse.pypa.io/api-reference/json.html) as a source of vulnerability reports.

This project is maintained in part by [Trail of Bits](https://www.trailofbits.com/) with support from Google. This is not an official Google or Trail of Bits product.

## Index

* [Features](#features)
* [Installation](#installation)
  * [Third-party packages](#third-party-packages)
  * [GitHub Actions](#github-actions)
  * [`pre-commit` support](#pre-commit-support)
* [Usage](#usage)
  * [Environment variables](#environment-variables)
  * [Exit codes](#exit-codes)
  * [Dry runs](#dry-runs)
* [Examples](#examples)
* [Troubleshooting](#troubleshooting)
* [Tips and Tricks](#tips-and-tricks)
* [Security model](#security-model)
* [Licensing](#licensing)
* [Contributing](#contributing)
* [Code of Conduct](#code-of-conduct)

## Features

* Support for auditing local environments and requirements-style files
* Support for multiple vulnerability services ([PyPI](https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities), [OSV](https://osv.dev/docs/))
* Support for emitting [SBOMs](https://en.wikipedia.org/wiki/Software_bill_of_materials) in [CycloneDX](https://cyclonedx.org/) XML or JSON
* Support for automatically fixing vulnerable dependencies (`--fix`)
* Human and machine-readable output formats (columnar, Markdown, JSON)
* Seamlessly reuses your existing local `pip` caches

## Installation

`pip-audit` requires Python 3.9 or newer, and can be installed directly via `pip`:

```bash
python -m pip install pip-audit
```

### Third-party packages

There are multiple **third-party** packages for `pip-audit`. The following package trackers list some of them:

* https://repology.org/project/python:pip-audit/versions
* https://repology.org/project/pip-audit/versions
* https://anaconda.org/conda-forge/pip-audit

In particular, `pip-audit` can be installed via `conda`:

```bash
conda install -c conda-forge pip-audit
```

Third-party packages are **not** directly supported by this project. Please consult your package manager's documentation for more detailed installation guidance.

### GitHub Actions

`pip-audit` has [an official GitHub Action](https://github.com/pypa/gh-action-pip-audit)! You can install it from the [GitHub Marketplace](https://github.com/marketplace/actions/gh-action-pip-audit), or add it to your CI manually:

```yaml
jobs:
  pip-audit:
    steps:
      - uses: pypa/gh-action-pip-audit@v1.0.0
        with:
          inputs: requirements.txt
```

See the [action documentation](https://github.com/pypa/gh-action-pip-audit/blob/main/README.md) for more details and usage examples.

### `pre-commit` support

`pip-audit` has [`pre-commit`](https://pre-commit.com/) support. For example, using `pip-audit` via `pre-commit` to audit a requirements file:

```yaml
- repo: https://github.com/pypa/pip-audit
  rev: v2.10.0
  hooks:
    - id: pip-audit
      args: ["-r", "requirements.txt"]
ci:
  # Leave pip-audit to only run locally and not in CI
  # pre-commit.ci does not allow network calls
  skip: [pip-audit]
```

Any `pip-audit` arguments documented below can be passed.

## Usage

You can run `pip-audit` as a standalone program, or via `python -m`:

```bash
pip-audit --help
python -m pip_audit --help
```

```
usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENT] [--locked] [-f FORMAT] [-s SERVICE] [--osv-url OSV_URL] [-d] [-S] [--desc [{on,off,auto}]] [--aliases [{on,off,auto}]] [--cache-dir CACHE_DIR] [--progress-spinner {on,off}] [--ti
```
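The script below is an added example and is not part of the `pip-audit` README or code base. It shows one way to turn a `--format=json` report into a CI gate with a reviewed ignore list: a vulnerability is accepted only if its advisory ID, or one of the aliases that `--aliases` reports, appears in an ignore file kept next to the requirements file, and an optional `--strict` mode also fails on packages the audit skipped. The report layout it parses (`dependencies[].vulns[].{id,fix_versions,aliases}`, plus `name`/`skip_reason` for skipped packages) is my understanding of pip-audit's JSON output and is stated here as an assumption; the package names and advisory IDs in the embedded sample report are constructed placeholders, not real advisories.

```python
"""Gate a CI job on a pip-audit JSON report against a local ignore list.

Added example, not part of pip-audit itself. It assumes pip-audit's
--format=json layout: a top-level "dependencies" list whose entries carry
"name", "version" and a "vulns" list of {"id", "fix_versions", "aliases"},
or "name" plus "skip_reason" for packages the audit skipped. Check those
field names against a real report before relying on this script.
"""
import json
import sys
from dataclasses import dataclass, field

# Constructed sample shaped like `pip-audit -r requirements.txt --format=json --aliases`.
# Package names and vulnerability IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "example-lib", "version": "1.0.0", "vulns": [
            {"id": "PYSEC-0000-00001", "fix_versions": ["1.0.1"],
             "aliases": ["CVE-0000-00001"], "description": "constructed, fixed upstream"},
            {"id": "PYSEC-0000-00002", "fix_versions": [],
             "aliases": [], "description": "constructed, no fix released"},
        ]},
        {"name": "clean-lib", "version": "2.3.0", "vulns": []},
        {"name": "local-thing", "skip_reason": "constructed: editable install"},
    ],
    "fixes": [],
})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    aliases: tuple
    fix_versions: tuple


@dataclass
class Verdict:
    strict: bool = False               # treat skipped (unaudited) packages as a failure
    blocking: list = field(default_factory=list)
    ignored: list = field(default_factory=list)
    skipped: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.blocking and not (self.strict and self.skipped)


def load_findings(report_text: str):
    """Flatten a pip-audit JSON report into findings plus skipped-package notes."""
    report = json.loads(report_text)
    findings, skipped = [], []
    for dep in report.get("dependencies", []):
        if "skip_reason" in dep:
            # A skipped package was never audited; the audit cannot vouch for it.
            skipped.append(f"{dep['name']}: {dep['skip_reason']}")
            continue
        for vuln in dep.get("vulns", []):
            findings.append(Finding(dep["name"], dep["version"], vuln["id"],
                                    tuple(vuln.get("aliases", [])),
                                    tuple(vuln.get("fix_versions", []))))
    return findings, skipped


def evaluate(report_text: str, ignore_ids, strict: bool = False) -> Verdict:
    """Apply the ignore list: an entry matches the advisory ID or any alias,
    case-insensitively, so a 'CVE-...' entry also covers its 'PYSEC-...' ID."""
    findings, skipped = load_findings(report_text)
    verdict = Verdict(strict=strict, skipped=skipped)
    ignore = {i.strip().upper() for i in ignore_ids if i.strip()}
    for f in findings:
        names = {f.vuln_id.upper(), *(a.upper() for a in f.aliases)}
        (verdict.ignored if names & ignore else verdict.blocking).append(f)
    return verdict


def render(verdict: Verdict) -> str:
    """Human-readable summary; the last line is PASS or FAIL."""
    lines = []
    for f in verdict.blocking:
        fix = ", ".join(f.fix_versions) or "no fix version published"
        lines.append(f"BLOCK   {f.package}=={f.version} {f.vuln_id} (fix: {fix})")
    for f in verdict.ignored:
        lines.append(f"ignored {f.package}=={f.version} {f.vuln_id}")
    for s in verdict.skipped:
        lines.append(f"skipped {s}")
    lines.append("PASS" if verdict.ok else "FAIL")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: pip-audit -r requirements.txt --format=json --aliases | python gate.py ignore.txt [--strict]
    # ignore.txt holds one accepted vulnerability ID (or alias) per line.
    args = [a for a in sys.argv[1:] if a != "--strict"]
    ignore_ids = open(args[0]).read().splitlines() if args else []
    report = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not report.strip():
        report = SAMPLE_REPORT          # no input piped in: demonstrate on the constructed sample
    result = evaluate(report, ignore_ids, strict="--strict" in sys.argv)
    print(render(result))
    sys.exit(0 if result.ok else 1)
```

`pip-audit` already exits non-zero when it finds vulnerabilities, so the value of a gate like this is the reviewed ignore list (the same idea as `--ignore-vuln`, but kept under version control beside the requirements file so accepted risks are visible in review) and the explicit decision about skipped packages, which no audit result covers.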
Release History
| Version | Changes | Urgency | Date |
|---|---|---|---|
| 2.10.0 | Imported from PyPI (2.10.0) | Low | 4/21/2026 |
| v2.10.0 | **Added:** `pip-audit` now supports the `--osv-url URL` flag, which can be used to retrieve vulnerabilities from a custom OSV service. This is useful for organizations that host their own mirror of the OSV database, or that have custom OSV records ([#810](https://github.com/pypa/pip-audit/pull/810)); `pip-audit` now supports the Ecosyste.ms vulnerability service with `--vulnerability-service=esms` ([#903](https://github.com/pypa/pip-audit/pull/903)). **Changed:** The minimum v | Low | 12/1/2025 |
| v2.9.0 | **Added:** `pip-audit` now supports [PEP 751](https://peps.python.org/pep-0751/) lockfiles. These lockfiles can be audited in "project" mode by passing `--locked` to `pip-audit` ([#888](https://github.com/pypa/pip-audit/pull/888)) | Low | 4/7/2025 |
| v2.8.0 | **Added:** `pip-audit` now allows some CLI flags to be configured via environment variables ([#755](https://github.com/pypa/pip-audit/pull/755)). **Changed:** The default cache locations on macOS and Linux now respect each platform's caching directory idioms (e.g. XDG) ([#814](https://github.com/pypa/pip-audit/pull/814)); The minimum version of Python is now 3.9 ([#846](https://github.com/pypa/pip-audit/pull/846)) | Low | 2/6/2025 |
| v2.7.3 | **Fixed:** Improved handling of temporary files on Windows ([#757](https://github.com/pypa/pip-audit/pull/757)); Fixed a subprocess deadlock on Windows ([#756](https://github.com/pypa/pip-audit/pull/756)) | Low | 4/30/2024 |
| v2.7.2 | **Fixed:** `pip-audit` now invokes `pip` with `--keyring-provider=subprocess`, partially fixing a regression that was introduced with another authentication fix in 2.6.2. This allows the interior `pip` to use `keyring` to perform third-party index authentication. **Full Changelog**: https://github.com/pypa/pip-audit/compare/v2.7.1...v2.7.2 | Low | 2/29/2024 |
| v2.7.1 | **Fixed:** Improved the error returned to users when their default temporary directory lacks execute permissions ([#737](https://github.com/pypa/pip-audit/pull/737)) | Low | 2/12/2024 |
| v2.7.0 | **Added:** `pip-audit` now includes vulnerability aliases when `--format=json` is used, and also includes them in other output formats if specified by adding the flag `--aliases` | Low | 1/11/2024 |
| v2.6.3 | **Fixed:** Removed a misleading warning message that resulted in user confusion ([#719](https://github.com/pypa/pip-audit/pull/719)) | Low | 1/8/2024 |
| v2.6.2 | **Changed:** `pip-audit`'s minimum Python version is now 3.8. **Fixed:** Fixed a hang caused by auditing requirements when resolving against an index that requires authentication, causing `pip` to wait indefinitely for credentials ([#707](https://github.com/pypa/pip-audit/pull/707)) | Low | 12/19/2023 |
| v2.6.1 | **Fixed:** Fixed a crash on Windows caused by `pip-audit`'s use of temporary files ([#647](https://github.com/pypa/pip-audit/pull/647)) | Low | 7/24/2023 |
| v2.6.0 | **Added:** Added option to skip dependency resolution via `pip` with the `--disable-pip` flag. This option can only be used with hashed requirements files or when the `--no-deps` flag has been provided ([#610](https://github.com/pypa/pip-audit/pull/610)) | Low | 7/2/2023 |
| v2.5.6 | **Fixed:** Fixed a crash caused by incompatible dependency changes ([#617](https://github.com/pypa/pip-audit/pull/617)) | Low | 5/23/2023 |
| v2.5.5 | **Fixed:** Fixed a crash caused by incompatible dependency changes ([#605](https://github.com/pypa/pip-audit/pull/605)) | Low | 5/4/2023 |
| v2.5.4 | **Changed:** Refactored `index-url` option to not override user pip config by default, unless specified ([#565](https://github.com/pypa/pip-audit/pull/565)). **Fixed:** Fixed bug with the `--fix` flag where new requirements were sometimes being appended to requirement files instead of patching the existing requirement ([#577](https://github.com/pypa/pip-audit/pull/577)); Fixed a crash caused by auditing requirements files that refer to other requirements files ([#568](h | Low | 3/29/2023 |
| v2.5.3 | **Changed:** Further simplified `pip-audit`'s dependency resolution to remove inconsistent behaviour when using hashed requirements or the `--no-deps` flag ([#540](https://github.com/pypa/pip-audit/pull/540)). **Fixed:** Fixed a crash caused by invalid UTF-8 sequences in subprocess outputs ([#572](https://github.com/pypa/pip-audit/pull/572)) | Low | 3/23/2023 |
| v2.5.2 | **Fixed:** Fixed a loose dependency constraint for CycloneDX SBOM generation ([#558](https://github.com/pypa/pip-audit/pull/558)) | Low | 3/20/2023 |
| v2.5.1 | **Fixed:** Fixed a crash on Windows caused by multiple open file handles to input requirements ([#551](https://github.com/pypa/pip-audit/pull/551)) | Low | 3/17/2023 |
| v2.5.0 | **Changed:** Improved error messaging when a requirements input or indirect dependency has an invalid (non-PEP 440) requirements specifier ([#507](https://github.com/pypa/pip-audit/pull/507)); `pip-audit`'s handling of dependency resolution has been significantly refactored and simplified ([#523](https://github.com/pypa/pip-audit/pull/523)). **Fixed:** Fixed a potential crash on invalid unicode in subprocess streams ([#536](https://github.com/pypa/pip-audit/pull/536)) | Low | 3/16/2023 |
| v2.4.15 | **Fixed:** Fixed an issue where hash checking would fail when using third-party indices ([#462](https://github.com/pypa/pip-audit/pull/462)); Fixed the behavior of the `--skip-editable` flag, which had regressed with an internal API change ([#499](https://github.com/pypa/pip-audit/pull/499)); Fixed a dependency resolution bug that can potentially be triggered when multiple packages have the same subdependency ([#488](https://github.com/pypa/pip-audit/pull/488)) | Low | 1/31/2023 |
| v2.4.14 | **Fixed:** Fixed a dependency resolution failure caused by incorrect handling of a PEP 440 edge case around prerelease versions ([#477](https://github.com/pypa/pip-audit/pull/477)) | Low | 1/20/2023 |
| v2.4.13 | **Fixed:** Added a lower bound on `packaging` to ensure that non-normalized versions are handled correctly ([#471](https://github.com/pypa/pip-audit/pull/471)) | Low | 1/10/2023 |
| v2.4.12 | **Fixed:** Fixed `pip-audit`'s virtual environment creation and upgrade behavior, preventing spurious vulnerability reports ([#454](https://github.com/pypa/pip-audit/pull/454)); Users are now warned if a `pip-audit` invocation is ambiguous, e.g. if they've installed `pip-audit` globally but are asking for an audit of a loaded virtual environment ([#451](https://github.com/pypa/pip-audit/pull/451)) | Low | 12/29/2022 |
| v2.4.11 | **Fixed:** Fixed a crash triggered when a package specifies an invalid version specifier for its `requires-python` version ([#447](https://github.com/pypa/pip-audit/pull/447)) | Low | 12/28/2022 |
| v2.4.10 | **Fixed:** Fixed a crash triggered when no vulnerabilities are found with some configurations ([#437](https://github.com/pypa/pip-audit/pull/437)) | Low | 12/15/2022 |
| v2.4.9 | **Fixed:** The `--output` flag will no longer produce an empty file in the event of a failure within `pip-audit` itself, making it easier to distinguish between audit failures being reported by `pip-audit` and `pip-audit`'s own errors ([#432](https://github.com/pypa/pip-audit/pull/432)); Removed pin on `packaging` now that our dependency pins it for us ([#429](https://github.com/pypa/pip-audit/pull/427)) | Low | 12/14/2022 |
| v2.4.8 | **Fixed:** Pin maximum version of `packaging` dependency to avoid installing the new 22.0 version which is incompatible with `pip-requirements-parser` ([#427](https://github.com/pypa/pip-audit/pull/427)) | Low | 12/8/2022 |
| v2.4.7 | **Fixed:** Fixed a timestamp parsing bug that occurred with some vulnerability reports provided by the OSV service ([#416](https://github.com/pypa/pip-audit/issues/416)) | Low | 11/28/2022 |
| v2.4.6 | **Fixed:** Fixed an incorrect interaction between `--desc=auto` and `--format=json`; `--desc=auto` now includes the description in the generated JSON report, as intended ([#399](https://github.com/pypa/pip-audit/pull/399)); Fixed a bug in dependency resolution with third-party indices where relative URLs were not resolved correctly ([#411](https://github.com/pypa/pip-audit/pull/411), [#412](https://github.com/pypa/pip-audit/pull/412)) | Low | 11/21/2022 |
| v2.4.5 | **Fixed:** Fixed an issue where audits done with the PyPI vulnerability service (the default) were not correctly filtered by "withdrawn" status; "withdrawn" vulnerabilities are now excluded ([#393](https://github.com/pypa/pip-audit/pull/393)); Fixed an issue where audits done with the OSV vulnerability service (`-s osv`) were not correctly filtered by "withdrawn" status; "withdrawn" vulnerabilities are now excluded ([#386](https://github.com/pypa/pip-audit/pull/386)); * | Low | 10/31/2022 |
| v2.4.4 | **Changed:** `pip-audit` is now a PyPA member project, and lives under [`pypa/pip-audit`](https://github.com/pypa/pip-audit)!; Improved error message for when unpinned URL requirements are found during an audit with the `--no-deps` flag ([#355](https://github.com/pypa/pip-audit/pull/355)). **Fixed:** Fixed an issue where packages on PyPI with no published versions trigger a dependency resolution failure instead of being skipped ([#357](https://github.com/pypa/pip-aud | Low | 9/1/2022 |
| v2.4.3 | **Fixed:** Fixed a regression in requirements auditing that was introduced during the move from pip-api to pip-requirements-parser where editable installs without an egg fragment would cause audits to crash (https://github.com/trailofbits/pip-audit/pull/331) | Low | 7/25/2022 |
| v2.4.2 | **Fixed:** CLI: the `--format=markdown` and `--format=columns` output formats are no longer broken by long vulnerability descriptions from the OSV and PyPI vulnerability sources (https://github.com/trailofbits/pip-audit/pull/323) | Low | 7/21/2022 |
| v2.4.1 | **Fixed:** Fixed a breakage in hash-checking mode caused by a [change to the PyPI JSON API](https://discuss.python.org/t/backwards-incompatible-change-to-pypi-json-api/17154) ([#318](https://github.com/trailofbits/pip-audit/pull/318)) | Low | 7/7/2022 |
| v2.4.0 | **Added:** Output formats: `pip-audit` now supports a Markdown format (`--format=markdown`) which renders results as a set of Markdown tables. ([#312](https://github.com/trailofbits/pip-audit/pull/312)) | Low | 6/30/2022 |
| v2.3.4 | Release v2.3.4 | Low | 6/24/2022 |
| v2.3.3 | **Changed:** CLI: `pip-audit` now warns on the combination of `-s osv` and `--require-hashes`, notifying users that only the PyPI service can fully verify hashes ([#298](https://github.com/trailofbits/pip-audit/pull/298)). **Fixed:** CLI/Dependency sources: `--cache-dir=...` and other flags that affect dependency resolver behavior now work correctly when auditing a `pyproject.toml` dependency source ([#300](https://github.com/trailofbits/pip-audit/pull/300)) | Low | 6/15/2022 |
| v2.3.2 | **Changed:** CLI: `pip-audit`'s progress spinner has been refactored to make it faster and more responsive ([#283](https://github.com/trailofbits/pip-audit/pull/283)); CLI, Vulnerability sources: the error message used to report connection failures to vulnerability sources was improved ([#287](https://github.com/trailofbits/pip-audit/pull/287)); Vulnerability sources: the OSV service is now more resilient to schema changes ([#288](https://github.com/trailofbits/pip-aud | Low | 6/14/2022 |
| v2.3.1 | [2.3.1](https://github.com/trailofbits/pip-audit/compare/v2.3.0...v2.3.1) - 2022-05-24. **Fixed:** CLI: A bug causing the terminal's cursor to disappear on some versions of CPython was fixed (https://github.com/trailofbits/pip-audit/issues/280) | Low | 5/24/2022 |
| v2.3.0 | [2.3.0](https://github.com/trailofbits/pip-audit/compare/v2.2.1...v2.3.0) - 2022-05-18. **Added:** CLI: The `--ignore-vuln` option has been added, allowing users to specify vulnerability IDs to ignore during the final report (https://github.com/trailofbits/pip-audit/pull/275); CLI: The `--no-deps` flag has been added, allowing users to skip dependency resolution entirely when pip-audit is used in requirements mode (https://github.com/trailofbits/pip-audit/pull/255) | Low | 5/18/2022 |
| v2.2.1 | Release v2.2.1 | Low | 5/2/2022 |
| v2.2.0 | 2.2.0 - 2022-05-02. **Added:** CLI: The `--output` option has been added, allowing users to specify a file to write output to. The default behavior of writing to `stdout` is unchanged ([#262](https://github.com/trailofbits/pip-audit/pull/262)). **Fixed:** Vulnerability sources: A bug caused by insufficient version normalization was fixed ([#263](https://github.com/trailofbits/pip-audit/pull/263)) | Low | 5/2/2022 |
| v2.1.1 | [2.1.1](https://github.com/trailofbits/pip-audit/compare/v2.1.0...v2.1.1) - 2022-03-29. **Fixed:** Dependency sources: A bug caused by ambiguous parses of source distribution files was fixed ([#249](https://github.com/trailofbits/pip-audit/pull/249)) | Low | 3/29/2022 |
| v2.1.0 | [2.1.0](https://github.com/trailofbits/pip-audit/compare/v2.0.0...v2.1.0) - 2022-03-11. **Added:** CLI: The `--skip-editable` flag has been added, allowing users to skip local packages or parsed requirements (via `-r`) that are marked as editable (https://github.com/trailofbits/pip-audit/pull/244); CLI: pip-audit can audit projects that list their dependencies in pyproject.toml files, via `pip-audit <dir>` (https://github | Low | 3/11/2022 |
| v2.0.0 | [2.0.0](https://github.com/trailofbits/pip-audit/compare/v1.1.2...v2.0.0) - 2022-02-18. **Added:** CLI: The `--fix` flag has been added, allowing users to attempt to automatically upgrade any vulnerable dependencies to the first safe version available ([#212](https://github.com/trailofbits/pip-audit/pull/212), [#222](https://github.com/trailofbits/pip-audit/pull/222)); CLI: The combination of `--fix` and `--dry-run` is now su | Low | 2/18/2022 |
| v1.1.2 | Release v1.1.2 | Low | 1/13/2022 |
| v1.1.1 | Release v1.1.1 | Low | 12/7/2021 |
| v1.1.0 | Release v1.1.0 | Low | 12/6/2021 |
| v1.0.1 | Release v1.0.1 | Low | 12/2/2021 |
| v1.0.0 | Release v1.0.0 | Low | 12/1/2021 |
| v0.0.9 | Release v0.0.9 | Low | 12/1/2021 |
