# pip-audit

> A tool for scanning Python environments for known vulnerabilities

- **URL**: https://www.freshcrate.ai/projects/pip-audit
- **Author**: Alex Cameron
- **Category**: Frameworks
- **Latest version**: `2.10.0` (2026-04-21)
- **License**: Unknown
- **Source**: https://github.com/pypa/pip-audit
- **Homepage**: https://pypi.org/project/pip-audit/
- **Language**: Python
- **GitHub**: 1,268 stars, 93 forks
- **Registry**: pypi (`pip-audit`)
- **Tags**: `pypi`

## Description

[![CI](https://github.com/pypa/pip-audit/workflows/CI/badge.svg)](https://github.com/pypa/pip-audit/actions/workflows/ci.yml)
[![PyPI version](https://badge.fury.io/py/pip-audit.svg)](https://pypi.org/project/pip-audit)
[![Packaging status](https://repology.org/badge/tiny-repos/python:pip-audit.svg)](https://repology.org/project/python:pip-audit/versions)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/pypa/pip-audit/badge)](https://api.securityscorecards.dev/projects/github.com/pypa/pip-audit)
[![License](https://img.shields.io/github/license/pypa/pip-audit)](https://github.com/pypa/pip-audit/blob/main/LICENSE)

`pip-audit` is a tool for scanning Python environments for packages
with known vulnerabilities. It uses the Python Packaging Advisory Database
(https://github.com/pypa/advisory-database) via the
[PyPI JSON API](https://warehouse.pypa.io/api-reference/json.html) as a source
of vulnerability reports.

This project is maintained in part by [Trail of Bits](https://www.trailofbits.com/)
with support from Google. This is not an official Google or Trail of Bits product.

## Index

* [Features](#features)
* [Installation](#installation)
  * [Third-party packages](#third-party-packages)
  * [GitHub Actions](#github-actions)
  * [`pre-commit` support](#pre-commit-support)
* [Usage](#usage)
  * [Environment variables](#environment-variables)
  * [Exit codes](#exit-codes)
  * [Dry runs](#dry-runs)
* [Examples](#examples)
* [Troubleshooting](#troubleshooting)
* [Tips and Tricks](#tips-and-tricks)
* [Security model](#security-model)
* [Licensing](#licensing)
* [Contributing](#contributing)
* [Code of Conduct](#code-of-conduct)

## Features

* Support for auditing local environments and requirements-style files
* Support for multiple vulnerability services
  ([PyPI](https://warehouse.pypa.io/api-reference/json.html#known-vulnerabilities),
  [OSV](https://osv.dev/docs/))
* Support for emitting
  [SBOMs](https://en.wikipedia.org/wiki/Software_bill_of_materials) in
  [CycloneDX](https://cyclonedx.org/) XML or JSON
* Support for automatically fixing vulnerable dependencies (`--fix`)
* Human and machine-readable output formats (columnar, Markdown, JSON)
* Seamlessly reuses your existing local `pip` caches

## Installation

`pip-audit` requires Python 3.9 or newer, and can be installed directly via `pip`:

```bash
python -m pip install pip-audit
```

### Third-party packages

There are multiple **third-party** packages for `pip-audit`. The matrices and badges below
list some of them:

[![Packaging status](https://repology.org/badge/vertical-allrepos/python:pip-audit.svg)](https://repology.org/project/python:pip-audit/versions)
[![Packaging status](https://repology.org/badge/vertical-allrepos/pip-audit.svg)](https://repology.org/project/pip-audit/versions)
[![Conda - Platform](https://img.shields.io/conda/pn/conda-forge/pip-audit?logo=anaconda&style=flat)][#conda-forge-package]
[![Conda (channel only)](https://img.shields.io/conda/vn/conda-forge/pip-audit?logo=anaconda&style=flat&color=orange)][#conda-forge-package]

[#conda-forge-package]: https://anaconda.org/conda-forge/pip-audit

In particular, `pip-audit` can be installed via `conda`:

```bash
conda install -c conda-forge pip-audit
```

Third-party packages are **not** directly supported by this project. Please consult your package manager's
documentation for more detailed installation guidance.

### GitHub Actions

`pip-audit` has [an official GitHub Action](https://github.com/pypa/gh-action-pip-audit)!

You can install it from the
[GitHub Marketplace](https://github.com/marketplace/actions/gh-action-pip-audit), or
add it to your CI manually:

```yaml
jobs:
  pip-audit:
    steps:
      - uses: pypa/gh-action-pip-audit@v1.0.0
        with:
          inputs: requirements.txt
```

See the
[action documentation](https://github.com/pypa/gh-action-pip-audit/blob/main/README.md)
for more details and usage examples. As with any third-party action, pin the
`uses:` reference to a full commit SHA rather than a mutable tag in production
CI, so the audit step cannot be changed out from under you by a tag move.

### `pre-commit` support

`pip-audit` has [`pre-commit`](https://pre-commit.com/) support.

For example, using `pip-audit` via `pre-commit` to audit a requirements file:

```yaml
  - repo: https://github.com/pypa/pip-audit
    rev: v2.10.0
    hooks:
      -   id: pip-audit
          args: ["-r", "requirements.txt"]

ci:
  # Leave pip-audit to only run locally and not in CI
  # pre-commit.ci does not allow network calls
  skip: [pip-audit]
```

Any `pip-audit` arguments documented below can be passed.

## Usage

You can run `pip-audit` as a standalone program, or via `python -m`:

```bash
pip-audit --help
python -m pip_audit --help
```
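The JSON output format is the one you consume in CI. The script below is an added example, not part of pip-audit itself: it reads a report produced by `pip-audit -r requirements.txt -f json -o report.json`, applies a hypothetical time-limited ignore list, and returns a non-zero gate status when any finding is not covered by an unexpired entry. The report layout it relies on (a top-level `dependencies` list whose entries carry `name`, `version` and `vulns`, each vuln with `id`, `fix_versions` and `aliases`) is assumed from pip-audit's JSON output; the embedded sample report, its package names and its advisory IDs are constructed placeholders, not real packages or advisories.

```python
"""CI gate over a pip-audit JSON report with a time-limited ignore list.

Added example, not pip-audit's own code. Assumes the report came from
`pip-audit -r requirements.txt -f json -o report.json`. Run with a report
path as the only argument, or with no argument to use the constructed sample.
"""
import json
import sys
from datetime import date

# Constructed sample shaped like pip-audit's `-f json` report. Not real output
# and not real advisories: every package name and ID is a fake placeholder.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "example-http", "version": "2.25.0", "vulns": [
            {"id": "PYSEC-EXAMPLE-1", "fix_versions": ["2.31.0"],
             "aliases": ["CVE-EXAMPLE-1"], "description": "constructed"}]},
        {"name": "example-web", "version": "3.0.0", "vulns": []},
        {"name": "example-util", "version": "1.26.0", "vulns": [
            {"id": "PYSEC-EXAMPLE-2", "fix_versions": [],
             "aliases": [], "description": "constructed, no fix released"},
            {"id": "PYSEC-EXAMPLE-3", "fix_versions": ["1.26.5"],
             "aliases": ["GHSA-EXAMPLE-3"], "description": "constructed"}]},
    ]
})

# Hypothetical ignore list: advisory ID or alias -> (expiry ISO date, reason).
# Every entry carries an expiry so an accepted risk is re-examined, not forgotten.
IGNORES = {
    "CVE-EXAMPLE-1": ("2026-06-30", "not reachable: no untrusted URLs are fetched"),
    "PYSEC-EXAMPLE-2": ("2025-12-31", "awaiting upstream fix"),
}


def evaluate(report, ignores, today):
    """Classify every vulnerability in a pip-audit JSON report.

    Returns one dict per vuln with status "ignored", "ignore-expired" or
    "blocked". An ignore entry matches through the primary ID or any alias,
    so the same advisory is recognised whether the vulnerability service
    reports it under its PYSEC, CVE or GHSA name.
    """
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            ids = [vuln["id"], *vuln.get("aliases", [])]
            matched = next((i for i in ids if i in ignores), None)
            if matched is None:
                status = "blocked"
            elif date.fromisoformat(ignores[matched][0]) >= today:
                status = "ignored"
            else:
                status = "ignore-expired"
            findings.append({
                "name": dep["name"], "version": dep["version"], "id": vuln["id"],
                "fix_versions": vuln.get("fix_versions", []), "status": status,
                "reason": ignores[matched][1] if matched else "",
            })
    return findings


def gate(findings):
    """Exit status for CI: 1 if anything is blocked or an ignore has lapsed."""
    return 1 if any(f["status"] != "ignored" for f in findings) else 0


def evaluate_sample(today_iso):
    """Run the gate logic over the constructed sample as of a given ISO date."""
    return evaluate(json.loads(SAMPLE_REPORT), IGNORES, date.fromisoformat(today_iso))


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    findings = evaluate(json.loads(text), IGNORES, date.today())
    for f in findings:
        fix = ",".join(f["fix_versions"]) or "no fix"
        print(f"{f['status']:15} {f['name']}=={f['version']} {f['id']} "
              f"(fix: {fix}) {f['reason']}")
    return gate(findings)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

pip-audit's own `--ignore-vuln` flag silences an ID outright; the expiry date is the difference here, so a risk acceptance lapses and resurfaces as `ignore-expired` instead of living in a CI config indefinitely. A vuln with an empty `fix_versions` list is the case to watch: `--fix` cannot resolve it, so it is exactly the kind of finding that tends to end up in an ignore list.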

```
usage: pip-audit [-h] [-V] [-l] [-r REQUIREMENT] [--locked] [-f FORMAT]
                 [-s SERVICE] [--osv-url OSV_URL] [-d] [-S]
                 [--desc [{on,off,auto}]] [--aliases [{on,off,auto}]]
                 [--cache-dir CACHE_DIR] [--progress-spinner {on,off}]
                 [--ti
```

## Recent releases

| Version | Date | Urgency | Changes |
| --- | --- | --- | --- |
| `2.10.0` | 2026-04-21 | Low | Imported from PyPI (2.10.0) |
| `v2.10.0` | 2025-12-01 | Low | Added: the `--osv-url URL` flag retrieves vulnerabilities from a custom OSV service, useful for organizations that host their own mirror of the OSV database or have custom OSV records ([#810](https://github.com/pypa/pip-audit/pull/810)); the Ecosyste.ms vulnerability service is available via `--vulnerability-service=esms` ([#903](https://github.com/pypa/pip-audit/pull/903)). Changed: The minimum v |

## Citation

- HTML: https://www.freshcrate.ai/projects/pip-audit
- Markdown: https://www.freshcrate.ai/projects/pip-audit.md
- Dependencies JSON: https://www.freshcrate.ai/api/projects/pip-audit/deps

_Generated by freshcrate.ai. Indexes pypi releases for AI-agent ecosystem packages._
