Scan Python dependency files for known security vulnerabilities across OSV, NVD, and GitHub Advisory Database with EPSS exploit-probability scoring.
Project description
lockfile-audit
Why lockfile-audit?
pip-audit is a solid tool, but it queries only the PyPA/OSV advisory database — leaving your project blind to CVEs that exist in NVD or the GitHub Advisory Database but haven't yet been cross-referenced in OSV. On top of that, every tool in this space gives you a flat list sorted by CVSS score, which doesn't tell you which vulnerabilities are actually being exploited in the wild right now.
lockfile-audit solves both problems:
- Broader coverage — queries OSV, NVD, and GitHub Advisory Database in parallel and deduplicates the results into a single unified report.
- Exploit-probability prioritization — enriches every finding with its EPSS score (probability of exploitation in the next 30 days), so your team can triage a CVSS 9.8 with a 0.1% exploit probability differently from a CVSS 7.5 that is actively being weaponized.
| Feature | pip-audit | lockfile-audit |
|---|---|---|
| OSV / PyPA database | ✅ | ✅ |
| NVD (NIST) database | ❌ | ✅ |
| GitHub Advisory Database | ❌ | ✅ |
| EPSS exploit-probability scores | ❌ | ✅ |
| SARIF output (GitHub Code Scanning) | ❌ | ✅ |
| Ignore file with expiry enforcement | ❌ | ✅ |
| Async parallel DB queries | ❌ | ✅ |
requirements.txt parsing |
✅ | ✅ |
pyproject.toml parsing |
✅ | ✅ |
poetry.lock parsing |
✅ | ✅ |
Installation
pip:
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file lockfile_audit-0.1.0.tar.gz.
File metadata
- Download URL: lockfile_audit-0.1.0.tar.gz
- Upload date:
- Size: 17.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.2.1 CPython/3.13.12 Darwin/24.6.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6e882be71ed636063b7da321dc7f79aea6e8ddbcadd4dac655090e29d4c48b28
|
|
| MD5 |
165bef1445a9c0ab02e98fc32f31df23
|
|
| BLAKE2b-256 |
ddb5c1a562fe8b1fb0b575a3ffb37ebe4240b8375740f6ef16733bfa8881b0cf
|
File details
Details for the file lockfile_audit-0.1.0-py3-none-any.whl.
File metadata
- Download URL: lockfile_audit-0.1.0-py3-none-any.whl
- Upload date:
- Size: 20.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.2.1 CPython/3.13.12 Darwin/24.6.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4123bba02df9cc66358055b561e818650e0ce95116d14044365a88666e68fcb0
|
|
| MD5 |
beddc49bb07d020e4bd934f8af9cb18e
|
|
| BLAKE2b-256 |
88d0134090dd939481fa66eef173074119b3fd23743e5d342fa19c9b4752e59a
|