Skip to main content

Scan Python dependency files for known security vulnerabilities across OSV, NVD, and GitHub Advisory Database with EPSS exploit-probability scoring.

Project description

lockfile-audit

PyPI version Python versions License: MIT CI Coverage Ruff


Why lockfile-audit?

pip-audit is a solid tool, but it queries only the PyPA/OSV advisory database — leaving your project blind to CVEs that exist in NVD or the GitHub Advisory Database but haven't yet been cross-referenced in OSV. On top of that, every tool in this space gives you a flat list sorted by CVSS score, which doesn't tell you which vulnerabilities are actually being exploited in the wild right now.

lockfile-audit solves both problems:

  1. Broader coverage — queries OSV, NVD, and GitHub Advisory Database in parallel and deduplicates the results into a single unified report.
  2. Exploit-probability prioritization — enriches every finding with its EPSS score (probability of exploitation in the next 30 days), so your team can triage a CVSS 9.8 with a 0.1% exploit probability differently from a CVSS 7.5 that is actively being weaponized.
Feature pip-audit lockfile-audit
OSV / PyPA database
NVD (NIST) database
GitHub Advisory Database
EPSS exploit-probability scores
SARIF output (GitHub Code Scanning)
Ignore file with expiry enforcement
Async parallel DB queries
requirements.txt parsing
pyproject.toml parsing
poetry.lock parsing

Installation

pip:

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

lockfile_audit-0.1.0.tar.gz (17.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

lockfile_audit-0.1.0-py3-none-any.whl (20.2 kB view details)

Uploaded Python 3

File details

Details for the file lockfile_audit-0.1.0.tar.gz.

File metadata

  • Download URL: lockfile_audit-0.1.0.tar.gz
  • Upload date:
  • Size: 17.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.2.1 CPython/3.13.12 Darwin/24.6.0

File hashes

Hashes for lockfile_audit-0.1.0.tar.gz
Algorithm Hash digest
SHA256 6e882be71ed636063b7da321dc7f79aea6e8ddbcadd4dac655090e29d4c48b28
MD5 165bef1445a9c0ab02e98fc32f31df23
BLAKE2b-256 ddb5c1a562fe8b1fb0b575a3ffb37ebe4240b8375740f6ef16733bfa8881b0cf

See more details on using hashes here.

File details

Details for the file lockfile_audit-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: lockfile_audit-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 20.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.2.1 CPython/3.13.12 Darwin/24.6.0

File hashes

Hashes for lockfile_audit-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4123bba02df9cc66358055b561e818650e0ce95116d14044365a88666e68fcb0
MD5 beddc49bb07d020e4bd934f8af9cb18e
BLAKE2b-256 88d0134090dd939481fa66eef173074119b3fd23743e5d342fa19c9b4752e59a

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page