Security vulnerability scanner for Python dependencies
Project description
osvcheck
Lightweight vulnerability scanner for Python dependencies using the OSV database.
osvcheck scans your Python project's dependencies for known security vulnerabilities by querying the OSV (Open Source Vulnerabilities) database. It's designed for source-level checking during development and CI/CD pipelines.
Key features:
- Zero runtime dependencies (stdlib only)
- Auto-detects package manager (uv.lock, uv, or pip)
- Smart caching (12-48 hour TTL) minimizes API calls
- Distinguishes direct vs indirect vulnerabilities
- Optional rich integration for enhanced output (auto-detected if installed)
Installation
Install via pip or uv, or add to your project's dev dependencies.
Usage
# Scan current project
osvcheck
# Logging options
osvcheck -v # Verbose (debug) output
osvcheck -q # Quiet (warnings/errors only)
osvcheck --log-json # JSON format logs
osvcheck --log-file FILE # Write logs to file
# Color control
osvcheck --color # Force color output
osvcheck --no-color # Disable color output
Exit codes:
0- No vulnerabilities found1- Indirect dependency vulnerabilities only2- Direct dependency vulnerabilities found
As a Pre-commit hook:
Add to .pre-commit-config.yaml:
- repo: https://github.com/deeprave/osvcheck
rev: v1.0.1
hooks:
- id: osvcheck
CI/CD integration:
# Fail only on direct vulnerabilities
osvcheck || [ $? -eq 1 ]
# Fail on any vulnerabilities
osvcheck
Features
- Scans Python dependencies for known security vulnerabilities
- Uses the OSV (Open Source Vulnerabilities) database
- Multi-environment support with auto-detection:
- Uses
uv.lockif present and up-to-date (fastest) - Falls back to
uv pip listif uv is available - Falls back to
pip listif pip is available
- Uses
- Smart caching with 12-48 hour randomized TTL
- Distinguishes between direct and indirect dependency vulnerabilities
- Zero runtime dependencies (Python stdlib only)
- Optional rich integration for enhanced output (auto-detected if already installed)
License
MIT License - See LICENSE file for details.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file osvcheck-1.3.0.tar.gz.
File metadata
- Download URL: osvcheck-1.3.0.tar.gz
- Upload date:
- Size: 10.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c876c10524d240d337ae823dd5927b2e51e16c2e0f852d1ecd357b227f6d6c41
|
|
| MD5 |
8b01ca8ca0451696bf0fa87ec6d321f5
|
|
| BLAKE2b-256 |
9c769418af087240b00b450f0b3ae065c68bdaff7eb26b166e0f5ca3dc7f59f9
|
Provenance
The following attestation bundles were made for osvcheck-1.3.0.tar.gz:
Publisher:
release.yml on deeprave/osvcheck
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
osvcheck-1.3.0.tar.gz -
Subject digest:
c876c10524d240d337ae823dd5927b2e51e16c2e0f852d1ecd357b227f6d6c41 - Sigstore transparency entry: 1635723495
- Sigstore integration time:
-
Permalink:
deeprave/osvcheck@f9f83e8ac9950dd790839331d1c33e1c95dae4dc -
Branch / Tag:
refs/heads/main - Owner: https://github.com/deeprave
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@f9f83e8ac9950dd790839331d1c33e1c95dae4dc -
Trigger Event:
workflow_dispatch
-
Statement type:
File details
Details for the file osvcheck-1.3.0-py3-none-any.whl.
File metadata
- Download URL: osvcheck-1.3.0-py3-none-any.whl
- Upload date:
- Size: 14.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
23fa8bc046c3d8ae22c9d968910b73ea14ad66f5ca62bf4f0fc1c5bbd92a0829
|
|
| MD5 |
de67cc98f72a086fb3de414431c6d8c1
|
|
| BLAKE2b-256 |
0f4b04b7a712e60982ffe84ced3d5c57444d4780f229f86bce639fcf0e1fcfff
|
Provenance
The following attestation bundles were made for osvcheck-1.3.0-py3-none-any.whl:
Publisher:
release.yml on deeprave/osvcheck
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
osvcheck-1.3.0-py3-none-any.whl -
Subject digest:
23fa8bc046c3d8ae22c9d968910b73ea14ad66f5ca62bf4f0fc1c5bbd92a0829 - Sigstore transparency entry: 1635723589
- Sigstore integration time:
-
Permalink:
deeprave/osvcheck@f9f83e8ac9950dd790839331d1c33e1c95dae4dc -
Branch / Tag:
refs/heads/main - Owner: https://github.com/deeprave
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@f9f83e8ac9950dd790839331d1c33e1c95dae4dc -
Trigger Event:
workflow_dispatch
-
Statement type: