Python dependency vulnerability scanner

Project description

🐍 Pyscan


A dependency vulnerability scanner for your Python projects, straight from the terminal.
  • 🚀 Blazingly fast scanner that can be used within large projects quickly.
  • 🤖 Automatically uses requirements.txt, pyproject.toml or the source code.
  • 🧑‍💻 Can be integrated into existing build processes.
  • 💽 In its alpha stage, some features may not work correctly. PRs and issue makers welcome.

🕊️ Install

> pip install pyscan-rs

Note the "-rs" suffix in the package name. Alternatively:

> cargo install pyscan

or check out the releases.

🐇 Usage

Go to your Python source directory (or wherever you keep your requirements.txt/pyproject.toml) and run:

> pyscan

or

> pyscan -d path/to/src

Docker

[WARNING: the docker subcommand currently does not work, in case you are installing pyscan solely for that purpose. It will be fixed and released in the next version. Thanks for the patience, people with actual jobs (I don't know anyone else who actually uses Docker).]

Pyscan can scan inside Docker images, given you provide the correct path inside the image. This is still in its early stage and may break easily.

> pyscan docker -n my-docker-image -p /path/inside/container/to/source

By "source" I mean requirements.txt, pyproject.toml or your Python files. Note: your Docker engine/daemon should be running, as pyscan utilizes the docker create command.

Here's the order of precedence for a "source" file:
  • requirements.txt
  • pyproject.toml
  • your python source code (.py) [highly discouraged]

If a dependency's version is not provided within the source file, Pyscan will look it up from pip. Even so, make sure you pin the versions in your requirements and use proper PEP 508 syntax.
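As an added example (not part of pyscan or this page's own code), the following Python checker parses a requirements.txt with a simplified subset of PEP 508 and reports which dependencies are not pinned to an exact version, i.e. the ones whose version a scanner would have to resolve from pip instead of the file. The regex, the helper names and the sample requirements are all constructed for this illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed regex for a subset of PEP 508 (name[extras] specifiers ; markers); URL requirements are rejected.
_REQ = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\[(?P<extras>[^\]]*)\])?"
    r"\s*(?P<spec>(?:===|[<>=!~]=?)\s*[^;,\s]+(?:\s*,\s*(?:===|[<>=!~]=?)\s*[^;,\s]+)*)?"
    r"\s*(?:;\s*(?P<marker>.*))?$"
)

def parse_requirement(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (normalized name, list of version specifiers) for one requirements.txt line.
    Blank lines, comments and pip options (-r, --index-url, ...) return None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = _REQ.match(line)
    if not m:
        raise ValueError(f"unsupported or invalid PEP 508 requirement: {line!r}")
    specs = [re.sub(r"\s+", "", s) for s in (m.group("spec") or "").split(",") if s.strip()]
    name = re.sub(r"[-_.]+", "-", m.group("name")).lower()  # PEP 503 name normalization
    return name, specs

def is_pinned(specifiers: List[str]) -> bool:
    """Only an exact pin (== or ===, without a trailing wildcard) names a single version to look up."""
    return any(s.startswith("==") and not s.endswith("*") for s in specifiers)

def unpinned(requirements_text: str) -> List[str]:
    """Names whose version a scanner cannot read from the file and would have to get from pip."""
    names = []
    for line in requirements_text.splitlines():
        parsed = parse_requirement(line)
        if parsed and not is_pinned(parsed[1]):
            names.append(parsed[0])
    return names

# Constructed sample file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# web stack
Django==4.2.3
requests[security]>=2.28,<3 ; python_version >= "3.8"
urllib3==1.26.*
flask
-r base.txt
"""
```

Running `unpinned(SAMPLE_REQUIREMENTS)` on the sample reports requests, urllib3 and flask, since a range, a wildcard and a bare name all leave the installed version undetermined.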

Building

Building pyscan requires a Rust version < v1.70, as it uses once_cell, which is unstable on previous releases. An overview of the codebase is coming soon for people who want to contribute. Appreciate all the help so far.

🦀 Note

pyscan uses OSV as its database for now. There are plans to add a few more.

pyscan does not guarantee that your code is safe from every vulnerability. Use all the resources available to you, such as Dependabot, pip-audit or trivy.

🐰 Todo

As of June 27, 2023:

  • Gather time to work on it (incredible task as a high schooler)
  • Multi-threading
  • Better display, search, filter of vulns
  • Plethora of output options (redirect the output with >> for now)
  • Architecture write-up

🐹 Sponsor

While not coding, I am a broke high school student with nothing else to do. I appreciate all the help I can get.

Download files

Download the file for your platform.

Source Distribution
  • pyscan_rs-0.1.5.tar.gz (613.5 kB)

Built Distributions
  • pyscan_rs-0.1.5-py3-none-win_amd64.whl (2.5 MB), Python 3, Windows x86-64
  • pyscan_rs-0.1.5-py3-none-win32.whl (2.3 MB), Python 3, Windows x86
  • pyscan_rs-0.1.5-py3-none-macosx_11_0_arm64.whl (2.8 MB), Python 3, macOS 11.0+ ARM64
  • pyscan_rs-0.1.5-py3-none-macosx_10_7_x86_64.whl (3.0 MB), Python 3, macOS 10.7+ x86-64
