CLI tool to check requirements.txt for vulnerabilities using NVD API
secure-req-check
A command‑line tool to scan Python requirements.txt files for known security vulnerabilities using the NVD (National Vulnerability Database) API.
Features
- Fast scanning of `requirements.txt` with exact version matching (`package==version`).
- Direct integration with NVD REST API – no local vulnerability database required.
- Flexible output formats: table, JSON, CSV.
- Severity filtering – show only LOW, MEDIUM, HIGH, or CRITICAL findings.
- Caching – reduces API calls and speeds up repeated scans.
- CI/CD ready – returns non‑zero exit code when vulnerabilities are found.
- Optional NVD API key support for higher rate limits.
Installation
From PyPI (recommended)
pip install secure-req-check
From source
git clone https://github.com/yourusername/secure-req-check.git
cd secure-req-check
pip install .
Quick Start
1. Navigate to a directory containing a `requirements.txt` file (or create one).
2. Run the scanner: `secure-req-check scan`
3. Review the table of discovered vulnerabilities.
Usage
Scan Command
secure-req-check scan [OPTIONS] [REQUIREMENTS_FILE]
| Option | Description |
|---|---|
| `-f, --file PATH` | Path to requirements.txt (default: ./requirements.txt) |
| `-o, --output [table\|json\|csv\|quiet]` | Output format (default: table) |
| `--output-file PATH` | Write report to a file instead of stdout |
| `--severity [LOW\|MEDIUM\|HIGH\|CRITICAL]` | Minimum severity level to display |
| `--ignore-cve TEXT` | Ignore a specific CVE (repeatable) |
| `--ignore-package TEXT` | Ignore a package entirely (repeatable) |
| `--no-cache` | Disable local cache – always query the NVD API |
| `--timeout INTEGER` | Request timeout in seconds (default: 30) |
| `--verbose` | Print detailed progress information |
Configuration Commands
secure-req-check config set-api-key YOUR_NVD_API_KEY # Store API key
secure-req-check config show # Display current settings
secure-req-check config clear-cache # Remove all cached responses
The API key can also be provided via the environment variable NVD_API_KEY.
Obtaining an NVD API Key
Public API requests are limited to 5 calls per 30 seconds.
To increase this limit to 50 calls per 30 seconds, request a free API key at:
https://nvd.nist.gov/developers/request-an-api-key
Example Output
Table Format (default)
$ secure-req-check scan -f requirements.txt
+-----------+---------+----------------+------------+---------------------------------------------+
| Package | Version | CVE ID | Severity | Description |
+===========+=========+================+============+=============================================+
| django | 3.2.12 | CVE-2022-28346 | CRITICAL | SQL injection vulnerability in QuerySet... |
| pillow | 8.4.0 | CVE-2022-22817 | HIGH | Buffer overflow in path handling... |
+-----------+---------+----------------+------------+---------------------------------------------+
⚠️ Found 2 vulnerabilities (CRITICAL: 1, HIGH: 1)
💡 Consider upgrading affected packages.
JSON Output
secure-req-check scan -o json --output-file report.json
Quiet Mode for CI
secure-req-check scan --severity HIGH --output quiet
# Returns exit code 1 if any HIGH or CRITICAL vulnerabilities are present.
Caching
By default, API responses are cached in ~/.cache/secure-req-check/ for 24 hours.
Use --no-cache to force a fresh lookup, or secure-req-check config clear-cache to remove all cached data.
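The two mechanisms described under "Obtaining an NVD API Key" and "Caching" fit together as a cache in front of a rate-limited client. The following is an added example and not secure-req-check's own code: a 24-hour on-disk JSON cache keyed by CPE, a sliding-window limiter sized at 5 calls per 30 seconds without a key and 50 with one, and an NVD client whose HTTP call is an injected `fetch` callable so the demo runs offline against a constructed NVD-2.0-shaped response. The endpoint URL, the `cpeName` parameter and the `apiKey` header are real NVD API details; `FakeClock`, `fake_fetch` and `demo` are scaffolding invented here.

```python
"""Added example (not secure-req-check's own code): 24h cache + rate-limited NVD lookup."""
from __future__ import annotations
import collections, hashlib, json, tempfile, time
from pathlib import Path
from typing import Callable

NVD_CVES_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
CACHE_TTL_SECONDS = 24 * 60 * 60   # the page's 24-hour cache lifetime
WINDOW_SECONDS = 30                # NVD counts calls per 30-second window


class RateLimiter:
    """Sliding window: at most max_calls per window seconds; clock/sleeper are injectable."""

    def __init__(self, max_calls, window=WINDOW_SECONDS, clock=time.monotonic, sleeper=time.sleep):
        self.max_calls, self.window, self.clock, self.sleeper = max_calls, window, clock, sleeper
        self.calls = collections.deque()
        self.total_wait = 0.0

    def acquire(self) -> None:
        while True:
            now = self.clock()
            while self.calls and now - self.calls[0] >= self.window:
                self.calls.popleft()            # drop calls that left the window
            if len(self.calls) < self.max_calls:
                self.calls.append(now)
                return
            wait = self.window - (now - self.calls[0])  # until the oldest call expires
            self.sleeper(wait)
            self.total_wait += wait


def summarize(item: dict) -> dict:
    """Reduce one NVD 2.0 'vulnerabilities' entry to id, severity and English description."""
    cve = item["cve"]
    severity = "N/A"
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        metrics = cve.get("metrics", {}).get(key)
        if metrics:
            m = metrics[0]  # v3 carries baseSeverity in cvssData, v2 at the metric level
            severity = m.get("cvssData", {}).get("baseSeverity") or m.get("baseSeverity", "N/A")
            break
    desc = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
    return {"id": cve["id"], "severity": severity, "description": desc}


class NvdClient:
    def __init__(self, fetch: Callable[[str, dict, dict], dict], api_key=None, cache_dir=None,
                 use_cache=True, clock=time.time, limiter=None):
        self.fetch, self.api_key, self.use_cache, self.clock = fetch, api_key, use_cache, clock
        self.cache_dir = Path(cache_dir) if cache_dir else Path.home() / ".cache" / "secure-req-check"
        self.limiter = limiter or RateLimiter(50 if api_key else 5)  # page's two limits
        self.api_calls = 0

    def _cache_path(self, cpe: str) -> Path:
        return self.cache_dir / (hashlib.sha256(cpe.encode()).hexdigest() + ".json")

    def cves_for_cpe(self, cpe: str) -> list[dict]:
        path = self._cache_path(cpe)
        if self.use_cache and path.exists():
            entry = json.loads(path.read_text())
            if self.clock() - entry["fetched_at"] < CACHE_TTL_SECONDS:
                return entry["cves"]        # fresh cache hit: no API call, no rate-limit slot
        self.limiter.acquire()
        headers = {"apiKey": self.api_key} if self.api_key else {}
        body = self.fetch(NVD_CVES_URL, {"cpeName": cpe}, headers)
        self.api_calls += 1
        cves = [summarize(v) for v in body.get("vulnerabilities", [])]
        if self.use_cache:
            self.cache_dir.mkdir(parents=True, exist_ok=True)
            path.write_text(json.dumps({"fetched_at": self.clock(), "cves": cves}))
        return cves


# Offline demo scaffolding: constructed response shaped like the NVD 2.0 API.
DJANGO_CPE = "cpe:2.3:a:djangoproject:django:3.2.12:*:*:*:*:*:*:*"
FAKE_RESPONSES = {DJANGO_CPE: {"vulnerabilities": [{"cve": {
    "id": "CVE-2022-28346",
    "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in QuerySet..."}],
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseSeverity": "CRITICAL"}}]}}}]}}


def fake_fetch(url: str, params: dict, headers: dict) -> dict:
    return FAKE_RESPONSES.get(params["cpeName"], {"vulnerabilities": []})


class FakeClock:
    """Virtual time so the demo never really sleeps."""
    def __init__(self): self.t = 0.0
    def now(self): return self.t
    def sleep(self, s): self.t += s


def demo(api_key=None) -> dict:
    clock = FakeClock()
    with tempfile.TemporaryDirectory() as d:
        limiter = RateLimiter(50 if api_key else 5, clock=clock.now, sleeper=clock.sleep)
        client = NvdClient(fake_fetch, api_key, cache_dir=d, clock=clock.now, limiter=limiter)
        first = client.cves_for_cpe(DJANGO_CPE)
        client.cves_for_cpe(DJANGO_CPE)             # served from cache
        clock.t += CACHE_TTL_SECONDS + 1            # cache entry expires
        client.cves_for_cpe(DJANGO_CPE)             # re-fetched
        for i in range(6):                          # six more distinct CPEs in one window
            client.cves_for_cpe(f"cpe:2.3:a:example:pkg{i}:1.0:*:*:*:*:*:*:*")
        return {"first": first, "api_calls": client.api_calls, "seconds_waited": limiter.total_wait}


if __name__ == "__main__":
    print(demo())                            # without a key: 8 API calls, 30 s of waiting
    print(demo(api_key="YOUR_NVD_API_KEY"))  # with a key: same calls, no waiting
```

Running `demo()` shows the two effects the README describes: the second lookup of the same CPE never touches the API, and once the 5-call window is full the limiter waits out the remainder of the 30-second window, whereas the keyed client never waits for this many calls.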
CI/CD Integration
The tool exits with code 1 when at least one vulnerability is found. This behaviour makes it easy to block pipelines:
# GitLab CI example
security_scan:
  script:
    - pip install secure-req-check
    - secure-req-check scan --severity HIGH --output quiet
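How the `--severity`, `--ignore-cve` and `--ignore-package` options from the table above combine with the exit code that blocks a pipeline, as an added example that is not secure-req-check's own code. The findings list is constructed from the two rows in the example output plus one LOW finding with a placeholder CVE id; `filter_findings`, `exit_code`, `summary` and `run` are names chosen here, not the tool's internals.

```python
"""Added example (not secure-req-check's own code): severity gate, ignore lists, CI exit code."""
from __future__ import annotations
import sys
from collections import Counter
from typing import Iterable

SEVERITY_ORDER = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed findings: the two rows from the page's example table plus a LOW one
# with a placeholder CVE id (not a real identifier).
SAMPLE_FINDINGS = [
    {"package": "django", "version": "3.2.12", "cve": "CVE-2022-28346", "severity": "CRITICAL"},
    {"package": "pillow", "version": "8.4.0", "cve": "CVE-2022-22817", "severity": "HIGH"},
    {"package": "examplepkg", "version": "1.0.0", "cve": "CVE-0000-PLACEHOLDER", "severity": "LOW"},
]


def filter_findings(findings: Iterable[dict], min_severity: str | None = None,
                    ignore_cves: Iterable[str] = (), ignore_packages: Iterable[str] = ()) -> list[dict]:
    """Drop ignored CVEs/packages, then keep findings at or above min_severity."""
    if min_severity is not None and min_severity.upper() not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity: {min_severity}")
    threshold = SEVERITY_ORDER[min_severity.upper()] if min_severity else -1
    skip_cves = {c.upper() for c in ignore_cves}
    skip_pkgs = {p.lower() for p in ignore_packages}
    kept = []
    for f in findings:
        if f["cve"].upper() in skip_cves or f["package"].lower() in skip_pkgs:
            continue
        # Unknown severities rank below LOW and only survive when no threshold is set.
        if SEVERITY_ORDER.get(f["severity"].upper(), -1) < threshold:
            continue
        kept.append(f)
    return kept


def exit_code(findings: list[dict]) -> int:
    """1 when anything remains after filtering, else 0: this is what blocks a pipeline."""
    return 1 if findings else 0


def summary(findings: list[dict]) -> str:
    """Per-severity counts in descending order, like the footer line in the example output."""
    counts = Counter(f["severity"].upper() for f in findings)
    if not counts:
        return "No vulnerabilities found"
    order = sorted(counts, key=lambda s: SEVERITY_ORDER.get(s, -1), reverse=True)
    parts = ", ".join(f"{s}: {counts[s]}" for s in order)
    n = sum(counts.values())
    return f"Found {n} {'vulnerability' if n == 1 else 'vulnerabilities'} ({parts})"


def run(findings, min_severity=None, ignore_cves=(), ignore_packages=(), quiet=False) -> int:
    """Mirror `scan --severity X --output quiet`: quiet mode prints nothing, only the exit code matters."""
    kept = filter_findings(findings, min_severity, ignore_cves, ignore_packages)
    if not quiet:
        for f in kept:
            print(f"{f['package']}=={f['version']}  {f['cve']}  {f['severity']}")
        print(summary(kept))
    return exit_code(kept)


if __name__ == "__main__":
    # Same gate as the CI job above: HIGH and CRITICAL fail the build, LOW does not.
    sys.exit(run(SAMPLE_FINDINGS, min_severity="HIGH", quiet=True))
```

Note that ignore lists are applied before the severity gate, so a deliberately accepted CVE never contributes to the exit code regardless of its severity, and that both the CVE id and the package name are compared case-insensitively.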
Limitations
- Currently supports only `package==version` syntax. Ranges (e.g., `>=`) are partially supported – the tool extracts a minimum version.
- Vendor mapping for CPE generation is based on a small built‑in list. If a package cannot be matched, you may see `N/A` in the output.
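The two limitations above come from the same step: turning a requirements line into the CPE name the NVD query needs. The following is an added example, not secure-req-check's own parser: it pins on `==`, falls back to the lower bound of a `>=` or `~=` range, and builds a CPE 2.3 string from a vendor map. `VENDOR_MAP` is a constructed stand-in for the tool's built-in list, and `parse_requirement`, `to_cpe` and `scan_requirements` are names chosen here; unmapped or unpinned packages come out as `N/A`, as the page says.

```python
"""Added example (not secure-req-check's own code): requirements parsing and CPE generation."""
from __future__ import annotations
import re

# Constructed vendor map (hypothetical; the tool's real built-in list is not on the page).
VENDOR_MAP = {"django": "djangoproject", "pillow": "python", "requests": "python"}

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(.*)$")
_SPEC_RE = re.compile(r"(==|>=|~=|<=|!=|>|<)\s*([0-9][0-9A-Za-z.*+!-]*)")


def parse_requirement(line: str) -> tuple[str, str | None] | None:
    """Return (normalized name, version) or None for blank, comment, option and URL lines."""
    line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments and env markers
    if not line or line.startswith(("-", "git+", "http")):  # -r/-e options and URLs: unsupported
        return None
    m = _REQ_RE.match(line)
    if not m:
        return None
    name = m.group(1).lower().replace("_", "-")           # PEP 503-style normalization
    specs = {op: ver for op, ver in _SPEC_RE.findall(m.group(2))}
    # Exact pin wins; otherwise the lower bound of a range is the only version we can name.
    version = specs.get("==") or specs.get(">=") or specs.get("~=")
    if version:
        version = version.rstrip("*").rstrip(".")          # "1.2.*" -> "1.2"
    return name, version or None


def to_cpe(name: str, version: str | None) -> str:
    """CPE 2.3 formatted string for an application, or "N/A" when vendor or version is unknown."""
    vendor = VENDOR_MAP.get(name)
    if vendor is None or version is None:
        return "N/A"
    return f"cpe:2.3:a:{vendor}:{name}:{version}:*:*:*:*:*:*:*"


def scan_requirements(text: str) -> list[dict]:
    """Map every supported line to the package, resolved version and CPE an NVD query would use."""
    results = []
    for raw in text.splitlines():
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, version = parsed
        results.append({"package": name, "version": version, "cpe": to_cpe(name, version)})
    return results


# Constructed sample input covering each case the Limitations section mentions.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
django==3.2.12
pillow>=8.4.0,<9
requests[security]==2.25.0 ; python_version >= "3.6"
somepkg~=1.4
unpinned-lib
-r other-requirements.txt
"""

if __name__ == "__main__":
    for row in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{row['package']:<14}{str(row['version']):<10}{row['cpe']}")
```

The `pillow>=8.4.0,<9` line illustrates the caveat: the scan queries NVD for 8.4.0 even though pip may install a later 8.x, so a range-pinned package can be reported as vulnerable when the resolved version is already fixed. Pin exact versions for an accurate result.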
Development
git clone https://github.com/yourusername/secure-req-check.git
cd secure-req-check
python -m venv venv
source venv/bin/activate
pip install -e .[dev]
pytest
License
This project is licensed under the MIT License – see the LICENSE file for details.
Disclaimer
This tool relies on the accuracy and completeness of the NVD database. It does not guarantee detection of all vulnerabilities and should be used as part of a comprehensive security strategy.
File details
Details for the file secure_req_check-0.1.0.tar.gz.
File metadata
- Download URL: secure_req_check-0.1.0.tar.gz
- Upload date:
- Size: 14.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0fa9f63148baecfffd083e7830f727b15729eaae8e8e8950960278309d21c02c |
| MD5 | 9979814c1ff2655c21c50e18e3866af7 |
| BLAKE2b-256 | 677ab55fe7703bdafef8eed6906c28ffc16a73e48c9c796b954b2ebcb3d7fdf8 |
File details
Details for the file secure_req_check-0.1.0-py3-none-any.whl.
File metadata
- Download URL: secure_req_check-0.1.0-py3-none-any.whl
- Upload date:
- Size: 14.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0522199a0e231193a46b262890a8e377be3ae2c86b99ec124997e9a53285e0c1 |
| MD5 | 558200495523bdb6f2bded43971f44df |
| BLAKE2b-256 | 7f30bb8723fa46664c91c346a52cd6d4f9fafcead839afdba79a0f12bc18c19d |