Safety checks your installed dependencies for known security vulnerabilities

Overview

safety

PyPi Travis Updates

Safety checks your installed dependencies for known security vulnerabilities.

By default it uses the open Python vulnerability database Safety DB, but can be upgraded to use pyup.io's Safety API using the --key option.

Installation

Install safety with pip. Keep in mind that we support only Python 3.5 and up. Look at Python 2.7 section at the end of this document.

pip install safety

Usage

To check your currently selected virtual environment for dependencies with known security vulnerabilites, run:

safety check

You should get a report similar to this:

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
+==============================================================================+
| No known security vulnerabilities found.                                     |
+==============================================================================+

Now, let's install something insecure:

pip install insecure-package

Yeah, you can really install that.

Run safety check again:

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
+==========================+===============+===================+===============+
| package                  | installed     | affected          | source        |
+==========================+===============+===================+===============+
| insecure-package         | 0.1.0         | <0.2.0            | changelog     |
+==========================+===============+===================+===============+

Examples

Read requirement files

Just like pip, Safety is able to read local requirement files:

safety check -r requirements.txt

Read from stdin

Safety is also able to read from stdin with the --stdin flag set.

To check a local requirements file, run:

cat requirements.txt | safety check --stdin

or the output of pip freeze:

pip freeze | safety check --stdin

or to check a single package:

echo "insecure-package==0.1" | safety check --stdin

For more examples, take a look at the options section.

Scan a Python-based Docker image

To scan a docker image IMAGE_TAG, you can run

docker run -it --rm ${IMAGE_TAG} "/bin/bash -c \"pip install safety && safety check\"

Using Safety in Docker

Safety can be easily executed as Docker container. It can be used just as described in the examples section.

echo "insecure-package==0.1" | docker run -i --rm pyupio/safety safety check --stdin
cat requirements.txt | docker run -i --rm pyupio/safety safety check --stdin

Using the Safety binaries

The Safety binaries provide some extra security.

After installation, they can be used just like the regular command line version of Safety.

Using Safety with a CI service

Safety works great in your CI pipeline. It returns a non-zero exit status if it finds a vulnerability.

Run it before or after your tests. If Safety finds something, your tests will fail.

Travis

install:
  - pip install safety

script:
  - safety check

Gitlab CI

safety:
  script:
    - pip install safety
    - safety check

Tox

[tox]
envlist = py37

[testenv]
deps =
    safety
    pytest
commands =
    safety check
    pytest

Deep GitHub Integration

If you are looking for a deep integration with your GitHub repositories: Safety is available as a part of pyup.io, called Safety CI. Safety CI checks your commits and pull requests for dependencies with known security vulnerabilities and displays a status on GitHub.

Safety CI

Using Safety in production

Safety is free and open source (MIT Licensed). The underlying open vulnerability database is updated once per month.

To get access to all vulnerabilites as soon as they are added, you need a Safety API key that comes with a paid pyup.io account, starting at $99.

Options

--key

API Key for pyup.io's vulnerability database. Can be set as SAFETY_API_KEY environment variable.

Example

safety check --key=12345-ABCDEFGH

--db

Path to a directory with a local vulnerability database including insecure.json and insecure_full.json

Example

safety check --db=/home/safety-db/data

--proxy-host

Proxy host IP or DNS

--proxy-port

Proxy port number

--proxy-protocol

Proxy protocol (https or http)


--json

Output vulnerabilities in JSON format.

Example

safety check --json
[
    [
        "django",
        "<1.2.2",
        "1.2",
        "Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via a csrfmiddlewaretoken (aka csrf_token) cookie.",
        "25701"
    ]
]

--full-report

Full reports includes a security advisory. It also shows CVSS values for CVEs (requires a premium PyUp subscription).

Example

safety check --full-report
+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| CVSS v2 | BASE SCORE: 6.5 | IMPACT SCORE: 6.4                                |
+============================+===========+==========================+==========+
| django                     | 1.2       | <1.2.2                   | 25701    |
+==============================================================================+
| Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows |
|  remote attackers to inject arbitrary web script or HTML via a csrfmiddlewar |
| etoken (aka csrf_token) cookie.                                              |
+==============================================================================+

--bare

Output vulnerable packages only. Useful in combination with other tools.

Example

safety check --bare
cryptography django

--cache

Cache requests to the vulnerability database locally for 2 hours.

Example

safety check --cache

--stdin

Read input from stdin.

Example

cat requirements.txt | safety check --stdin
pip freeze | safety check --stdin
echo "insecure-package==0.1" | safety check --stdin

--file, -r

Read input from one (or multiple) requirement files.

Example

safety check -r requirements.txt
safety check --file=requirements.txt
safety check -r req_dev.txt -r req_prod.txt

--ignore, -i

Ignore one (or multiple) vulnerabilities by ID

Example

safety check -i 1234
safety check --ignore=1234
safety check -i 1234 -i 4567 -i 89101

--output, -o

Save the report to a file

Example

safety check -o insecure_report.txt
safety check --output --json insecure_report.json

Review

If you save the report in JSON format you can review in the report format again.

Options

--file, -f (REQUIRED)

Read an insecure report.

Example

safety review -f insecure.json
safety review --file=insecure.json

--full-report

Full reports include a security advisory (if available).

Example

safety review -r insecure.json --full-report
+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| django                     | 1.2       | <1.2.2                   | 25701    |
+==============================================================================+
| Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows |
|  remote attackers to inject arbitrary web script or HTML via a csrfmiddlewar |
| etoken (aka csrf_token) cookie.                                              |
+==============================================================================+

--bare

Output vulnerable packages only.

Example

safety review --file report.json --bare
django

License

Display packages licenses information (requires a premium PyUp subscription).

Options

--key (REQUIRED)

API Key for pyup.io's licenses database. Can be set as SAFETY_API_KEY environment variable.

Example

safety license --key=12345-ABCDEFGH

Shows the license of each package in the current environment

+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| Packages licenses                                                            |
+=============================================+===========+====================+
| package                                     |  version  | license            |
+=============================================+===========+====================+
| requests                                    | 2.25.0    | Apache-2.0         |
|------------------------------------------------------------------------------|
| click                                       | 7.1.2     | BSD-3-Clause       |
|------------------------------------------------------------------------------|
| safety                                      | 1.10.0    | MIT                |
+==============================================================================+

--db

Path to a directory with a local licenses database licenses.json

Example

safety license --key=12345-ABCDEFGH --db=/home/safety-db/data

--no-cache

Since PyUp.io licenses DB is updated once a week, the licenses database is cached locally for 7 days. You can use --no-cache to download it once again.

Example

safety license --key=12345-ABCDEFGH --no-cache

--file, -r

Read input from one (or multiple) requirement files.

Example

safety license --key=12345-ABCDEFGH -r requirements.txt
safety license --key=12345-ABCDEFGH --file=requirements.txt
safety license --key=12345-ABCDEFGH -r req_dev.txt -r req_prod.txt

--proxy-host, -ph

Proxy host IP or DNS

--proxy-port, -pp

Proxy port number

--proxy-protocol, -pr

Proxy protocol (https or http)

Example

safety license --key=12345-ABCDEFGH -ph 127.0.0.1 -pp 8080 -pr https

Python 2.7

This tool requires latest Python patch versions starting with version 3.5. We did support Python 2.7 in the past but, as for other Python 3.x minor versions, it reached its End-Of-Life and as such we are not able to support it anymore.

We understand you might still have Python 2.7 projects running. At the same time, Safety itself has a commitment to encourage developers to keep their software up-to-date, and it would not make sense for us to work with officially unsupported Python versions, or even those that reached their end of life.

If you still need to run Safety from a Python 2.7 environment, please use version 1.8.7 available at PyPi. Alternatively, you can run Safety from a Python 3 environment to check the requirements file for your Python 2.7 project.

Issues
  • UnicodeEncodeError: 'charmap' codec can't encode characters in position 0-79: character maps to <undefined>

    UnicodeEncodeError: 'charmap' codec can't encode characters in position 0-79: character maps to

    • safety version: 1.7.0
    • Python version: Python 3.6.1
    • Operating System: Windows-10-10.0.16299-SP0, AMD64

    Description

    • Trying to use safety check
    • Same error always results: UnicodeEncodeError: 'charmap' codec can't encode characters in position 0-79: character maps to <undefined>

    What I Did

    safety check -r simple-requirements.txt
    

    Contents of simple-requirements.txt

    safety
    
    • There are absolutely no unicode characters in this file

    Traceback

    $ safety check -r simple-requirements.txt
    Warning: unpinned requirement 'safety' found in simple-requirements.txt, unable to check.
    Traceback (most recent call last):
      File "c:\users\nicholas\appdata\local\programs\python\python36\Lib\runpy.py", line 193, in _run_module_as_main
        "__main__", mod_spec)
      File "c:\users\nicholas\appdata\local\programs\python\python36\Lib\runpy.py", line 85, in _run_code
        exec(code, run_globals)
      File "C:\Users\nicholas\.virtualenvs\pybotics-d30fj9Hx\Scripts\safety.exe\__main__.py", line 9, in <module>
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 722, in __call__
        return self.main(*args, **kwargs)
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 697, in main
        rv = self.invoke(ctx)
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 1066, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 895, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\core.py", line 535, in invoke
        return callback(*args, **kwargs)
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\safety\cli.py", line 66, in check
        key=key
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\termui.py", line 420, in secho
        return echo(style(text, **styles), file=file, nl=nl, err=err, color=color)
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\site-packages\click\utils.py", line 259, in echo
        file.write(message)
      File "c:\users\nicholas\.virtualenvs\pybotics-d30fj9hx\lib\encodings\cp1252.py", line 19, in encode
        return codecs.charmap_encode(input,self.errors,encoding_table)[0]
    UnicodeEncodeError: 'charmap' codec can't encode characters in position 0-79: character maps to <undefined>
    

    Similar Issues

    • https://github.com/pyupio/safety/issues/22
    bug 
    opened by nnadeau 14
  • Support for URLs in input requirements.txt files

    Support for URLs in input requirements.txt files

    Hi,

    This is a feature request.

    Lets start by stating that, following the spec, URLs to tarballs are part of the requirements file format https://pip.readthedocs.io/en/1.1/requirements.html#requirements-file-format

    Now, the pkg_resources.parse_requirements function used by safety does not support them: https://github.com/pypa/setuptools/blob/master/pkg_resources/init.py#L2850 It raises a RequirementParseError: Invalid requirement, parse error.

    I had a look at how they handle this in pip, and it's ugly: https://github.com/pypa/pip/blob/master/pip/req/req_set.py#L690

    pip-tools does not support them. It actually crashes in a bad way if you try so: https://github.com/nvie/pip-tools/issues/416

    By the way, URLs to tarball specified as editable requirements (with -e) work fine: curiously pkg_resources.parse_requirements handle them perfectly well.

    What do you think ? Should safety handle them ?

    opened by Lucas-C 14
  • Issue with GitHub integration

    Issue with GitHub integration

    • safety version: GitHub integration
    • Python version: 2.7.x
    • Operating System:

    Description

    We have an status integrated for varryfying each PR going into the master branch.

    I now encounter that this status is Pending for over 12 hours.

    Is there currently a server issue or am I doing something wrong with the integration?

    bug 
    opened by chgad 13
  • False positive for numpy

    False positive for numpy

    • safety version: 1.10.3
    • Python version: 3.8.12
    • Operating System: Ubuntu 20.04.3 LTS

    Description

    Ran safety against the latest update and got a report of a failure on numpy, despite being on 1.22.1.

    In the free safety DB, the values for numpy are expressed as:

    "numpy": [
            "<1.13.2",
            "<1.16.3",
            "<1.21.0",
            "<1.22.0",
            "<1.8.1",
            ">0"
        ],
    

    I'm not sure why >0 was added in the February release, but it seems to be causing this problem

    What I Did

    2022-02-01T15:10:46.7671452Z +==============================================================================+
    2022-02-01T15:10:46.7677519Z |                                                                              |
    2022-02-01T15:10:46.7726508Z |                               /$$$$$$            /$$                         |
    2022-02-01T15:10:46.7726760Z |                              /$$__  $$          | $$                         |
    2022-02-01T15:10:46.7727062Z |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
    2022-02-01T15:10:46.7727279Z |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
    2022-02-01T15:10:46.7727504Z |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
    2022-02-01T15:10:46.7727745Z |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
    2022-02-01T15:10:46.7727979Z |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
    2022-02-01T15:10:46.7728200Z |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
    2022-02-01T15:10:46.7728430Z |                                                          /$$  | $$           |
    2022-02-01T15:10:46.7728651Z |                                                         |  $$$$$$/           |
    2022-02-01T15:10:46.7728876Z |  by pyup.io                                              \______/            |
    2022-02-01T15:10:46.7729111Z |                                                                              |
    2022-02-01T15:10:46.7729338Z +==============================================================================+
    2022-02-01T15:10:46.7729569Z | REPORT                                                                       |
    2022-02-01T15:10:46.7729828Z | checked 147 packages, using free DB (updated once a month)                   |
    2022-02-01T15:10:46.7730086Z +============================+===========+==========================+==========+
    2022-02-01T15:10:46.7730332Z | package                    | installed | affected                 | ID       |
    2022-02-01T15:10:46.7730578Z +============================+===========+==========================+==========+
    2022-02-01T15:10:46.7730786Z | numpy                      | 1.22.1    | >0                       | 44715    |
    2022-02-01T15:10:46.7731010Z +==============================================================================+
    
    opened by nbhargava 11
  • Fix get_terminal_size on Python 2.7 for Windows

    Fix get_terminal_size on Python 2.7 for Windows

    The code was correctly trapping FileNotFoundError for the case where stty is not available on Windows. However, on Python 2.7, the exception raised by subprocess.check_output() is WindowsError, a subclass of OSError.

    Fixes #65.

    opened by AndreLouisCaron 8
  • pre-commit hook

    pre-commit hook

    Hi,

    This is just to let you know that I developped a pre-commit hook based on your lib: https://github.com/Lucas-C/pre-commit-hooks-safety

    It is not yet fully functional : a small limitation in pre-commit is a blocker, but I intend to fix it in this issue: https://github.com/pre-commit/pre-commit/issues/426

    opened by Lucas-C 8
  • Packaging improvements

    Packaging improvements

    • Use 'io' package as a more reliable way of opening files on Windows in Python 2.7
    • Add python_requires, which helps pip determine if the package is compatible with the version of Python.
    • Change development status to "Production/Stable" in PyPI classifiers
    • Cleanup and formatting of setup.py
    opened by GhostofGoes 7
  • Dockerise safety

    Dockerise safety

    Description

    Dockerise the safety command/tool to make it easier to be used in local development and within CI/CD pipelines.

    What I Did

    Here's a copy of my Dockerfile that I used to do this locally, it may be valuable to others (or if someone wants to PR it back into master):

    FROM ubuntu:18.04
    
    ENV LC_ALL=C.UTF-8
    ENV LANG=C.UTF-8
    
    RUN apt-get -qy update && \
        apt-get -qy install python3-pip python-dev build-essential && \
        pip3 install safety && \
        apt-get -qy clean && \
        rm -rf /var/lib/apt/lists/* && \
        rm -rf /tmp/*
    
    ENTRYPOINT ["/usr/local/bin/safety"]
    

    Then you can simply run a command as per the README.md, like so:

    echo "insecure-package==0.1" | docker run --rm docker-pyup-safety check --stdin

    opened by o6uoq 7
  • pip 10 api breakage

    pip 10 api breakage

    Quoting distutils-sig:

    We're in the process of starting to plan for a release of pip (the long-awaited pip 10). We're likely still a month or two away from a release, but now is the time for people to start ensuring that everything works for them. One key change in the new version will be that all of the internal APIs of pip will no longer be available, so any code that currently calls functions in the "pip" namespace will break. Calling pip's internal APIs has never been supported, and always carried a risk of such breakage, so projects doing so should, in theory, be prepared for such things. However, reality is not always that simple, and we are aware that people will need time to deal with the implications.

    Just in case it's not clear, simply finding where the internal APIs have moved to and calling them under the new names is not what people should do. We can't stop people calling the internal APIs, obviously, but the idea of this change is to give people the incentive to find a supported approach, not just to annoy people who are doing things we don't want them to ;-)

    So please - if you're calling pip's internals in your code, take the opportunity now to check out the in-development version of pip, and ensure your project will still work when pip 10 is released.

    And many thanks to anyone else who helps by testing out the new version, as well :-)

    Thanks, Paul


    Safety uses pip.get_installed_distributions which has moved to https://github.com/pypa/pip/blob/master/src/pip/_internal/utils/misc.py#L333

    opened by jayfk 7
  • TypeError when executing with --full-report

    TypeError when executing with --full-report

    • safety version:1.8.2
    • Python version: 3.6.5
    • Operating System: linux (ubuntu)

    Description

    Whenever safety is run with --full-report and tries to report an issue it will abort with TypeError: unsupported format string passed to bytes.__format__

    What I Did

    $ virtualenv -p /usr/bin/python3.6 test1
    Running virtualenv with interpreter /usr/bin/python3.6
    Using base prefix '/usr'
    New python executable in /home/someuser/repos/mercury/test1/bin/python3.6
    Also creating executable in /home/someuser/repos/mercury/test1/bin/python
    Installing setuptools, pip, wheel...done.
    $ source test1/bin/activate
    (test1) $  pip install safety pyyaml
    Collecting safety
      Using cached https://files.pythonhosted.org/packages/20/58/701d0b61562a63b7f0008bcfd673617b277ddaa2cde217a398f82c146cd4/safety-1.8.2-py2.py3-none-any.whl
    Collecting pyyaml
      Downloading https://files.pythonhosted.org/packages/9e/a3/1d13970c3f36777c583f136c136f804d70f500168edc1edea6daa7200769/PyYAML-3.13.tar.gz (270kB)
        100% |████████████████████████████████| 276kB 7.3MB/s
    Collecting dparse>=0.4.1 (from safety)
    Collecting packaging (from safety)
      Using cached https://files.pythonhosted.org/packages/ad/c2/b500ea05d5f9f361a562f089fc91f77ed3b4783e13a08a3daf82069b1224/packaging-17.1-py2.py3-none-any.whl
    Collecting requests (from safety)
      Downloading https://files.pythonhosted.org/packages/65/47/7e02164a2a3db50ed6d8a6ab1d6d60b69c4c3fdf57a284257925dfc12bda/requests-2.19.1-py2.py3-none-any.whl (91kB)
        100% |████████████████████████████████| 92kB 7.6MB/s
    Collecting Click>=6.0 (from safety)
      Using cached https://files.pythonhosted.org/packages/34/c1/8806f99713ddb993c5366c362b2f908f18269f8d792aff1abfd700775a77/click-6.7-py2.py3-none-any.whl
    Requirement already satisfied: pip in ./test1/lib/python3.6/site-packages (from safety) (10.0.1)
    Collecting six (from dparse>=0.4.1->safety)
      Using cached https://files.pythonhosted.org/packages/67/4b/141a581104b1f6397bfa78ac9d43d8ad29a7ca43ea90a2d863fe3056e86a/six-1.11.0-py2.py3-none-any.whl
    Collecting pyparsing>=2.0.2 (from packaging->safety)
      Using cached https://files.pythonhosted.org/packages/6a/8a/718fd7d3458f9fab8e67186b00abdd345b639976bc7fb3ae722e1b026a50/pyparsing-2.2.0-py2.py3-none-any.whl
    Collecting certifi>=2017.4.17 (from requests->safety)
      Using cached https://files.pythonhosted.org/packages/7c/e6/92ad559b7192d846975fc916b65f667c7b8c3a32bea7372340bfe9a15fa5/certifi-2018.4.16-py2.py3-none-any.whl
    Collecting idna<2.8,>=2.5 (from requests->safety)
      Downloading https://files.pythonhosted.org/packages/4b/2a/0276479a4b3caeb8a8c1af2f8e4355746a97fab05a372e4a2c6a6b876165/idna-2.7-py2.py3-none-any.whl (58kB)
        100% |████████████████████████████████| 61kB 9.1MB/s
    Collecting urllib3<1.24,>=1.21.1 (from requests->safety)
      Downloading https://files.pythonhosted.org/packages/bd/c9/6fdd990019071a4a32a5e7cb78a1d92c53851ef4f56f62a3486e6a7d8ffb/urllib3-1.23-py2.py3-none-any.whl (133kB)
        100% |████████████████████████████████| 143kB 7.9MB/s
    Collecting chardet<3.1.0,>=3.0.2 (from requests->safety)
      Using cached https://files.pythonhosted.org/packages/bc/a9/01ffebfb562e4274b6487b4bb1ddec7ca55ec7510b22e4c51f14098443b8/chardet-3.0.4-py2.py3-none-any.whl
    Building wheels for collected packages: pyyaml
      Running setup.py bdist_wheel for pyyaml ... done
      Stored in directory: /home/someuser/.cache/pip/wheels/ad/da/0c/74eb680767247273e2cf2723482cb9c924fe70af57c334513f
    Successfully built pyyaml
    Installing collected packages: pyyaml, pyparsing, six, packaging, dparse, certifi, idna, urllib3, chardet, requests, Click, safety
    Successfully installed Click-6.7 certifi-2018.4.16 chardet-3.0.4 dparse-0.4.1 idna-2.7 packaging-17.1 pyparsing-2.2.0 pyyaml-3.13 requests-2.19.1 safety-1.8.2 six-1.11.0 urllib3-1.23
    $ safety check --key="my-paid-key"
    ╒══════════════════════════════════════════════════════════════════════════════╕
    │                                                                              │
    │                               /$$$$$$            /$$                         │
    │                              /$$__  $$          | $$                         │
    │           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           │
    │          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           │
    │         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           │
    │          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           │
    │          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           │
    │         |_______/  \_______/|__/     \_______/   \___/   \____  $$           │
    │                                                          /$$  | $$           │
    │                                                         |  $$$$$$/           │
    │  by pyup.io                                              \______/            │
    │                                                                              │
    ╞══════════════════════════════════════════════════════════════════════════════╡
    │ REPORT                                                                       │
    │ checked 15 packages, using pyup.io's DB                                      │
    ╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
    │ package                    │ installed │ affected                 │ ID       │
    ╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
    │ pyyaml                     │ 3.13      │ <4                       │ 36333    │
    ╘══════════════════════════════════════════════════════════════════════════════╛
    $ safety check --full-report --key="my-paid-key"
    Traceback (most recent call last):
      File "/home/someuser/repos/mercury/test1/bin/safety", line 11, in <module>
        sys.exit(cli())
      File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/click/core.py", line 722, in __call__
        return self.main(*args, **kwargs)
      File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/click/core.py", line 697, in main
        rv = self.invoke(ctx)
      File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/click/core.py", line 1066, in invoke
        return _process_result(sub_ctx.command.invoke(sub_ctx))
      File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/click/core.py", line 895, in invoke
        return ctx.invoke(self.callback, **ctx.params)
      File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/click/core.py", line 535, in invoke
        return callback(*args, **kwargs)
      File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/safety/cli.py", line 71, in check
        key=key
      File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/safety/formatter.py", line 196, in report
        return SheetReport.render(vulns, full=full, checked_packages=checked_packages, used_db=used_db)
      File "/home/someuser/repos/mercury/test1/lib/python3.6/site-packages/safety/formatter.py", line 116, in render
        table.append("│ {:76} │".format(line.encode('utf-8')))
    TypeError: unsupported format string passed to bytes.__format__
    
    
    bug 
    opened by JochenABC 6
  • Input filenames instead of --stdin

    Input filenames instead of --stdin

    --stdin is rather inflexible in that it requires a shell or other means of piping data to the executable.

    I'm proposing a --input-file which works similarly but obsoletes --stdin

    cat requirements.txt | safety --stdin becomes safety -- requirements.txt

    echo 'x==1' | safety --stdin becomes echo 'x==1' | safety -- /dev/stdin

    etc.

    opened by asottile 6
  • Is 2.0 out or not?

    Is 2.0 out or not?

    Description

    I have safety as a dependency tracked by pyup on this repo: https://github.com/pzelnip/depwatch/pull/459

    Today it opened a PR saying to upgrade safety to 2.0.

    2.0 appears to be released on Pypi: https://pypi.org/project/safety/2.0.0/

    2.0 does not appear to be released looking at the release history: https://pyup.io/changelogs/safety/ or https://github.com/pyupio/safety/releases

    Is 2.0 final now officially released and safe to use, or is this an error/accidentally uploaded to pypi by mistake?

    opened by pzelnip 0
  • Using local repository

    Using local repository

    • safety version: latest
    • Python version: 3.7
    • Operating System: alpine docker

    Description

    I have a local pypi repository, can I use it offline when working with safety?

    What I Did

    offline runner: `Connection to pypi.org timed out. (connect timeout=15)')': /simple/safety/`
    
    opened by itsecforu 0
  • Build and release an arm64 version of safety

    Build and release an arm64 version of safety

    • safety version: 1.10.3
    • Python version: Any
    • Operating System: Mac and Linux

    Description

    I would like to get a native build of safety for the arm64/aarch64 architecture and the Mac and Linux OSs.

    But the current releases are only for the amd64/x86_64 architectures.

    hadolint/hadolint#411 has some possibly relevant discussions.

    opened by proinsias 0
  • Adding support for an

    Adding support for an "ignore file" Issue #351

    Here is a first draft of an implementation of an "ignore file" The ignore file consists of lines with vulnerability IDs followed optionally by an expiration date after which the vulnerability will no longer be ignored. It also supports comments in the file using a # mark. The command line option is -f or --ignore-file. Additional details are in the update I made to the README.md.

    My apologies for modifying the whitespace in a few lines. That was done by my editor and I didn't realize it until after the commit.

    opened by albertcrowley 0
  • Update README.md

    Update README.md

    If you attempt to run the command safety check --output --json insecure_report.json given in the README it fails due to --output expecting a filename where --json is then given and insecure_report.json is now an unknown parameter. Running the --json flag first then --output with insecure_report.json allows the command to run correctly.

    opened by ed-wright 1
Releases(2.0.0)
A Static Analysis Tool for Detecting Security Vulnerabilities in Python Web Applications

This project is no longer maintained March 2020 Update: Please go see the amazing Pysa tutorial that should get you up to speed finding security vulne

null 2.1k Jun 18, 2022
Bug Alert: a service for alerting security and IT professionals of high-impact and 0day vulnerabilities

Bug Alert Bug Alert is a service for alerting security and IT professionals of h

BugAlert.org 200 Jun 24, 2022
A simple tool to audit Unix/*BSD/Linux system libraries to find public security vulnerabilities

master_librarian A simple tool to audit Unix/*BSD/Linux system libraries to find public security vulnerabilities. To install requirements: $ sudo pyth

CoolerVoid 161 May 12, 2022
this keylogger is only for pc not for android but it will only work on those pc who have python installed it is made for all linux,windows and macos

Keylogger this keylogger is only for pc not for android but it will only work on those pc who have python installed it is made for all linux,windows a

Titan_Exodous 1 Nov 4, 2021
A python script to turn Ubuntu Desktop in a one stop security platform. The InfoSec Fortress installs the packages,tools, and resources to make Ubuntu 20.04 capable of both offensive and defensive security work.

infosec-fortress A python script to turn Ubuntu Desktop into a strong DFIR/RE System with some teeth (Purple Team Ops)! This is intended to create a s

James 34 Jun 14, 2022
Security-TXT is a python package for retrieving, parsing and manipulating security.txt files.

Security-TXT is a python package for retrieving, parsing and manipulating security.txt files.

Frank 3 Feb 7, 2022
RedTeam-Security - In this repo you will get the information of Red Team Security related links

OSINT Passive Discovery Amass - https://github.com/OWASP/Amass (Attack Surface M

Abhinav Pathak 5 May 18, 2022
IDAPatternSearch adds a capability of finding functions according to bit-patterns into the well-known IDA Pro disassembler based on Ghidra’s function patterns format.

IDA Pattern Search by Argus Cyber Security Ltd. The IDA Pattern Search plugin adds a capability of finding functions according to bit-patterns into th

David Lazar 38 Apr 29, 2022
SCodeScanner stands for Source Code scanner where the user can scans the source code for finding the Critical Vulnerabilities.

The SCodeScanner stands for Source Code Scanner, where you can scan your source code files like PHP and get identify the vulnerabilities inside it. The tool can use by Pentester, Developer to quickly identify the weakness.

null 68 Jun 18, 2022
Recon is a script to perform a full recon on a target with the main tools to search for vulnerabilities.

?? Recon ?? The step of recognizing a target in both Bug Bounties and Pentest can be very time-consuming. Thinking about it, I decided to create my ow

Dirso 160 Jun 27, 2022
CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain device credentials.

EntySec 106 Jun 13, 2022
SSRF search vulnerabilities exploitation extended.

This tool search for SSRF using predefined settings in different parts of a request (path, host, headers, post and get parameters).

Andri Wahyudi 13 Jul 4, 2021
WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities

WebScan is a web vulnerability Scanning tool, which scans sites for SQL injection and XSS vulnerabilities Which is a great tool for web pentesters. Coded in python3, CLI. WebScan is capable of scanning and detecting sql injection vulnerabilities across HTTP and HTTP sites.

AnonyminHack5 5 Feb 24, 2022
Small python script to look for common vulnerabilities on SMTP server.

BrokenSMTP BrokenSMTP is a python3 BugBounty/Pentesting tool to look for common vulnerabilities on SMTP server. Supported Vulnerability : Spoofing - T

null 27 Jun 17, 2022
A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence of a file

A script based on sqlmap that uses sql injection vulnerabilities to traverse the existence o

null 3 Dec 15, 2021
Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries. Using xrefs to commonly injected and format string'd files, it will scan binaries faster than Firmware Slap.

Christopher Roberts 3 Nov 16, 2021
Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities

Sqli-Scanner is a python3 script written to scan websites for SQL injection vulnerabilities Features 1 Scan one website 2 Scan multiple websites Insta

Anontemitayo 4 Jun 20, 2022
A Python Tool that uses Shodan API's to perform quick recon for vulnerabilities

Shodan Quick Recon A Python Tool that uses Shodan API's to perform quick recon for vulnerabilities Configuration You must edit the python code, and in

Black Hat Ethical Hacking 6 Dec 9, 2021