Safety is an open source Python package and command line tool for checking Python code dependencies for known security vulnerabilities against its own “Safety-DB” Python vulnerability database.
Safety can be used to check for Python vulnerabilities in:
- Virtual and nonvirtual environments
- Packages contained in a requirements.txt file
- Standard input from a specified resource using the –stdin flag
- Python-based Docker images
- GitHub repositories by integrating the Safety CI online tool with your Github account
- Django applications using Safety Django
Note that if you use pipenv check, it relies on Safety to check for known vulnerabilities in components locked by pipenv.
Safety Installation Prerequisites
Safety is compatible with Python 3.5+ from python.org. Pip/pip3 is the official package manager for Python, and is the recommended tool for installing Python packages.
To check if Safety is already installed and up-to-date, run the following command:
python -m pip show safety
Output should be similar to:
Name: safety Version: 1.10.3 Summary: Checks installed dependencies for known vulnerabilities. Home-page: https://github.com/pyupio/safety Author: pyup.io
…
Safety Installation
Safety can be installed on Linux, MacOS, and the Windows operating systems using pip by running the following command:
pip install safety
or
python -m pip install safety
To upgrade Safety to the latest version, enter:
pip install --upgrade safety
To install a specific version of Safety, eg. version 1.10.2, enter:
pip install requests==1.10.2
Once Safety is installed, you can run the safety check command to check the current directory:
safety check
Output should be similar to:
safety report checked 42 packages, using free DB (updated once a month) --- -> pylint, installed 2.5.3, affected <2.7.0, id 39621 -> aiohttp, installed 3.6.2, affected <3.7.4, id 39659 -> urllib3, installed 1.25.8, affected <1.25.9, id 38834 ...
Install Safety-DB
Safety-DB is a Python package vulnerability database. Safety-DB is updated once a month by syncing with the Safety-db repository in Github. Most of the entries in the database are found by filtering Common Vulnerabilities and Exposures (CVEs) and changelogs for certain keywords. Safety-DB is available from PyPI.
The Safety-DB package requires a separate installation from Safety, and can be installed with the following command:
pip install safety-db
Use Safety to Check Stdin
Safety is able to read from sys.stdin input using the –stdin flag. For example, to check a local requirements.txt file using the –stdin flag, enter:
Linux:
cat requirements.txt | safety check --stdin
Windows:
Echo requirements.txt | safety check --stdin
To safety check the output of pip freeze:
pip freeze | safety check --stdin
To safety check a particular package version, whether that package is installed in your system or not, enter:
echo "<package_name>==<version#>" | safety check --stdin
Use Safety to Check Docker
To safety check a requirements.txt file, enter:
safety check -r requirements.txt
To safety check a requirements.txt file in a Docker image:
Linux:
cat requirements.txt | docker run -i --rm pyupio/safety safety check --stdin
To safety check a Python package in a Docker image:
Windows:
echo "<package_name>==<version#>" | docker run -i --rm pyupio/safety safety check --stdin
A modern solution to Python dependency management and vulnerability remediation – Try ActiveState’s Platform
Dependency resolution is at the core of the ActiveState Platform. When you create a project and start adding requirements, the Platforms tell you what dependencies those requirements have.
The ActiveState Platform is a cloud-based build tool for Python. It provides build automation and vulnerability remediation for:
- Python language cores, including Python 2.7 and Python 3.5+
- Python packages and their dependencies, including:
- Transitive dependencies (ie., dependencies of dependencies)
- Linked C and Fortran libraries, so you can build data science packages
- Operating system-level dependencies for Windows, Linux, and macOS
- Shared dependencies (ie., OpenSSL)
- Find, fix and automatically rebuild a secure version of Python packages like Django and environments in minutes
The ActiveState Platform aims to handle every dependency for every language. That means handling libraries down to the C/C++ level, external tools, and all the conditional dependencies that exist. To take things even further, our ultimate goal is to support multi-language projects. That means that you can create a project using both Python and Perl packages, and we’ll make sure that both languages are using the same (up to date) OpenSSL version.
Python Dependency Management In Action
Get a hands-on appreciation for how the ActiveState Platform can help you manage your dependencies for Python environments. Just run the following command to install Python 3.9 and our package manager, the State Tool:
Windows
powershell -Command "& $([scriptblock]::Create((New-Object Net.WebClient).DownloadString('https://platform.www.activestate.com/dl/cli/install.ps1'))) -activate-default ActiveState-Labs/Python-3.9Beta"Linux
sh <(curl -q https://platform.www.activestate.com/dl/cli/install.sh) --activate-default ActiveState-Labs/Python-3.9Beta
Now you can run state install <packagename>. Learn more about how to use the State Tool to manage your Python environment.
Let us know your experience in the ActiveState Community forum.
Watch this video to learn how to use the ActiveState Platform to create a Python 3.9 environment, and then use the Platform’s CLI (State Tool) to install and manage it.
Watch this video to see how the Platform can be used to FIND and FIX vulnerabilities in your Python and Perl environments.
