pip-audit

Community

A tool for scanning Python environments for known vulnerabilities

Installation

To install this package, run one of the following:

Conda
$ conda install conda-forge::pip-audit

Description

pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database (https://github.com/pypa/advisory-db) via the PyPI JSON API as a source of vulnerability reports.

This project is developed by Trail of Bits with support from Google. This is not an official Google product.

Features

  • Support for auditing local environments and requirements-style files
  • Support for multiple vulnerability services (PyPI, OSV)
  • Support for emitting SBOMs in CycloneDX XML or JSON
  • Human and machine-readable output formats (columnar, JSON)
  • Seamlessly reuses your existing local pip caches

About

Last Updated

Dec 2, 2025 at 02:17

License

Apache-2.0

Total Downloads

33.1K

Supported Platforms

noarch