uv-secure

- Name: uv-secure
- Version: 0.1.2
- Summary: Scan your uv.lock file for dependencies with known vulnerabilities
- Upload time: 2024-12-21 13:06:04
- Requires Python: >=3.9
- License: None
- Keywords: uv, uv.lock, vulnerabilities
- Requirements: No requirements were recorded.
# uv-secure

Scan your uv.lock file for dependencies with known vulnerabilities

## Installation

I recommend installing uv-secure as a uv tool or with pipx, as it's intended to be used
as a CLI tool and it probably only makes sense to have one version installed globally.

Install it as a uv tool as follows:

```shell
uv tool install uv-secure
```

or with pipx:

```shell
pipx install uv-secure
```

Alternatively, you can install uv-secure as a development dependency in a virtual
environment.

## Usage

After installation you can run `uv-secure --help` to see the options.

```text
>> uv-secure --help

 Usage: uv-secure [OPTIONS]

 Parse a uv.lock file, check vulnerabilities, and display summary.

╭─ Options ────────────────────────────────────────────────────────────────────────────╮
│ --uv-lock-path        -p      PATH  Path to the uv.lock file [default: uv.lock]      │
│ --ignore              -i      TEXT  Comma-separated list of vulnerability IDs to     │
│                                     ignore, e.g. VULN-123,VULN-456                   │
│ --version                           Show the application's version                   │
│ --install-completion                Install completion for the current shell.        │
│ --show-completion                   Show completion for the current shell, to copy   │
│                                     it or customize the installation.                │
│ --help                              Show this message and exit.                      │
╰──────────────────────────────────────────────────────────────────────────────────────╯
```

By default, when run with no options, uv-secure looks for a uv.lock file in the current
working directory and scans it for known vulnerabilities, e.g.

```text
>> uv-secure
Checking dependencies for vulnerabilities...
╭───────────────────────────────╮
│ No vulnerabilities detected!  │
│ Checked: 160 dependencies     │
│ All dependencies appear safe! │
╰───────────────────────────────╯
```

## Pre-commit Usage

uv-secure can be run as a pre-commit hook by adding this configuration to your
.pre-commit-config.yaml file:

```yaml
  - repo: https://github.com/owenlamont/uv-secure
    rev: 0.1.1
    hooks:
      - id: uv-secure
```

You should run:

```shell
pre-commit autoupdate
```

Or manually check the latest release and update the _rev_ value accordingly.

The uv-secure pre-commit hook at present assumes the uv.lock file is in the root directory
from which pre-commit is run.

## Roadmap

Below are some ideas (in no particular order) I have for improving uv-secure:

- Update the command line arguments and pre-commit configuration to support finding and
  testing all uv.lock files.
- Add rate limiting on how hard the PyPI JSON API is hit when querying package
  vulnerabilities (this hasn't been a problem yet, but I suspect it may be for uv.lock
  files with many dependencies).
- Explore some local caching for recording known vulnerabilities for specific package
  versions to speed up re-runs.
- Add support for other lock file formats beyond uv.lock.
- Add a severity threshold option for reporting vulnerabilities against.
- Add an autofix option for updating package versions with known vulnerabilities if a
  more recent fixed version exists.
- Add translations to support languages beyond English (I'm not sure of the merits of
  this given most vulnerability reports appear to be only in English, but I'm happy to
  take feedback on this).

## Related Work and Motivation

I created this package because I wanted a dependency vulnerability scanner but wasn't
completely happy with the options that seemed available. I use
[uv](https://docs.astral.sh/uv/) and wanted something that works with uv.lock files, but
neither of the main package options I found fit my requirements:

- [pip-audit](https://pypi.org/project/pip-audit/) only works with requirements.txt
  files, and even if you convert a uv.lock file to a requirements.txt file, pip-audit
  wants to create a whole virtual environment to check all transitive dependencies
  (which should be completely unnecessary when the lock file already contains the full
  set of dependencies).
- [safety](https://pypi.org/project/safety/) also doesn't work with uv.lock files out of
  the box. It does apparently work statically without needing to build a virtual
  environment, but it requires you to create an account on the
  [safety site](https://platform.safetycli.com/). They have a limited free account but
  require a paid account for serious use. If you already have a safety account, though,
  there is a [uv-audit](https://pypi.org/project/uv-audit/) package that wraps safety to
  support scanning uv.lock files.
- [Python Security PyCharm Plugin](https://plugins.jetbrains.com/plugin/13609-python-security):
  lastly, I was inspired by Anthony Shaw's Python Security plugin, which does CVE
  dependency scanning within PyCharm.

I built uv-secure because I wanted a CLI tool that I could run with pre-commit, that
statically analyses the uv.lock file without needing to create a virtual environment,
and that doesn't require you to create (and pay for) an account with any service.

## Contributing

Please raise issues for any bugs you discover with uv-secure. If practical and not too
sensitive, sharing the problem uv.lock file would help me reproduce and fix these issues.
I welcome PRs for minor fixes and documentation tweaks. If you'd like to make more
substantial contributions, please reach out by email or social media, or raise an
improvement issue to discuss first, to make sure our plans are aligned before creating
any large or time-expensive PRs.
