DEV Community

Jake Espinosa


pip-audit: Managing pip Vulnerabilities

When the standard library doesn't cut it, developers turn to third-party packages to extend functionality. While Python projects typically pull in fewer third-party packages than JavaScript projects do, most large Python projects still depend on several. Managing these packages can be a pain, and staying up to date with the latest security patches is even more challenging. Luckily, the open-source community has come to the rescue yet again with a tool that does this for us.

Supply Chain Security

Before I cover pip-audit, I need to discuss supply chain security. Typically, the phrase "supply chain" is associated with global manufacturing companies that source materials from all over the world. With so many components in the chain, it is all too easy for a malicious actor to compromise one of them. The same concept applies to software development, since we typically use several packages written by many different developers. The packages we rely on can be poorly written, vulnerable to an unknown zero-day, or intentionally compromised (not unheard of with npm packages). While we can't remediate every vulnerability, we can apply best practices to mitigate the risk of compromise.

Using pip-audit

Like all pip packages, you should install pip-audit into a virtual environment. In pipenv, you do this by running pipenv shell to activate the virtual environment and then pipenv install --dev pip-audit. We use the --dev flag to specify that pip-audit is a development dependency and not part of the application. A notable limitation as of the time of writing is that pip-audit cannot audit Pipfiles or Pipfile.lock files. However, it can audit installed packages, and pipenv supports converting Pipfiles and Pipfile.lock files into requirements.txt files.

Then, we develop as usual, installing all the packages. Ideally, you would know what packages you need, install them, and run pipenv run pip-audit to audit the packages before development begins. Auditing up front is a best practice because it reduces the chances of building your application on a vulnerable package. Before packaging up or deploying your app, you should audit the packages again to ensure they aren't vulnerable. Again, this does not guarantee that the packages are secure, since pip-audit only reports vulnerabilities that have already been published as advisories, but it does reduce the chances of a known one slipping through the cracks.
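As an added example (not code from the post or from the pip-audit project), here is a small CI gate that chains the steps above: export the pipenv lockfile with `pipenv requirements`, run `pip-audit -r requirements.txt -f json`, and fail the build if any dependency has a known vulnerability. The JSON field names (`dependencies`, `vulns`, `fix_versions`, `skip_reason`) are assumed from pip-audit's JSON output, and the sample report is constructed.

```python
# Added example, not pip-audit's own code: a CI gate that exports the pipenv
# lockfile, audits it, and fails the build on any known vulnerability.
import json
import subprocess
import sys

def export_requirements(path="requirements.txt"):
    # pip-audit cannot read Pipfile.lock; `pipenv requirements` (assumed) exports it.
    out = subprocess.run(["pipenv", "requirements"], check=True,
                         capture_output=True, text=True).stdout
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(out)
    return path

def run_audit(requirements="requirements.txt"):
    # pip-audit exits non-zero when it finds vulnerabilities, so no check=True;
    # -f json yields a machine-readable report instead of the default table.
    cmd = ["pipenv", "run", "pip-audit", "-r", requirements, "-f", "json"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return json.loads(proc.stdout)

def summarize(report):
    """Reduce a pip-audit JSON report to counts plus one line per finding.
    Accepts a bare dependency list or {"dependencies": [...]} (assumed keys)."""
    deps = report["dependencies"] if isinstance(report, dict) else report
    result = {"vulnerable": 0, "skipped": 0, "lines": []}
    for dep in deps:
        if dep.get("skip_reason"):  # pip-audit could not check this package
            result["skipped"] += 1
            result["lines"].append(f"SKIPPED {dep['name']}: {dep['skip_reason']}")
            continue
        vulns = dep.get("vulns") or []
        result["vulnerable"] += bool(vulns)  # count packages, not advisories
        for v in vulns:
            fix = ", ".join(v.get("fix_versions") or []) or "no fix released"
            result["lines"].append(f"{dep['name']} {dep['version']}: {v['id']} (fix: {fix})")
    return result

# Constructed sample report (made-up names and advisory ids) for offline use.
CONSTRUCTED_REPORT = {"dependencies": [
    {"name": "examplelib", "version": "1.0.0", "vulns": [
        {"id": "EXAMPLE-0001", "fix_versions": ["1.0.1"]},
        {"id": "EXAMPLE-0002", "fix_versions": []}]},
    {"name": "cleanlib", "version": "2.3.0", "vulns": []},
    {"name": "localpkg", "skip_reason": "no version information"}]}

if __name__ == "__main__":
    export_requirements()
    summary = summarize(run_audit())
    print("\n".join(summary["lines"]) or "no known vulnerabilities")
    sys.exit(1 if summary["vulnerable"] else 0)
```

Skipped packages are reported but do not fail the build here; tighten that policy if your pipeline should treat an unauditable dependency as a failure.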

Takeaway

Security is everyone's job, and Python developers are no exception. pip-audit is a tool that all Python developers should use to audit installed packages and be aware of their application's security posture. Using this tool, we do our due diligence and make the world more secure, one application at a time.
