{"id":1627,"library":"pip-audit","title":"pip-audit","description":"pip-audit is a command-line tool for scanning Python environments (installed packages, requirements files, or lockfiles) for known vulnerabilities. It leverages various vulnerability databases like OSV and Ecosyste.ms to provide comprehensive security checks. Currently at version 2.10.0, it maintains an active development pace with frequent minor releases to introduce new features, fix bugs, and update dependencies.","status":"active","version":"2.10.0","language":"en","source_language":"en","source_url":"https://github.com/pypa/pip-audit","tags":["security","vulnerability-scanning","cli","pypa","dependency-auditing"],"install":[{"cmd":"pip install pip-audit","lang":"bash","label":"Install pip-audit"}],"dependencies":[],"imports":[{"note":"Primarily a CLI tool, but offers programmatic API for auditing an installed environment.","symbol":"audit_environment","correct":"from pip_audit._api import audit_environment"},{"note":"Use this for auditing a list of Pip-style requirements.","symbol":"audit_requirements","correct":"from pip_audit._api import audit_requirements"},{"note":"The entry point for the command-line interface. Rarely called directly in user code.","symbol":"main","correct":"from pip_audit._cli import main"}],"quickstart":{"code":"import subprocess\n\n# Scan the current Python environment\nprint('Scanning current environment:')\nresult_env = subprocess.run(['pip-audit', '--output-format', 'json'], capture_output=True, text=True, check=False)\nprint(result_env.stdout)\n\n# Example: Scan a requirements file (create a dummy one)\nwith open('requirements.txt', 'w') as f:\n    f.write('requests==2.25.1\\n') # Known vulnerable version\n\nprint('\\nScanning requirements.txt:')\nresult_req = subprocess.run(['pip-audit', '-r', 'requirements.txt', '--output-format', 'json'], capture_output=True, text=True, check=False)\nprint(result_req.stdout)\n","lang":"python","description":"This quickstart demonstrates how to use `pip-audit` via its command-line interface, which is its primary mode of operation. It shows scanning the current Python environment and a requirements file, outputting results in JSON format for machine readability. The `subprocess` module is used to simulate a command-line invocation."},"warnings":[{"fix":"Ensure your environment uses Python 3.10 or newer for v2.10.0+. Consult `pip-audit`'s changelog for specific version requirements if using an older `pip-audit` release.","message":"The minimum required Python version has progressively increased. As of v2.10.0, Python >=3.10 is required. Earlier versions (v2.8.0 onwards required >=3.9, v2.6.2 onwards required >=3.8) supported older Python versions.","severity":"breaking","affected_versions":">=2.6.2"},{"fix":"Upgrade to `pip-audit` v2.7.2 or newer, which includes fixes for authentication-related hangs and improves `pip`'s keyring provider usage. Ensure `keyring` is properly configured if using authenticated indices.","message":"Users resolving packages against private package indexes that require authentication might experience hangs. This was a recurring issue with `pip` subprocess invocation.","severity":"gotcha","affected_versions":"<2.6.2, <2.7.2"},{"fix":"Be aware that cache files created by older `pip-audit` versions might not be recognized by newer versions in their new default locations. Manually clear or relocate old cache data if issues arise, or specify `--cache-dir` for explicit control.","message":"`pip-audit`'s default cache locations on macOS and Linux changed in v2.8.0 to align with platform-specific caching directory idioms (e.g., XDG).","severity":"gotcha","affected_versions":"<2.8.0"},{"fix":"Upgrade to `pip-audit` v2.7.3 or newer to benefit from improved handling of temporary files and subprocesses on Windows, addressing crashes and deadlocks.","message":"On Windows, some versions experienced crashes or issues related to temporary file handling and subprocess deadlocks.","severity":"gotcha","affected_versions":"<2.6.1, <2.7.3"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}