{"id":2272,"library":"safety","title":"Safety CLI","description":"Safety CLI (safety) is a Python dependency vulnerability scanner that identifies known security vulnerabilities and malicious packages in your project's dependencies. It integrates into local development, CI/CD pipelines, and production systems, providing actionable remediation recommendations. The current version is 3.7.0, and it maintains an active release cadence with regular updates.","status":"active","version":"3.7.0","language":"en","source_language":"en","source_url":"https://github.com/pyupio/safety","tags":["security","vulnerability-scanner","dependency-management","supply-chain-security","cli","ci/cd"],"install":[{"cmd":"pip install safety","lang":"bash","label":"Install Safety CLI"}],"dependencies":[],"imports":[],"quickstart":{"code":"import subprocess\nimport os\n\n# Create a dummy requirements.txt for demonstration.\n# The requirement lines need a real newline inside the file, so the\n# Python string literal uses the escape sequence \\n.\nwith open('requirements.txt', 'w') as f:\n    f.write('requests==2.25.1 # known vulnerable version for demo (CVE-2023-32681, fixed in 2.31.0)\\n')\n    f.write('Flask==2.3.2 # non-vulnerable example\\n')\n\nprint('Scanning requirements.txt for vulnerabilities...')\n\n# Run safety scan command. Note: For full, commercial vulnerability database access,\n# an API key might be required. Basic scanning may work without explicit auth or prompt for it.\n# Use os.environ.get('SAFETY_API_KEY', '') if using a commercial key programmatically.\ntry:\n    # Using check=False to capture output even if safety exits with a non-zero code (vulnerabilities found)\n    result = subprocess.run(\n        ['safety', 'scan', '-r', 'requirements.txt', '--full-report'],\n        capture_output=True,\n        text=True,\n        check=False\n    )\n    print('--- Safety Scan Output ---')\n    print(result.stdout)\n    if result.stderr:\n        print('--- Safety Scan Errors ---')\n        print(result.stderr)\n    print(f'Safety exited with code: {result.returncode}')\n\nexcept FileNotFoundError:\n    print(\"Error: 'safety' command not found. Ensure Safety CLI is installed and in your PATH.\")\nexcept Exception as e:\n    print(f\"An unexpected error occurred: {e}\")\nfinally:\n    # Clean up the dummy file\n    if os.path.exists('requirements.txt'):\n        os.remove('requirements.txt')\n","lang":"python","description":"This quickstart demonstrates how to programmatically run `safety scan` using Python's `subprocess` module to check a `requirements.txt` file. It includes a dummy vulnerable dependency (requests==2.25.1) to show output with findings. For comprehensive vulnerability data, an API key might be required, which can be passed via the `SAFETY_API_KEY` environment variable or configured using `safety auth`."},"warnings":[{"fix":"Migrate your `safety` policy files to the new schema introduced in Safety CLI 3. For details, refer to the official Safety documentation on migrating from Safety 2.x to Safety CLI 3.","message":"The policy file schema has changed significantly in Safety CLI 3.x compared to 2.x, particularly for the `scan` and `system-scan` commands. Older policy files will not work without migration.","severity":"breaking","affected_versions":"3.0.0 and later"},{"fix":"Update your scripts and CI/CD pipelines to use `safety scan` instead of `safety check`. The `scan` command offers improved functionality and native support for various project types.","message":"Safety CLI 3.x has deprecated the `check` command in favor of the more comprehensive `scan` command. While `check` received maintenance until June 2024, it is no longer the recommended approach.","severity":"breaking","affected_versions":"3.0.0 and later"},{"fix":"Review and update any custom parsers or scripts that consume Safety's JSON output to align with the new JSON structure. Refer to the official documentation for the updated schema.","message":"The JSON output format has been updated and improved in Safety CLI 3.x. If you have automated tools or integrations that parse Safety's JSON reports, they may break.","severity":"breaking","affected_versions":"3.0.0 and later"},{"fix":"If license scanning is critical, consider pinning to an older Safety 2.x version or exploring alternative tools until license support is fully integrated into the `safety scan` command.","message":"The `license` command has been dropped from Safety CLI 3.x. Users relying on this command should continue using Safety 2.3.5 or 2.4.0b2, or await future 3.x releases that might reintroduce license scanning capabilities via the `scan` command.","severity":"deprecated","affected_versions":"3.0.0 and later"},{"fix":"Register for a Safety account and obtain an API key. Use `safety auth` to log in, or pass the API key via the `--key` option or the `SAFETY_API_KEY` environment variable for automated environments.","message":"While `pip install safety` provides the CLI, comprehensive vulnerability scanning often requires authentication and an API key to access the full, up-to-date commercial vulnerability database (Safety DB).","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure your Python environment is version 3.9 or higher before installing or upgrading Safety CLI to the latest version.","message":"The current PyPI `safety` package (3.7.0) explicitly requires Python >=3.9. Although the Safety CLI 3.0.0 changelog mentions supporting Python >=3.7, attempting to install or run the latest `safety` on Python 3.7 or 3.8 will fail due to environment requirements.","severity":"gotcha","affected_versions":"3.7.0 and later (as per PyPI)"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}