uv-secure
uv-secure is a command-line tool designed to scan your uv.lock file for dependencies with known vulnerabilities. It provides a quick way to ensure your project's Python dependencies, managed by `uv`, are secure. The library is actively maintained with frequent releases, often including dependency updates and minor feature enhancements.
Common errors
- Error: No such file or directory: 'uv.lock'
  cause: `uv-secure` could not find the `uv.lock` file in the current directory or at the specified path.
  fix: Generate `uv.lock` using `uv`: `uv pip install -r requirements.txt && uv pip freeze > uv.lock`. Ensure you run `uv-secure scan` from the same directory where `uv.lock` resides, or provide the path with `--lock-file PATH_TO_LOCK_FILE`.
- uv-secure: command not found
  cause: `uv-secure` is either not installed or its installation directory is not on your shell's PATH.
  fix: Install `uv-secure` via pip: `pip install uv-secure`. If it is already installed, make sure your PATH includes the directory where Python installs console scripts (e.g., `~/.local/bin` or a virtual environment's `bin` directory).
- Error: unrecognized arguments: --some-invalid-flag
  cause: You are passing a command-line argument that the installed version of `uv-secure` does not recognize. This happens when an option was removed or renamed, or when you made a typo.
  fix: Consult `uv-secure --help` for the list of valid options in your installed version. If you recently updated the tool, check the release notes, as options may have changed.
Warnings
- gotcha Since version 0.16.0, `uv-secure` will also report vulnerabilities found in its own dependencies. This is by design to ensure the scanning tool itself is secure, but might be unexpected if you only anticipate reports on your project's direct dependencies.
- breaking `uv-secure` strictly requires a `uv.lock` file to be present in the directory where it's executed, or specified via the `--lock-file` option. If `uv` has not been used to generate this file, `uv-secure` will fail.
- gotcha New filtering and configuration options, such as `--ignore-unfixed`, `--min-severity`, and `--error-on-unused-ignores`, were introduced in version 0.16.0. Users upgrading from earlier versions may not be aware of these controls for filtering scan reports and enforcing a stricter policy.
Install
- pip install uv-secure
Quickstart
# First, ensure you have uv installed and a uv.lock file
# pip install uv
# cd your_project_directory
# uv pip install -r requirements.txt
# uv pip freeze > uv.lock

# Then, run uv-secure
uv-secure scan

# Example with additional options (introduced in 0.16.0)
uv-secure scan --min-severity critical --ignore-unfixed
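As an added example (not code from the uv-secure project), the following POSIX shell wrapper performs the pre-flight checks behind the "No such file or directory: 'uv.lock'" and "command not found" errors listed under Common errors, and then runs the Quickstart scan with the 0.16.0 options. It assumes the `uv-secure scan` invocation and the `--lock-file`, `--min-severity`, `--ignore-unfixed` and `--error-on-unused-ignores` flags as described on this page; the function names, the exit codes 2 and 3, and the hard-coded `critical` threshold are the example's own choices.

```shell
#!/bin/sh
# Added example, not part of uv-secure: pre-flight checks before a scan.
# Assumption: `uv-secure scan` and the --lock-file / --min-severity /
# --ignore-unfixed / --error-on-unused-ignores flags behave as the page states.

# Print the lock file path on stdout if it exists; return 1 otherwise.
# $1 = project directory, $2 = optional explicit lock file path (--lock-file)
lock_file_path() {
    dir=$1
    if [ -n "${2:-}" ]; then
        candidate=$2
    else
        candidate="$dir/uv.lock"
    fi
    if [ -f "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    return 1
}

# Return 0 if the scanner command is on PATH, 1 otherwise.
# $1 = command name (defaults to uv-secure; parameterised so it can be tested)
scanner_available() {
    command -v "${1:-uv-secure}" >/dev/null 2>&1
}

# Build the option string for the scan from three knobs:
# $1 = minimum severity (empty string to omit the flag)
# $2 = "yes" to drop findings that have no fixed version yet
# $3 = "yes" to fail the run when an ignore entry is never used
build_scan_args() {
    args=""
    if [ -n "$1" ]; then
        args="$args --min-severity $1"
    fi
    if [ "$2" = "yes" ]; then
        args="$args --ignore-unfixed"
    fi
    if [ "$3" = "yes" ]; then
        args="$args --error-on-unused-ignores"
    fi
    printf '%s\n' "${args# }"   # strip the leading space
}

# Run the checks, then the scan. Exit codes (example's own convention):
# 2 = scanner not installed, 3 = no uv.lock, otherwise uv-secure's status.
# $1 = project directory, $2 = scanner command, $3 = explicit lock file (optional)
preflight_scan() {
    dir=$1
    scanner=${2:-uv-secure}
    if ! scanner_available "$scanner"; then
        echo "error: '$scanner' not found on PATH; install it with: pip install uv-secure" >&2
        return 2
    fi
    lock=$(lock_file_path "$dir" "${3:-}") || {
        echo "error: no uv.lock in $dir; generate it with uv or pass --lock-file" >&2
        return 3
    }
    opts=$(build_scan_args critical yes yes)
    # Word-splitting of $opts is intentional: it holds separate flags.
    # shellcheck disable=SC2086
    "$scanner" scan --lock-file "$lock" $opts
}

# Usage: ./preflight.sh PROJECT_DIR [LOCK_FILE]
if [ $# -gt 0 ]; then
    preflight_scan "$1" uv-secure "${2:-}"
fi
```

Running the script with no arguments only defines the functions, so it can be sourced from a CI job and `preflight_scan` called per project; distinct exit codes for "tool missing" and "lock file missing" let a pipeline distinguish an environment problem from an unlocked project instead of treating both as a scan failure.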