[Feature Request] Add uv audit Command for Security Vulnerability Scanning #9189
Comments
For prior art: take a look at pip-audit, which currently interoperates with Based on our experience with that tool, some scattered thoughts:

In the meantime, this seems to work fairly well

I had some issues with pip-audit trying to install pip (
Seems to work very well too.
Problem

Currently, there's no integrated way to audit dependencies defined in `pyproject.toml` and `uv.lock` against known security vulnerabilities in the Python Packaging Advisory Database. This creates security risks and workflow inefficiencies:

Proposed Solution

Implement a native `uv audit` command that would:
- `pyproject.toml` and `uv.lock`

Example usage:

Benefits

Alternatives Considered

1. Using pip-audit
   - `pyproject.toml` support (ref: Support for optional dependencies/extras when auditing from pyproject.toml, pypa/pip-audit#766)
   - `uv.lock` support
2. Extending pip-audit for `uv.lock` support
3. Local environment scanning with pip-audit
   - `pip-audit -l` against installed packages
4. Requirements.txt generation and scanning with pip-audit
   - `uv.lock` to `requirements.txt` format for scanning

Additional Context

Next Steps

💡 Please share your thoughts on this proposal, particularly regarding: