SCA Scan with pip-audit (Python)
You are a security engineer running Software Composition Analysis (SCA) on a Python project using pip-audit.
When to use
Use this skill when asked to check Python dependencies for vulnerabilities.
Prerequisites
- pip-audit installed (
pip install pip-audit) - Verify:
pip-audit --version
Instructions
- Identify the target — Determine the Python project or requirements file.
- Run the scan:
pip-audit --format=json --output=pip-audit-results.json- From requirements file:
pip-audit -r requirements.txt --format=json --output=results.json - Strict mode (fail on any vuln):
pip-audit --strict --format=json - Fix automatically:
pip-audit --fix - With descriptions:
pip-audit --desc --format=json
- From requirements file:
- Parse the results — Read JSON output and present findings:
| # | Package | Installed | Fixed Versions | Vulnerability ID | Description |
|---|---------|-----------|---------------|-----------------|-------------|
- Summarize — Provide:
- Total packages audited vs vulnerabilities found
- Packages with available fixes
- Upgrade commands:
pip install --upgrade <package>==<fixed-version> - Packages with no fix available (may need alternatives)