
python dependency vulnerability scanner, written in Rust.


🐍 Pyscan


A dependency vulnerability scanner for your Python projects, straight from the terminal.
  • can be used within large projects (see benchmarks).
  • automatically finds dependencies either in configuration files or within source code.
  • supports poetry, hatch, flit and pdm, and can be integrated into existing build processes.
  • hasn't been battle-hardened yet; PRs and issue reports are welcome.

🕊️ Install

pip install pyscan-rs

Note the "-rs" suffix on the PyPI package name. Alternatively, install with cargo:

cargo install pyscan

🐇 Usage

Go to your python source directory (or wherever you keep your requirements.txt/pyproject.toml) and run:

> pyscan

or

> pyscan -d path/to/src

Pyscan will find any dependencies added through poetry, hatch, flit, pdm, etc. When more than one source is present, this is the order of precedence for the source/config file it reads:
  • requirements.txt
  • pyproject.toml
  • your source code (.py)

Pyscan will use your local pip to resolve unknown versions, and otherwise falls back to pypi.org for the latest version. Still, make sure you pin the versions in your requirements and use proper PEP 508 syntax.
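The two points above, the discovery precedence and the advice to pin versions in PEP 508 syntax, are easy to get wrong in a requirements file, so here is an added illustration of both. This is not pyscan's own code and does not reproduce its internals; it uses only the standard library, with a deliberately reduced PEP 508 grammar (no URL requirements, no nested markers) and a constructed sample requirements file.

```python
"""Dependency-source discovery and PEP 508 pinning check (added illustration,
not pyscan's own code). Mirrors the README's precedence order and flags
requirements that leave the resolver free to pick an unpinned version."""

import re
from dataclasses import dataclass, field
from typing import Optional

# Discovery order from the README: first match wins.
PRECEDENCE = ("requirements.txt", "pyproject.toml", "*.py")

# Reduced PEP 508 grammar: name, optional extras, version clauses, optional
# environment marker, optional trailing comment. URL requirements are not handled.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)"  # project name
    r"\s*(?:\[(?P<extras>[^\]]*)\])?"                            # [extra1,extra2]
    r"\s*(?P<spec>[^;#]*?)"                                      # version clauses
    r"\s*(?:;\s*(?P<marker>[^#]*?))?"                            # ; env marker
    r"\s*(?:#.*)?$"                                               # trailing comment
)
_CLAUSE_RE = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*(\S+)$")


@dataclass
class Requirement:
    name: str
    extras: list = field(default_factory=list)
    clauses: list = field(default_factory=list)   # [(operator, version), ...]
    marker: Optional[str] = None

    def is_pinned(self) -> bool:
        """Exactly pinned: an == or === clause whose version has no wildcard."""
        return any(op in ("==", "===") and not ver.endswith(".*")
                   for op, ver in self.clauses)


def parse_requirement(line: str) -> Optional[Requirement]:
    """Parse one requirements.txt line; None for blanks, comments and pip options."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "-")):
        return None
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"not a PEP 508 requirement: {line!r}")
    clauses = []
    for raw in filter(None, (c.strip() for c in m.group("spec").split(","))):
        cm = _CLAUSE_RE.match(raw)
        if not cm:
            raise ValueError(f"bad version clause {raw!r} in {line!r}")
        clauses.append((cm.group(1), cm.group(2)))
    extras = [e.strip() for e in (m.group("extras") or "").split(",") if e.strip()]
    marker = m.group("marker").strip() if m.group("marker") else None
    return Requirement(m.group("name").lower(), extras, clauses, marker)


def audit_requirements(text: str) -> list:
    """Report every requirement that is not exactly pinned, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        req = parse_requirement(line)
        if req is None or req.is_pinned():
            continue
        spec = ",".join(op + ver for op, ver in req.clauses) or "<none>"
        findings.append({"line": lineno, "name": req.name, "specifier": spec})
    return findings


def pick_source(paths: list) -> Optional[str]:
    """Apply the README's precedence to a directory listing."""
    names = set(paths)
    for candidate in PRECEDENCE[:2]:
        if candidate in names:
            return candidate
    if any(p.endswith(".py") for p in names):
        return "*.py"
    return None


# Constructed sample requirements file (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
# pinned, with extras and an environment marker
requests[security]==2.31.0 ; python_version >= "3.8"
numpy>=1.20,<2        # range only: the resolver may pick any version in it
pyyaml                # no specifier at all
cryptography==41.*    # wildcard is not an exact pin
-r dev-requirements.txt
"""

if __name__ == "__main__":
    print("scan source:", pick_source(["pyproject.toml", "app.py", "requirements.txt"]))
    for f in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f['line']}: {f['name']} not pinned (specifier {f['specifier']})")
```

Running it reports the three unpinned entries (numpy, pyyaml, cryptography) while the pinned requests line and the pip `-r` option pass; a scanner that resolves "latest" from pypi.org for those three may audit a different version than the one actually installed, which is why pinning matters.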

Building

pyscan requires a Rust version < v1.70 and might be unstable on previous releases. There's an overview of the codebase at architecture. Grateful for all the contributions so far.

🦀 Note

pyscan doesn't make sure your code is safe from everything. Use all the resources available to you, like Safety, Dependabot, pip-audit, Trivy and the like.

🐰 Todo

As of October 15, 2023:

  • Gather time to work on it (an incredible task as a high schooler)
  • Persistent state representation of a project's security.
  • Graphical analysis of dependencies and their dependencies, and so on.
  • Better display, search and filtering of vulns

🐹 Donate

While not coding, I am a broke high school student with nothing else to do. I appreciate all the help I can get.