🐍 Pyscan

A dependency vulnerability scanner for your python projects, straight from the terminal.

• can be used within large projects. (see benchmarks)
• automatically finds dependencies either from configuration files or within source code.
• support for poetry,hatch,filt,pdm and can be integrated into existing build processes.
• hasn't been battle-hardened yet. PRs and issue makers welcome.

🕊️ Install

pip install pyscan-rs

look out for the "-rs" part or

cargo install pyscan

check out the releases.

🐇 Usage

Go to your python source directory (or wherever you keep your requirements.txt/pyproject.toml) and run:

> pyscan

or

> pyscan -d path/to/src

Pyscan will find any dependencies added through poetry, hatch, filt, pdm, etc. Here's the order of precedence for a source/config file:

• requirements.txt
• pyproject.toml
• your source code (.py)

Pyscan will use your pip to find unknown versions, otherwise pypi.org for the latest version. Still, Make sure you version-ize your requirements and use proper pep-508 syntax.

Building

pyscan requires a rust version of < v1.70, and might be unstable on previous releases. There's an overview of the codebase at architecture. Grateful for all the contributions so far.

🦀 Note

pyscan doesn't make sure your code is safe from everything. Use all resources available to you like safety Dependabot, pip-audit, trivy and the likes.

🐰 Todo

As of October 15, 2023:

• Gather time to work on it (incredible task as a high schooler)
• Persistent state representation of a project's security.
• Graphical analysis of dependencies and their dependencies, and so on.
• Better display, search, filter of vulns

🐹 Donate

While not coding, I am a broke high school student with nothing else to do. I appreciate all the help I can get.