Alex Spinov

How to Check If Your Dependencies Are Vulnerable (30 Lines of Python)

Last week a critical vulnerability was found in a popular npm package.

It had been there for 3 months. Nobody noticed.

Here's how to build a vulnerability scanner in 30 lines of Python — so you catch these before production.

The Scanner

import requests
import sys

OSV_QUERY_URL = 'https://api.osv.dev/v1/query'

def scan_requirements(filepath):
    """Scan Python requirements.txt for known vulnerabilities"""
    vulns_found = 0

    with open(filepath) as f:
        for line in f:
            # Drop inline comments so "pkg==1.0  # why" does not end up in the version
            line = line.split('#', 1)[0].strip()
            if not line or '==' not in line:
                continue

            package, version = (part.strip() for part in line.split('==', 1))

            # Ask OSV.dev for advisories matching this exact package+version.
            # The timeout keeps a hung API from stalling the CI job, and a
            # non-2xx response raises instead of being misread as "clean".
            resp = requests.post(OSV_QUERY_URL, json={
                'package': {
                    'name': package,
                    'ecosystem': 'PyPI'
                },
                'version': version
            }, timeout=15)
            resp.raise_for_status()

            vulns = resp.json().get('vulns', [])

            if vulns:
                vulns_found += len(vulns)
                print(f"⚠️  {package}=={version}: {len(vulns)} vulnerabilities")
                for v in vulns[:3]:
                    severity = v.get('database_specific', {}).get('severity', '?')
                    print(f"    [{severity}] {v['id']}: {v.get('summary', '')[:70]}")
            else:
                print(f"{package}=={version}: clean")

    return vulns_found

# Run it. The CI step below calls `python scan_deps.py requirements.txt`,
# so take the path from argv and fall back to requirements.txt
total = scan_requirements(sys.argv[1] if len(sys.argv) > 1 else 'requirements.txt')
print(f"\n{'🚨' if total else ''} Total: {total} vulnerabilities found")
sys.exit(1 if total > 0 else 0)

How It Works

  1. Reads your requirements.txt
  2. For each package+version, queries OSV.dev (Google's vulnerability DB)
  3. Reports any known CVEs with severity
  4. Exits with code 1 if vulnerabilities found (CI-friendly)
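Two things bite in practice with the scanner above: real requirements files carry extras, environment markers and `-r` includes that a plain `split('==')` mangles, and one POST per package is slow for large lockfiles. This added example (my code, not the author's) parses those lines properly and targets OSV's `/v1/querybatch` endpoint, which takes all queries in one request and answers with results in the same order; the sample requirements and the API response are constructed, not real OSV data.

```python
import json
import re
import urllib.request

OSV_BATCH_URL = 'https://api.osv.dev/v1/querybatch'
# "name[extra]==version"; the version stops at whitespace, a ';' marker, '#' or '='
PIN_RE = re.compile(r'^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;#=]+)')

def parse_pins(text):
    """Return [(normalised_name, version)] for each '==' pin; comments, blank
    lines, '-r'/'-e'/'--option' lines and unpinned specifiers are skipped."""
    pins = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('-'):
            continue
        m = PIN_RE.match(line)
        if m:
            # PEP 503: names are case-insensitive and runs of [-_.] collapse to '-'
            pins.append((re.sub(r'[-_.]+', '-', m.group(1)).lower(), m.group(3)))
    return pins

def build_querybatch(pins, ecosystem='PyPI'):
    """One POST body for /v1/querybatch instead of one request per package."""
    return {'queries': [{'package': {'name': n, 'ecosystem': ecosystem}, 'version': v}
                        for n, v in pins]}

def post_querybatch(payload, timeout=15):
    """Send the batch; the timeout keeps a hung API from stalling the CI job."""
    req = urllib.request.Request(OSV_BATCH_URL, data=json.dumps(payload).encode(),
                                 headers={'Content-Type': 'application/json'})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def summarize(pins, response):
    """Map each vulnerable pin to its OSV ids. Batch results arrive in query
    order and carry only id/modified; details come from GET /v1/vulns/{id}."""
    pairs = zip(pins, response.get('results', []))
    return {f'{n}=={v}': [x['id'] for x in r.get('vulns', [])]
            for (n, v), r in pairs if r.get('vulns')}

# Constructed sample input and a constructed API response (not real OSV data)
SAMPLE_REQS = """\
requests==2.31.0
Django[argon2]==4.2.1 ; python_version >= "3.8"   # extra + environment marker
-r base.txt
numpy>=1.20   # unpinned: no single version to match, skipped
"""
SAMPLE_RESPONSE = {'results': [{}, {'vulns': [{'id': 'OSV-EXAMPLE-0001', 'modified': '2024-01-01T00:00:00Z'}]}]}
```

Running `summarize(parse_pins(SAMPLE_REQS), SAMPLE_RESPONSE)` yields `{'django==4.2.1': ['OSV-EXAMPLE-0001']}`; against the live API, replace `SAMPLE_RESPONSE` with `post_querybatch(build_querybatch(pins))`.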

Add It to CI/CD

# .github/workflows/security.yml
name: Dependency Security Check
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - run: pip install requests
      - run: python scan_deps.py requirements.txt

Now every PR gets a vulnerability check. Free.

Also Works for npm

import json
import requests

def scan_npm(package_json_path):
    """Scan package.json dependencies for known vulnerabilities via OSV.dev"""
    with open(package_json_path) as f:
        pkg = json.load(f)

    deps = {**pkg.get('dependencies', {}), **pkg.get('devDependencies', {})}
    vulns_found = 0

    for name, version in deps.items():
        # Strip range prefixes (^1.2.3 -> 1.2.3). OSV needs one concrete version,
        # so this checks the range's lower bound; the version actually installed
        # is recorded in package-lock.json and may differ.
        ver = version.lstrip('^~>=<')
        if not ver[:1].isdigit():
            # "*", "latest", "1.x", git URLs etc. cannot be matched to a version
            print(f"skip {name}@{version}: not a concrete version")
            continue

        resp = requests.post('https://api.osv.dev/v1/query', json={
            'package': {'name': name, 'ecosystem': 'npm'},
            'version': ver
        }, timeout=15)
        resp.raise_for_status()
        vulns = resp.json().get('vulns', [])
        vulns_found += len(vulns)
        status = f"⚠️ {len(vulns)} vulns" if vulns else ""
        print(f"{status} {name}@{ver}")

    return vulns_found

Why Not pip-audit/npm audit?

They're great! But this approach:

  • Works across ecosystems (PyPI + npm + Go + Rust + 40 more)
  • No installation needed — just requests
  • Easy to customize (add Slack alerts, generate reports)
  • Returns structured JSON for programmatic use

Full Toolkit

👉 api-security-scanner — combines 5 security APIs

👉 awesome-security-apis — curated list of free security APIs


How do you scan your dependencies? Built-in tools, custom scripts, or commercial scanner?


Need custom security tooling? GitHub | Apify
