The latest articles on DEV Community by Aswin (@ohaswin). https://dev.to/ohaswin https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F920882%2Fe7c316d8-5d6f-4abc-b629-9584ae590664.jpg https://dev.to/ohaswin en Aswin Sat, 25 Apr 2026 15:11:26 +0000 https://dev.to/ohaswin/this-is-why-you-rewrite-python-security-tools-in-rust-53mb-vs-433mb-peak-memory-69s-vs-622s-4ea6 https://dev.to/ohaswin/this-is-why-you-rewrite-python-security-tools-in-rust-53mb-vs-433mb-peak-memory-69s-vs-622s-4ea6 <h2> Your Python security tool is slowing down your pipeline. Here's what I built instead. </h2> <p>I've been working on <a href="https://github.com/ohaswin/pyscan" rel="noopener noreferrer">Pyscan</a> on and off for 3 years now. The first version took 6 minutes to scan 200 dependencies. Today it scans 1000+ in less than 5 seconds.</p> <p>Here's what it looks like against the tools you're probably already using:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Execution Time</th> <th>Peak Memory</th> </tr> </thead> <tbody> <tr> <td>Pyscan</td> <td>6.9s</td> <td>53MB</td> </tr> <tr> <td>pip-audit</td> <td>62.2s</td> <td>433MB</td> </tr> <tr> <td>Safety</td> <td>10.4s</td> <td>320MB</td> </tr> </tbody> </table></div> <h2> The actual problem </h2> <p>Devs get rid of slower security tools to get CI/CD done faster. Which makes sense because nobody wants to babysit a 60 second scan on every push. But that's how vulnerable dependencies sit unpatched for months.</p> <p>Memory is very important in CI/CD servers and will significantly affect your budget. Pyscan stays flat at ~53MB whether you're scanning 15 deps or 700+.</p> <h2> What Pyscan does </h2> <p>Pyscan automatically traverses your Python project, extracts dependencies across whatever packaging format you use (uv, poetry, PDM, Flit, requirements.txt, CycloneDX and SPDX SBOMs, even raw source files) and cross-references them against the <a href="https://osv.dev/" rel="noopener noreferrer">Open Source Vulnerabilities (OSV) database</a> in a single async batch request.</p> <p>That last part is why it's fast. Traditional tools query OSV per dependency, serially. Pyscan sends one request for everything. <strong>Runtime scales with vulnerabilities found, not dependency count.</strong></p> <p>The latest release added:</p> <ul> <li> <strong>SBOM Native Support:</strong> Pyscan now natively parses CycloneDX (<code>bom.json</code>) and SPDX (<code>spdx.json</code>) files</li> <li> <strong>Reachability Heuristics:</strong> It scans your source to find where you're actually importing the vulnerable packages and highlights them in the output</li> </ul> <h2> One honest thing </h2> <p>Pyscan is on-par with <code>uv audit</code>, sometimes faster. If you already use <code>uv</code> you don't need Pyscan at all. Pretty cool since <code>uv</code> is Rust-based as well.</p> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># via pipx (recommended)</span> pipx <span class="nb">install </span>pyscan-rs <span class="c"># via pip</span> pip <span class="nb">install </span>pyscan-rs <span class="c"># via cargo</span> cargo <span class="nb">install </span>pyscan </code></pre> </div> <p>It's been featured on the Real Python Podcast and has 60,000+ combined downloads across PyPI and crates.io. Still maintained by one broke college student between classes. Still free, still open source.</p> <p>In upcoming releases I'll be improving QoL for CI/CD users and trying to see if I can make it faster than <code>uv</code> while adding some interesting new features.</p> <p>Would love feedback and happy to answer questions about the internals! <a href="https://github.com/ohaswin/pyscan" rel="noopener noreferrer">GitHub repo here</a>.</p> python devops cybersecurity rust