DEV Community

Aswin

This is why you rewrite Python security tools in Rust: 53MB vs 433MB peak memory, 6.9s vs 62.2s

Your Python security tool is slowing down your pipeline. Here's what I built instead.

I've been working on Pyscan on and off for 3 years now. The first version took 6 minutes to scan 200 dependencies. Today it scans 1000+ in less than 5 seconds.

Here's what it looks like against the tools you're probably already using:

Tool         Execution time   Peak memory
Pyscan       6.9s             53MB
pip-audit    62.2s            433MB
Safety       10.4s            320MB

The actual problem

Devs drop slower security tools to get CI/CD pipelines through faster, which is understandable: nobody wants to babysit a 60-second scan on every push. But that is exactly how vulnerable dependencies sit unpatched for months.

Memory matters on CI/CD runners too, because peak usage decides what size of runner you have to pay for. Pyscan stays flat at ~53MB whether you're scanning 15 dependencies or 700+.

What Pyscan does

Pyscan automatically traverses your Python project, extracts dependencies across whatever packaging format you use (uv, poetry, PDM, Flit, requirements.txt, CycloneDX and SPDX SBOMs, even raw source files) and cross-references them against the Open Source Vulnerabilities (OSV) database in a single async batch request.

That last part is why it's fast. Traditional tools query OSV once per dependency, serially. Pyscan sends one batch request for everything, so runtime scales with the number of vulnerabilities found rather than with the number of dependencies.
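To make the "one request for everything" idea concrete, here is an added example (my own code, not Pyscan's) that parses exactly pinned lines from a requirements.txt, builds a single OSV /v1/querybatch body for all of them, and maps the index-aligned results back to packages. The requirements text, the response and the vulnerability ID in it are constructed placeholders, not real advisories; only the standard library is used, and the live call is separated out so the rest runs offline.

```python
"""Added example: one OSV querybatch request for all pinned dependencies.
Not Pyscan's code; it mirrors the batching approach the post describes.
Standard library only."""
import json
import re
import urllib.request

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"

# Constructed sample requirements.txt; the pins are illustrative only.
SAMPLE_REQUIREMENTS = """\
# comments and blank lines are skipped
requests==2.25.1
Django==3.2.0   # inline comment
pyyaml>=5.4     # not an exact pin: OSV needs a version, so it is skipped
"""

_PIN = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_pins(text):
    """Return [(name, version)] for exactly pinned lines (name==version)."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = _PIN.match(line)
        if m:
            pins.append((m.group(1), m.group(2)))
    return pins


def build_querybatch(pins, ecosystem="PyPI"):
    """One request body covering every dependency (OSV /v1/querybatch shape)."""
    return {
        "queries": [
            {"package": {"name": name, "ecosystem": ecosystem}, "version": version}
            for name, version in pins
        ]
    }


def match_results(pins, response):
    """results[i] corresponds to queries[i]; collect vuln IDs per package.

    A length mismatch means the response cannot be trusted to line up with
    the queries, so fail loudly instead of silently mis-attributing findings.
    """
    results = response.get("results", [])
    if len(results) != len(pins):
        raise ValueError(
            "OSV returned %d results for %d queries" % (len(results), len(pins))
        )
    findings = {}
    for (name, version), entry in zip(pins, results):
        ids = sorted(v["id"] for v in entry.get("vulns", []))
        if ids:
            findings[(name, version)] = ids
    return findings


def query_osv(pins, timeout=30):
    """Live network call; not exercised by the offline demo below."""
    body = json.dumps(build_querybatch(pins)).encode()
    req = urllib.request.Request(
        OSV_QUERYBATCH, data=body, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return match_results(pins, json.load(resp))


# Constructed response in the querybatch shape (id + modified per vuln).
# "EXAMPLE-0001" is a placeholder, not a real advisory identifier.
SAMPLE_RESPONSE = {
    "results": [
        {"vulns": [{"id": "EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]},
        {},  # second package: no known vulnerabilities
    ]
}

if __name__ == "__main__":
    pins = parse_pins(SAMPLE_REQUIREMENTS)
    print(json.dumps(build_querybatch(pins), indent=2))
    print(match_results(pins, SAMPLE_RESPONSE))
```

Two practical points: querybatch only returns vulnerability IDs (and a modified timestamp), so severity and affected-range details need a follow-up fetch per ID, and the batch should be built from exactly pinned versions (a lock file or resolved environment), since an unpinned specifier like `pyyaml>=5.4` has no single version to check.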

The latest release added:

  • SBOM native support: Pyscan now natively parses CycloneDX (bom.json) and SPDX (spdx.json) files
  • Reachability heuristics: it scans your source to find where you actually import the vulnerable packages and highlights those locations in the output
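An added example of the import-based reachability heuristic described in the second bullet (my own code, not Pyscan's): each source file is parsed with `ast`, top-level imported module names are collected with the line where they first appear, and every vulnerable distribution is mapped to the places it is imported. The distribution-to-module mapping is the heuristic part; the small `DIST_TO_MODULE` table and the sample source files are constructed for the example and deliberately incomplete.

```python
"""Added example: flag which vulnerable distributions are actually imported.
Not Pyscan's code. Standard library only."""
import ast

# Known cases where the PyPI distribution name differs from the import name.
# Constructed and intentionally tiny; a real tool would read top_level.txt /
# RECORD from the installed package metadata instead of guessing.
DIST_TO_MODULE = {
    "pyyaml": "yaml",
    "pillow": "PIL",
    "beautifulsoup4": "bs4",
}


def import_name(dist):
    """Best-effort module name for a distribution name (heuristic)."""
    key = dist.lower().replace("_", "-")
    if key in DIST_TO_MODULE:
        return DIST_TO_MODULE[key]
    return key.replace("-", "_")


def imported_modules(source, filename="<source>"):
    """Top-level module names imported anywhere in a file -> first line number.

    Relative imports (from . import x) are skipped: they refer to the
    project's own modules, never to a third-party distribution.
    """
    tree = ast.parse(source, filename=filename)
    seen = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]
                seen[top] = min(seen.get(top, node.lineno), node.lineno)
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.level == 0:
                top = node.module.split(".")[0]
                seen[top] = min(seen.get(top, node.lineno), node.lineno)
    return seen


def reachable(vulnerable_dists, sources):
    """Map each vulnerable distribution to [(file, lineno)] where it is imported.

    `sources` is {filename: source_text}; an empty list means the package is
    never imported directly by the project's own code.
    """
    hits = {dist: [] for dist in vulnerable_dists}
    wanted = {import_name(dist): dist for dist in vulnerable_dists}
    for filename, src in sources.items():
        for mod, lineno in imported_modules(src, filename).items():
            if mod in wanted:
                hits[wanted[mod]].append((filename, lineno))
    return hits


# Constructed sample project: two files, one relative import, one dotted import.
SAMPLE_SOURCES = {
    "app/main.py": "import os\nimport yaml\nfrom requests.adapters import HTTPAdapter\n",
    "app/util.py": "from . import helpers\nimport json\n",
}

if __name__ == "__main__":
    for dist, locations in reachable(["PyYAML", "requests", "Django"], SAMPLE_SOURCES).items():
        state = "imported at %s" % locations if locations else "not imported directly"
        print("%-10s %s" % (dist, state))
```

The caveat a practitioner should keep in mind: this is a heuristic for prioritisation, not proof of non-reachability. A vulnerable package that your code never imports can still be pulled in by another dependency that does import it, so an empty hit list should lower the priority of a finding, not close it.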

One honest thing

Pyscan is on par with uv audit, sometimes faster. If you already use uv you don't need Pyscan at all. That makes sense, since uv is Rust-based as well.

Installation

# via pipx (recommended)
pipx install pyscan-rs

# via pip
pip install pyscan-rs

# via cargo
cargo install pyscan

It's been featured on the Real Python Podcast and has 60,000+ combined downloads across PyPI and crates.io. Still maintained by one broke college student between classes. Still free, still open source.

In upcoming releases I'll be improving QoL for CI/CD users and trying to see if I can make it faster than uv while adding some interesting new features.

Would love feedback and happy to answer questions about the internals! GitHub repo here.
