Python Safety Package – A Quick Read

Try a faster and easier way to manage your Python dependencies. Use Python 3.9 by ActiveState and build your own runtime with the packages and dependencies you need. Get started for free by creating an account on the ActiveState Platform or logging in with your GitHub account.

Safety is an open source Python package and command line tool for checking Python code dependencies for known security vulnerabilities against its own “Safety-DB” Python vulnerability database.

Safety can be used to check for Python vulnerabilities in:

  • Virtual and nonvirtual environments
  • Packages contained in a requirements.txt file
  • Standard input from a specified resource using the --stdin flag
  • Python-based Docker images
  • GitHub repositories by integrating the Safety CI online tool with your GitHub account
  • Django applications using Safety Django

Note that if you use pipenv check, it relies on Safety to check for known vulnerabilities in components locked by pipenv.

Safety Installation Prerequisites

Safety is compatible with Python 3.5+ from python.org. Pip/pip3 is the official package manager for Python, and is the recommended tool for installing Python packages.

To check if Safety is already installed and up-to-date, run the following command:

python -m pip show safety

Output should be similar to:

Name: safety
Version: 1.10.3
Summary: Checks installed dependencies for known vulnerabilities.
Home-page: https://github.com/pyupio/safety
Author: pyup.io

Safety Installation

Safety can be installed on Linux, macOS, and Windows using pip by running the following command:

pip install safety

or 

python -m pip install safety

To upgrade Safety to the latest version, enter:

pip install --upgrade safety

To install a specific version of Safety, e.g. version 1.10.2, enter:

pip install safety==1.10.2

Once Safety is installed, you can run the safety check command to check the current directory:

safety check

Output should be similar to:

safety report
checked 42 packages, using free DB (updated once a month)
---
-> pylint, installed 2.5.3, affected <2.7.0, id 39621
-> aiohttp, installed 3.6.2, affected <3.7.4, id 39659
-> urllib3, installed 1.25.8, affected <1.25.9, id 38834
...

Install Safety-DB 

Safety-DB is a Python package vulnerability database. Safety-DB is updated once a month by syncing with the Safety-db repository on GitHub. Most of the entries in the database are found by filtering Common Vulnerabilities and Exposures (CVEs) and changelogs for certain keywords. Safety-DB is available from PyPI.

The Safety-DB package requires a separate installation from Safety, and can be installed with the following command:

pip install safety-db

Use Safety to Check Stdin

Safety is able to read input from sys.stdin using the --stdin flag. For example, to check a local requirements.txt file using the --stdin flag, enter:

Linux:

cat requirements.txt | safety check --stdin

Windows:

type requirements.txt | safety check --stdin

On Windows, type prints the file's contents; echo would only pass the literal file name to Safety.

To run a Safety check on the output of pip freeze:

pip freeze | safety check --stdin

To run a Safety check on a particular package version, whether or not that package is installed on your system, enter:

echo "<package_name>==<version#>" | safety check --stdin
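As an added example (not code from this page or from the Safety project), the script below feeds a constructed set of pinned packages to safety check --stdin the way the command above does, and parses report lines in the format shown in the safety check output earlier into findings a CI step can act on. It assumes the safety command is on PATH; SAMPLE_REPORT is constructed, not captured from a live run.

```python
import re
import subprocess
from dataclasses import dataclass

# One per-vulnerability report line: "-> urllib3, installed 1.25.8, affected <1.25.9, id 38834"
FINDING_RE = re.compile(
    r"^->\s*(?P<package>[\w.\-]+),\s*installed\s+(?P<installed>\S+),"
    r"\s*affected\s+(?P<affected>.+?),\s*id\s+(?P<vuln_id>\d+)\s*$"
)

@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    affected: str
    vuln_id: int

def pins_to_stdin(pins):
    """Requirements-style text for `safety check --stdin`; pins maps name -> version."""
    return "".join(f"{name}=={version}\n" for name, version in sorted(pins.items()))

def parse_safety_report(report):
    """Return one Finding per '-> ...' line; the header and '---' lines are skipped."""
    findings = []
    for line in report.splitlines():
        match = FINDING_RE.match(line.strip())
        if match:
            findings.append(Finding(match["package"], match["installed"],
                                    match["affected"].strip(), int(match["vuln_id"])))
    return findings

def unexpected_findings(findings, accepted_ids=frozenset()):
    """Drop findings whose Safety-DB id is on a reviewed allow-list of accepted risks."""
    return [f for f in findings if f.vuln_id not in accepted_ids]

def check_pins(pins, accepted_ids=frozenset()):
    """Run safety (assumed on PATH); it exits non-zero when it finds something, so no check=True."""
    proc = subprocess.run(["safety", "check", "--stdin"], input=pins_to_stdin(pins),
                          text=True, capture_output=True, check=False)
    return unexpected_findings(parse_safety_report(proc.stdout), accepted_ids)

# Constructed sample in the format shown on this page (not captured from a live run).
SAMPLE_REPORT = """safety report
checked 42 packages, using free DB (updated once a month)
---
-> pylint, installed 2.5.3, affected <2.7.0, id 39621
-> aiohttp, installed 3.6.2, affected <3.7.4, id 39659
-> urllib3, installed 1.25.8, affected <1.25.9, id 38834
"""
```

A CI job would call check_pins with the project's pins and fail when the returned list is non-empty, keeping accepted_ids as a reviewed exception list rather than silencing the tool.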

Use Safety to Check Docker

To run a Safety check on a requirements.txt file, enter:

safety check -r requirements.txt

To run a Safety check on a requirements.txt file using the Safety Docker image:

Linux:

cat requirements.txt | docker run -i --rm pyupio/safety safety check --stdin

To run a Safety check on a particular package version using the Safety Docker image:

Windows:

echo "<package_name>==<version#>" | docker run -i --rm pyupio/safety safety check --stdin

A modern solution to Python dependency management and vulnerability remediation – Try ActiveState’s Platform

Dependency resolution is at the core of the ActiveState Platform. When you create a project and start adding requirements, the Platform tells you what dependencies those requirements have.

The ActiveState Platform is a cloud-based build tool for Python. It provides build automation and vulnerability remediation for:

  • Python language cores, including Python 2.7 and Python 3.5+
  • Python packages and their dependencies, including:
      • Transitive dependencies (i.e., dependencies of dependencies)
      • Linked C and Fortran libraries, so you can build data science packages
      • Operating system-level dependencies for Windows, Linux, and macOS
      • Shared dependencies (e.g., OpenSSL)
  • Finding, fixing and automatically rebuilding a secure version of Python packages like Django and environments in minutes

The ActiveState Platform aims to handle every dependency for every language. That means handling libraries down to the C/C++ level, external tools, and all the conditional dependencies that exist. To take things even further, our ultimate goal is to support multi-language projects. That means that you can create a project using both Python and Perl packages, and we’ll make sure that both languages are using the same (up to date) OpenSSL version.

Python Dependency Management In Action

Get a hands-on appreciation for how the ActiveState Platform can help you manage your dependencies for Python environments. Just run the following command to install Python 3.9 and our package manager, the State Tool:

Windows

powershell -Command "& $([scriptblock]::Create((New-Object Net.WebClient).DownloadString('https://platform.activestate.com/dl/cli/install.ps1'))) -activate-default ActiveState-Labs/Python-3.9Beta"

Linux

sh <(curl -q https://platform.activestate.com/dl/cli/install.sh) --activate-default ActiveState-Labs/Python-3.9Beta

Now you can run state install <packagename>. Learn more about how to use the State Tool to manage your Python environment.

Let us know your experience in the ActiveState Community forum.

Watch this video to learn how to use the ActiveState Platform to create a Python 3.9 environment, and then use the Platform’s CLI (State Tool) to install and manage it.

Watch this video to see how the Platform can be used to FIND and FIX vulnerabilities in your Python and Perl environments.
