How to Scan Python Dependencies for Vulnerabilities
Every dependency in a Python project is a potential source of known security vulnerabilities. Scanning those dependencies against a vulnerability database catches problems before they reach production.
Using uv audit
uv 0.10.12 and later includes the uv audit command, which checks project dependencies against the OSV (Open Source Vulnerabilities) database.
Run it from the root of a uv project:
$ uv audit
uv audit reads the project’s lockfile and queries OSV for known vulnerabilities in each dependency. When vulnerabilities are found, it prints details with links to the relevant advisories and exits with a non-zero status code. When no vulnerabilities are found, it exits with status 0.
To point uv audit at a custom vulnerability service instead of OSV, use the --service-url and --service-format flags:
$ uv audit --service-url https://vuln.example.com/api --service-format osv
Note
uv audit requires uv 0.10.12 or later. Run uv self version to check, and uv self update to upgrade.
Using pip-audit
pip-audit is an established alternative that also queries the OSV database. It works with any Python project, regardless of whether the project uses uv.
Run it as a one-off tool with uvx:
$ uvx pip-audit
This scans the packages installed in the current environment. To scan a requirements.txt file instead:
$ uvx pip-audit -r requirements.txt
Like uv audit, pip-audit exits with a non-zero status code when vulnerabilities are found.
Adding vulnerability scanning to CI
Both tools work well in GitHub Actions because they return non-zero exit codes on findings, which fails the CI step.
Here is a GitHub Actions workflow that runs uv audit on every push and pull request:
name: Vulnerability scan
on: [push, pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v7
      - run: uv audit
To use pip-audit instead (for example, if the project uses an older version of uv or does not use uv at all):
name: Vulnerability scan
on: [push, pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v7
      - run: uvx pip-audit -r requirements.txt