Scanning for Vulnerable and Malicious Packages

Scan and secure projects against dependency vulnerabilities.


Last updated 5 months ago


Scanning a Python project

Once Safety CLI is installed and you have authenticated, let's scan a Python project.

In your terminal, navigate to the root folder of a Python project, e.g. cd /my/project/. (This root folder would normally contain files such as composer.lock, requirements.txt, READMEs, Pipfile.lock, pyproject.toml, .gitignores etc.)

Once you have navigated your terminal to your Python project's root directory, run:

```shell
safety scan
```

If this is the first time Safety has scanned this project, you may be prompted to set the project's name for tracking within Safety Platform.

Running safety scan will:

  • Scan your Python project's entire directory for Python package files and Python virtual environments, indexing all the packages found.

  • Conduct a security analysis of these packages against known security vulnerabilities and malicious package lists.

  • Identify known vulnerabilities in these packages, including their location and version.

  • Provide fix recommendations.

Safety CLI is a powerful and flexible command-line tool. It can be used in a variety of use cases, environments and stages of the development lifecycle. It can output scan reports in different formats, such as JSON, and it can be integrated into any CI/CD pipeline or testing system. To learn more, refer to the Safety CLI Documentation.

Once complete, your terminal will show a summary of the vulnerable packages that were found and recommended actions.

Targeting/Including Specific Requirements Files

In Safety CLI 2, it was possible to target specific requirements files. The new Safety Scan command is designed to allow you to scan all files in a project directory (or sub-directory) simultaneously rather than running separate scans targeted on each file.

If you wish to specify a target directory for the Safety Scan, you can do so using the --target option, e.g. safety scan --target /path/to/project. Safety Scan does not allow you to target single files, but the include-files section of the Policy File does allow you to include specific files in your scan if these are not detected in a normal scan.

Example:

```yaml
include-files:
  - path: inside_target_dir/requirements-docs.txt
    file-type: requirements.txt
  - path: inside_target_dir/requirements-dev.txt
    file-type: requirements.txt
```

When running a new Safety Scan, the new CLI output will separate findings and recommendations by requirements file, e.g. requirements.txt will have its own set of recommendations, requirements-dev.txt will have its own, etc. This means that instead of running separate scans for each file, you can now run one simple scan and see all findings and recommendations in one output.

If the safety scan command is not found, or your safety version is less than 3.0, you need to install Safety version 3 before continuing below.

The Policy File enables you to control the depth of those scans to detect nested requirements files, e.g. six folders deep within the current directory.
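As an added helper (not part of Safety CLI), the script below walks a project directory to a chosen depth, picks out .txt files whose contents look like pip requirement specifiers, and prints the matching include-files entries in the format shown above. The requirement-line heuristic, the excluded directory names and the depth rule are assumptions of this example; the policy keys (include-files, path, file-type) follow this page.

```python
"""Emit Safety policy `include-files` entries for pip requirements files
that live under unusual names or deep inside a project tree.
Added example, not Safety CLI's own code."""
import os
import re
from pathlib import Path

# Heuristic (assumption): a non-comment line such as "requests==2.31.0",
# "django>=4.2" or "numpy~=1.26" is a pip requirement specifier.
_SPEC = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*([=<>!~]=?.*)?$")

# Directories that never hold project requirements files (assumption).
_SKIP_DIRS = {".git", ".venv", "venv", "node_modules", "__pycache__"}


def looks_like_requirements(path: Path) -> bool:
    """True if every non-empty, non-comment line is a specifier or a `-r` include."""
    lines = [ln.strip() for ln in path.read_text(encoding="utf-8").splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    return bool(lines) and all(_SPEC.match(ln) or ln.startswith("-r ") for ln in lines)


def find_requirements(root: Path, max_depth: int = 6) -> list[Path]:
    """Return .txt requirements files under root, at most max_depth folders deep,
    as paths relative to root (the form a policy file's `path:` expects)."""
    root = root.resolve()
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)
        if depth >= max_depth:
            dirnames[:] = []  # do not descend below the configured depth
        dirnames[:] = [d for d in dirnames if d not in _SKIP_DIRS]
        for name in sorted(filenames):
            candidate = Path(dirpath) / name
            if candidate.suffix == ".txt" and looks_like_requirements(candidate):
                found.append(candidate.relative_to(root))
    return sorted(found)


def include_files_yaml(paths) -> str:
    """Render the include-files section in the layout shown on this page."""
    out = ["include-files:"]
    for p in paths:
        out.append(f"  - path: {Path(p).as_posix()}")
        out.append("    file-type: requirements.txt")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(include_files_yaml(find_requirements(Path("."), max_depth=6)), end="")
```

Review the output before pasting it into your policy file: the heuristic is deliberately permissive, so a stray .txt file of one-word lines can be misclassified.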
