Applying Fixes
Last updated
When performing a safety scan, Safety provides a list of the vulnerabilities detected and, where available, recommended fixes for each. Safety CLI can automatically update requirements files based on these recommendations by using the safety scan --apply-fixes command.
Summary
Where possible, updates to requirements files are applied automatically using the closest package version in which the detected vulnerability has been resolved.
Upgrades are performed in accordance with the Policy File, which limits automatic upgrades to patch, minor, or major updates. Any upgrades beyond the policy-defined threshold will result in a prompt (Y/N/Skip) that must be responded to by the user.
When no fixes are available, a message is displayed to that effect.
Safety CLI does not download or install packages. Instead, requirements files are updated.
Safety can apply recommended security updates by including the --apply-fixes command.
safety scan --apply-fixes
In this example, Safety has automatically updated the package versions in the requirements.txt file. Our policy file has a threshold limiting automatic upgrades to patches and minor upgrades only. As a result, the user is asked whether or not they wish to upgrade to the new version of the last package.
The Safety policy file referenced when performing the scan includes the automatic update threshold, beyond which the user will be prompted to confirm whether or not they wish to update packages with known vulnerabilities.
This threshold is necessary to prevent Safety from applying updates that could impact projects, e.g. by upgrading to a new major version with breaking changes.
To set the maximum version change that Safety will apply without user input, append that limit to the command, e.g. safety scan --apply-fixes requirements.txt minor. Possible values are: major, minor, patch. The default value is patch.
In both cases, the value used is an upper limit. Using major is equivalent to automatically applying all the fixes without user input.
Examples:
This will update the requirements.txt file (and any other requirements files it references) with all the security remediations that are minor or patch updates. If a remediation requires a major version update, Safety will ask the user whether they want to make this change.
safety scan --apply-fixes requirements.txt major
In this case, as major was used, all the remediations will be automatically applied in the file and in any of its recursively included files.
If you want to ensure that Safety will not wait for user input, the --no-prompt flag will apply all automatic fix updates that fall within the --auto-security-updates-limit limit, and ignore those that require user input.
safety scan -r requirements.txt --apply-fixes -afl minor --no-prompt
This will apply all patch and minor version security updates to requirements.txt and ignore any major version updates, with no user input prompt.
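The upper-limit rule described above, as an added illustration that is not Safety's own code: each recommended fix version is classified as a patch, minor or major change, applied when it is within the limit, and otherwise either prompted for or, under --no-prompt, skipped. The package names, pinned versions and fix versions are constructed sample data, and versions are assumed to be simple dotted numbers rather than full PEP 440 strings.

```python
from typing import Literal

Limit = Literal["patch", "minor", "major"]
RANK = {"patch": 0, "minor": 1, "major": 2}

# Constructed sample: current pins and the fix version a scan might recommend.
REQUIREMENTS = {"requests": "2.25.0", "django": "3.2.0", "pyyaml": "5.3"}
FIXES = {"requests": "2.31.0", "django": "4.2.7", "pyyaml": "5.4"}


def parse(version: str) -> tuple[int, ...]:
    """Split a dotted numeric version into ints, padded to at least three parts."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (3 - len(parts))


def change_kind(current: str, target: str) -> Limit:
    """Classify an upgrade by the leftmost version component that changes."""
    cur, tgt = parse(current), parse(target)
    if tgt <= cur:
        raise ValueError(f"fix version {target} is not newer than {current}")
    if cur[0] != tgt[0]:
        return "major"
    if cur[1] != tgt[1]:
        return "minor"
    return "patch"


def decide(current: str, target: str, limit: Limit, no_prompt: bool) -> str:
    """'apply' within the limit; beyond it 'prompt', or 'skip' when --no-prompt is set."""
    if RANK[change_kind(current, target)] <= RANK[limit]:
        return "apply"
    return "skip" if no_prompt else "prompt"


def apply_fixes(requirements, fixes, limit: Limit, no_prompt: bool):
    """Return the updated pins and a per-package decision log; the file itself is untouched."""
    updated, log = dict(requirements), {}
    for name, target in fixes.items():
        if name in requirements:
            log[name] = decide(requirements[name], target, limit, no_prompt)
            if log[name] == "apply":
                updated[name] = target
    return updated, log


if __name__ == "__main__":
    pins, log = apply_fixes(REQUIREMENTS, FIXES, "minor", no_prompt=True)
    for name, version in pins.items():
        print(f"{name}=={version}  # {log.get(name, 'no fix')}")
```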