
How to Automate Vulnerability Scanning for PyPI Packages

Crista Perlton

This article is part of a series on Effective Package Management in Python, also available as a chapter in our free, downloadable eBook

Did you know that 46% of Python libraries in PyPI have security vulnerabilities? Of those, 11% can pose high-severity risks.

Regularly scanning for vulnerabilities is the best way to protect against newly disclosed vulnerabilities and the risks they bring.

I’m here to tell you:

  • What vulnerable packages are and who finds them
  • How to automatically scan for them
  • Why you need an automatic scanner

Vulnerabilities exposed

So, what makes a vulnerable package, well, vulnerable?

Vulnerable packages have exploitable weaknesses that are discovered, sometimes years after the package was released. These vulnerabilities weren’t put there on purpose; they are defects that were later discovered.

According to a 2021 Cornell University study, researchers found nearly 750,000 vulnerabilities after running nearly 200,000 Python packages through an analysis tool.

Let that sink in! Seven hundred and fifty thousand!

Even if only 11% of those were high-severity risks, that’s still 82,500 pre-existing vulnerabilities!

Remember, vulnerabilities occur naturally, so you will run into them. They’re found by researchers or NGOs who proactively search for them.

Once found, CVE (Common Vulnerabilities and Exposures) and GitHub advisories collect, evaluate, and categorize them based on the severity level.

The real danger of vulnerable packages is not knowing that you’re in danger at all! Not to mention, not being aware of the vulnerability’s effect or how to fix it.

Start scanning right now

ProGet’s Vulnerability Scanning feature scans and assesses all of your packages on a routine basis (daily at 2 am). It lets you set rules so that high-severity packages are blocked from even being downloaded. The vulnerability scanner also remembers your decisions from previous instances and applies them to newly scanned packages.

You’ll get to see all of the information you typically would from manually scanning packages, but you don’t need to remember to scan by yourself; ProGet remembers for you!

5 easy steps to scan automatically

ProGet also has a broader range of vulnerability references compared to alternative scanners because it uses CVE and NVD. When you’re ready to set up automated scanning, you just set it and forget it (until something pops up, of course):

  1. Create or log into your OSS Index Account on Sonatype.
  2. Locate your Sonatype API key.
  3. Configure your ProGet feed’s vulnerability source with your API key.
    Tip: Here you can manually scan instead of waiting for the daily 2 am scan to take place.
  4. Assess package vulnerabilities with options like Ignore, Caution, and Blocked.
    Tip: Assess them one by one or in bulk automatically.
  5. Customize vulnerability assessment to get full control of your vulnerability scanning.
    Tip: Use customization in tandem with a package approval workflow.
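The assessment logic in steps 4 and 5 (a severity-based default of Ignore, Caution or Blocked, overridden by decisions a reviewer already made) can be modelled in a few lines. This is an added illustration, not ProGet's own code or its data model; the advisory ids, package names, version ranges and the severity-to-assessment policy are all constructed assumptions.

```python
# Constructed sample advisories for this example; ids, packages and version
# ranges are made up and do not refer to real CVEs.
ADVISORIES = [
    {"id": "ADV-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2", "severity": "HIGH"},
    {"id": "ADV-0002", "package": "examplelib", "introduced": "1.3.0", "fixed": "1.5.0", "severity": "MEDIUM"},
    {"id": "ADV-0003", "package": "otherlib", "introduced": "0.1.0", "fixed": "2.0.0", "severity": "LOW"},
]
# Assumed default policy: assessment applied to an unreviewed vulnerability of
# each severity. Blocked stops the download; Caution warns; Ignore allows it.
DEFAULT_POLICY = {"CRITICAL": "Blocked", "HIGH": "Blocked", "MEDIUM": "Caution", "LOW": "Ignore"}
RANK = {"Clean": 0, "Ignore": 1, "Caution": 2, "Blocked": 3}

def parse_version(text):
    """Turn a dotted release string such as '1.4.2' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))

def matching_advisories(package, version, advisories=ADVISORIES):
    """Advisories whose affected range [introduced, fixed) contains version."""
    v = parse_version(version)
    return [a for a in advisories if a["package"] == package
            and parse_version(a["introduced"]) <= v < parse_version(a["fixed"])]

def assess(advisory, policy, remembered):
    """Reuse an earlier reviewer decision for this advisory id, else apply policy."""
    return remembered.get(advisory["id"], policy[advisory["severity"]])

def scan_feed(packages, advisories=ADVISORIES, policy=DEFAULT_POLICY, remembered=None):
    """Assess each (package, version) pair; a package takes its worst assessment."""
    remembered = remembered or {}
    results = {}
    for package, version in packages:
        found = matching_advisories(package, version, advisories)
        assessments = [assess(a, policy, remembered) for a in found] or ["Clean"]
        results[(package, version)] = max(assessments, key=RANK.__getitem__)
    return results

if __name__ == "__main__":
    feed = [("examplelib", "1.3.5"), ("examplelib", "1.5.0"), ("otherlib", "1.2.0")]
    print(scan_feed(feed))
    # A reviewer earlier marked ADV-0001 as Ignore (say, the vulnerable code
    # path is never called); the scanner applies that decision again.
    print(scan_feed(feed, remembered={"ADV-0001": "Ignore"}))
```

Note that the remembered decision is keyed by advisory, so it carries over to any newly scanned version that the same advisory still affects, which is the behaviour the page describes.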

Stay vigilant with regular scans

Scanning is a sure way to proactively protect your organization from any vulnerability risks—but it has to be done regularly! Remember, you don’t know and can’t predict when a vulnerability might be discovered.

Automated routine scanning helps you maintain secure libraries, and, when used alongside human intelligence to assess the results, you’ll be safe from any vulnerabilities.

This was a lot of information, and I recommend keeping this article on hand for when you need a refresher! Better yet, why not grab a copy of our guide Effective Package Management in Python? Beyond including everything in this article, it also covers dependency management, scripting best practices, CI/CD pipelines, and GUI generation with Python. To learn more about how you can implement Python in your organization, sign up for your free copy today!
