user

How to Automate Vulnerability Scanning for PyPI Packages

Introduction

Crista Perlton

Crista Perlton

LATEST POSTS

How Licenses Work with Chocolately 22nd March, 2024

How to Handle npm Dependencies with Lock Files 16th January, 2024

Python

How to Automate Vulnerability Scanning for PyPI Packages

Posted by Crista Perlton on .

Did you know that 46% of Python libraries in PyPI have vulnerability security problems? Of those, 11% can pose high-severity risks.

Regularly scanning for vulnerabilities is the best way to protect against vulnerabilities that pop up and the risks that they bring.

I’m here to tell you:

  • What vulnerable packages are and who finds them
  • How to automatically scan for them;
  • Why you need to get an automatic scanner

Vulnerabilities exposed

So, what makes a vulnerable package, well, vulnerable?

Vulnerable packages have exploitable weaknesses that are discovered sometimes years after the package has already been out. These vulnerabilities weren’t put there on purpose but rather discovered.

According to a 2021 Cornell University study, a study team found nearly 750,000 vulnerabilities after pushing nearly 200,000 Python packages through an analysis tool.

Let that sink in! Seven hundred and fifty thousand!

Even if only 11% of those were high-severity risks, that’s still 82,500 pre-existing vulnerabilities!

Remember, vulnerabilities occur naturally, so you will run into them. They’re found by researchers or NGOs who proactively search for them.

Once found, CVE (Common Vulnerabilities and Exposures) and GitHub advisories collect, evaluate, and categorize them based on the severity level.

The real danger of vulnerable packages is not knowing that you’re in danger at all! Now to mention, not being aware of the vulnerability’s effect or how to fix it.

Start scanning right now

ProGet’s Vulnerability Scanning feature scans and assesses all of your packages on a routine basis (daily at 2 am). It lets you set rules so that high-severity packages are blocked from even being downloaded. The vulnerability scanner also remembers your decisions from previous instances and applies them to newly scanned packages.

You’ll get to see all of the information you typically would from manually scanning packages, but you don’t need to remember to scan by yourself; ProGet remembers for you!

5 easy steps to scan automatically

ProGet also has a broader range of vulnerability references compared to alternative scanners because it uses CVE and NVD. When you’re ready to set up automated scanning, you just set it and forget it (until something pops up, of course):

  1. Create or log into your OSS Index Account on Sonatype.
  2. Locate your Sonatype API key.
  3. Configure your ProGet feed’s vulnerability source with your API key.
    Tip: Here you can manually scan instead of waiting for the daily 2 am scan to take place.
  4. Assess package vulnerabilities with options like Ignore, Caution, and Blocked.
    Tip: Assess them one by one or in bulk automatically.
  5. Customize vulnerability assessment to get full control of your vulnerability scanning.
    Tip: Use customization in tandem with a package approval workflow.

Stay vigilant with regular scans

Scanning is a sure way to proactively protect your organization from any vulnerability risks—but it has to be done regularly! Remember, you don’t know and can’t predict when a vulnerability might be discovered.

Automated routine scanning helps you maintain secure libraries, and, when used alongside human intelligence to assess the results, you’ll be safe from any vulnerabilities.

Read: How to Scan & Block Vulnerabilities in ProGet
Crista Perlton

Crista Perlton

View Comments (0) ...
Navigation