How to Automate Vulnerability Scanning for PyPI Packages
by Crista Perlton, on Apr 13, 2022 3:21:00 AM
Did you know that 46% of Python libraries in PyPI have vulnerability security problems? Of those, 11% can pose high-severity risks.
Regularly scanning for vulnerabilities is the best way to protect against vulnerabilities that pop up and the risks that they bring.
I’m here to tell you:
- What vulnerable packages are and who finds them
- How to automatically scan for them
- Why you need to get an automatic scanner
So, what makes a vulnerable package, well, vulnerable?
Vulnerable packages have exploitable weaknesses that are discovered sometimes years after the package has already been out. These vulnerabilities weren’t put there on purpose but rather discovered.
According to a 2021 Cornell University study, a study team found nearly 750,000 vulnerabilities after pushing nearly 200,000 Python packages through an analysis tool.
Let that sink in: Seven hundred and fifty thousand!
Even if only 11% of those were high-severity risks, that’s still 82,500 pre-existing vulnerabilities!
Remember, vulnerabilities occur naturally—so you will run into them. They’re found by researchers or NGOs who proactively search for them.
Once found, CVE (Common Vulnerabilities and Exposures) and GitHub advisories collect, evaluate, and categorize them based on the severity level.
The real danger of vulnerable packages is not knowing that you’re in danger at all! Now to mention, not being aware of the vulnerability’s effect or how to fix it.
Start scanning right now
ProGet’s Vulnerability Scanning feature scans and assesses all of your packages on a routine basis (daily at 2 am). It lets you set rules so that high-severity packages are blocked from even being downloaded. The vulnerability scanner also remembers your decisions from previous instances and applies them to newly scanned packages.
You’ll get to see all of the information you typically would from manually scanning packages, but you don’t need to remember to scan by yourself; ProGet remembers for you!
5 easy steps to scan automatically
ProGet also has a broader range of vulnerability references compared to alternative scanners because it uses CVE and NVD. When you’re ready to set up automated scanning, you just set it and forget it (until something pops up, of course):
- Create or login into your OSS Index Account on Sonatype.
- Locate your Sonatype API key.
- Configure your ProGet feed’s vulnerability source with your API key.
Tip: Here you can manually scan instead of waiting for the daily 2 am scan to take place.
- Assess package vulnerabilities with options like Ignore, Caution, and Blocked.
Tip: Assess them one-by-one or in bulk automatically.
- Customize vulnerability assessment to get full control of your vulnerability scanning.
Tip: Use customization in tandem with a package approval workflow.
Stay vigilant with regular scans
Scanning is a sure way to proactively protect your organization from any vulnerability risks—but it has to be done regularly! Remember, you don’t know—and can’t predict—when a vulnerability might be discovered.
Automated routine scanning helps you maintain secure libraries—and used alongside human intelligence to assess the results, you’ll be safe from any vulnerabilities.