Python Security Tools

Free, open-source security scripts for dependency auditing, vulnerability scanning, and supply chain protection. One third-party dependency — the scripts use the Python standard library plus `requests`.

Tools

1. Dependency Vulnerability Scanner

Queries OSV.dev for every `name==version` pin reported by `pip freeze` in the current environment (the script below does not read requirements.txt, and NVD / GitHub Advisory lookups live in the separate scripts further down).

import subprocess
import sys

import requests

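def scan_dependencies():
    """Report known vulnerabilities for the packages installed in this environment.

    Runs ``pip freeze`` through the *current* interpreter (``sys.executable -m pip``),
    so a ``pip`` shim for a different Python earlier on PATH cannot be picked up
    and the scanned set is really the one this interpreter imports.  Each
    ``name==version`` line is then checked against OSV.dev.  Lines that are not
    plain pins (editable ``-e`` installs, ``pkg @ url`` references) carry no
    version OSV can match and are skipped.

    Returns:
        list of ``(name, version, vuln_id)`` tuples, one per advisory found.
        A package whose OSV lookup fails (network error, non-2xx response,
        non-JSON body) is printed as UNCHECKED and excluded from the result
        rather than being silently counted as clean.

    Raises:
        RuntimeError: if ``pip freeze`` exits non-zero; an empty package list
            from a failed pip run would otherwise read as a clean scan.
    """
    result = subprocess.run(
        [sys.executable, '-m', 'pip', 'freeze'],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:
        raise RuntimeError(f"pip freeze failed: {result.stderr.strip()}")

    packages = {}
    for line in result.stdout.splitlines():
        name, sep, version = line.strip().partition('==')
        if sep and name and version:
            # OSV matches on the PyPI project name; lower-casing covers the
            # case differences pip freeze output most often shows.
            packages[name.lower()] = version

    print(f"Scanning {len(packages)} packages...\n")
    vulnerable = []
    unchecked = []

    for name, version in packages.items():
        # OSV.dev carries PyPI-specific advisories (PYSEC/GHSA ids), not only CVEs.
        try:
            resp = requests.post(
                'https://api.osv.dev/v1/query',
                json={'package': {'name': name, 'ecosystem': 'PyPI'}, 'version': version},
                timeout=30,
            )
            resp.raise_for_status()
            vulns = resp.json().get('vulns', [])
        except (requests.RequestException, ValueError) as exc:
            # A failed lookup must never be mistaken for "no known vulnerabilities".
            print(f"  UNCHECKED: {name}=={version} ({exc})")
            unchecked.append((name, version))
            continue
        for v in vulns:
            severity = v.get('database_specific', {}).get('severity', 'UNKNOWN')
            print(f"  VULN: {name}=={version} — {v['id']} ({severity})")
            vulnerable.append((name, version, v['id']))

    summary = f"\nResult: {len(vulnerable)} vulnerabilities in {len(packages)} packages"
    if unchecked:
        summary += f" ({len(unchecked)} could not be checked)"
    print(summary)
    return vulnerable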

def _main():
    """Script entry point: scan the current environment and print findings."""
    scan_dependencies()


if __name__ == "__main__":
    _main()

2. EPSS Risk Scorer

Adds an exploit probability (EPSS) to each CVE finding — so you prioritize the vulnerabilities attackers are actually exploiting, not just the ones with the highest CVSS score.

import requests

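def get_epss_scores(cve_ids):
    """Look up EPSS exploit-probability scores for a list of CVE ids.

    One request per id is sent to the FIRST.org EPSS API.  The id is passed
    through ``params`` so it is URL-encoded: an id copied from an advisory or
    scanner output cannot splice extra query parameters into the request.

    Args:
        cve_ids: iterable of CVE identifiers such as ``"CVE-2021-44228"``.
            An empty iterable yields an empty list without any request.

    Returns:
        list of dicts with keys ``cve``, ``probability`` (percentage string),
        ``percentile`` (ordinal string) and ``risk`` (``HIGH`` above 10 %,
        ``MEDIUM`` above 1 %, otherwise ``LOW``).  Ids the API has no record
        for are omitted.

    Raises:
        requests.RequestException: on a network failure or non-2xx response
            (including 429 when the API's rate limit is hit).
    """
    results = []
    for cve_id in cve_ids:
        resp = requests.get(
            'https://api.first.org/data/v1/epss',
            params={'cve': cve_id},
            timeout=30,
        )
        resp.raise_for_status()
        records = resp.json().get('data') or []
        if not records:
            continue
        score = float(records[0].get('epss', 0))
        percentile = float(records[0].get('percentile', 0))
        results.append({
            'cve': cve_id,
            'probability': f"{score*100:.2f}%",
            'percentile': f"{percentile*100:.0f}th",
            'risk': _epss_risk(score),
        })
    return results


def _epss_risk(score):
    """Bucket an EPSS probability: >10 % HIGH, >1 % MEDIUM, otherwise LOW."""
    if score > 0.1:
        return 'HIGH'
    if score > 0.01:
        return 'MEDIUM'
    return 'LOW'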

3. Supply Chain Checker

Flags package names that are suspiciously similar to popular packages, and looks up a package's first-upload date and release count on PyPI so brand-new or single-release packages stand out.

import requests
from difflib import SequenceMatcher

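POPULAR_PACKAGES = [
    'requests', 'flask', 'django', 'numpy', 'pandas', 'boto3',
    'pyyaml', 'cryptography', 'pillow', 'sqlalchemy', 'celery',
    'fastapi', 'httpx', 'pydantic', 'pytest', 'black',
]

# SequenceMatcher ratio above which a name is reported as a look-alike.
TYPOSQUAT_THRESHOLD = 0.85


def _normalize_name(name):
    """Normalise a distribution name the way PyPI compares them (PEP 503).

    Lower-case, with any run of ``-``, ``_`` or ``.`` collapsed to a single
    ``-``: ``Requests``, ``requests`` and ``REQUESTS`` are the same project.
    """
    name = name.strip().lower().replace('_', '-').replace('.', '-')
    while '--' in name:
        name = name.replace('--', '-')
    return name


def check_typosquatting(package_name):
    """Check whether *package_name* looks like a misspelling of a popular package.

    Names are PEP 503-normalised before comparison, so a case or separator
    variant of a legitimate package (``Requests``, ``PyYAML``) is recognised
    as that package and not reported as a look-alike of it.

    Args:
        package_name: distribution name as found in a requirements file or
            ``pip freeze`` output.

    Returns:
        ``None`` when the name is itself a popular package or resembles none
        of them; otherwise a dict with ``package`` (the name as given),
        ``similar_to`` (the first popular package whose SequenceMatcher ratio
        exceeds ``TYPOSQUAT_THRESHOLD``), ``similarity`` (percentage string)
        and a fixed ``warning``.  A hit is a prompt to verify the package,
        not proof of malice: short names can score high by chance.
    """
    candidate = _normalize_name(package_name)
    if candidate in {_normalize_name(p) for p in POPULAR_PACKAGES}:
        return None
    for popular in POPULAR_PACKAGES:
        ratio = SequenceMatcher(None, candidate, _normalize_name(popular)).ratio()
        if ratio > TYPOSQUAT_THRESHOLD:
            return {
                'package': package_name,
                'similar_to': popular,
                'similarity': f"{ratio*100:.0f}%",
                'warning': 'Possible typosquatting',
            }
    return None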

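def check_package_age(package_name):
    """Fetch first-upload date, release count and latest version from PyPI.

    Age is a weak but useful supply-chain signal: a name first uploaded days
    ago with a single release deserves a closer look than a project with
    years of history.

    Args:
        package_name: distribution name.  It is percent-encoded before being
            placed in the URL path, so a name containing ``/``, ``?`` or
            ``..`` cannot redirect the request to a different endpoint.

    Returns:
        ``None`` when PyPI returns anything but 200 or lists no releases;
        otherwise a dict with ``package``, ``first_upload`` (ISO 8601 string
        of the earliest file upload across all releases, or ``None`` if no
        release has files), ``total_versions`` and ``latest``.

    Note:
        The earliest upload is found by comparing the ``upload_time`` of every
        file in every release.  Version strings cannot be used for this:
        ``min()`` on them is lexical (``"10.0" < "2.0"``) and the lowest
        version number is not necessarily the first one published.
        NOTE(review): PyPI documents the ``releases`` key of this endpoint as
        legacy — confirm it is still served before depending on it long-term.
    """
    from urllib.parse import quote

    resp = requests.get(
        f'https://pypi.org/pypi/{quote(package_name, safe="")}/json',
        timeout=30,
    )
    if resp.status_code != 200:
        return None
    data = resp.json()
    releases = data.get('releases', {})
    if not releases:
        return None
    # upload_time is "YYYY-MM-DDTHH:MM:SS", so string order is chronological.
    upload_times = [
        f['upload_time']
        for files in releases.values()
        for f in files
        if f.get('upload_time')
    ]
    return {
        'package': package_name,
        'first_upload': min(upload_times) if upload_times else None,
        'total_versions': len(releases),
        'latest': data['info']['version'],
    }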

4. GitHub Advisory Scanner

import requests

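def search_advisories(package_name, ecosystem='pip', token=None):
    """List reviewed GitHub Security Advisories that affect *package_name*.

    Uses the REST global-advisories endpoint, which works without a token
    (the GraphQL API would require one).  The package filter is sent as the
    ``affects`` query parameter; without it the endpoint returns the newest
    reviewed advisories for the whole ecosystem, regardless of the package
    asked for.

    Args:
        package_name: distribution name, optionally ``name@version`` to limit
            results to advisories affecting that exact version.
        ecosystem: GitHub ecosystem slug; ``'pip'`` selects PyPI packages.
        token: optional GitHub token.  Unauthenticated calls share a low
            per-IP rate limit; pass a token when scanning many packages.

    Returns:
        the decoded JSON list of advisory objects (``ghsa_id``, ``summary``,
        ``severity``, ``vulnerabilities`` with version ranges, ...).

    Raises:
        requests.HTTPError: on a non-2xx response, including 403/429 when the
            rate limit is exhausted.
    """
    headers = {
        'Accept': 'application/vnd.github+json',
        'X-GitHub-Api-Version': '2022-11-28',
    }
    if token:
        headers['Authorization'] = f'Bearer {token}'
    resp = requests.get(
        'https://api.github.com/advisories',
        params={'type': 'reviewed', 'ecosystem': ecosystem, 'affects': package_name},
        headers=headers,
        timeout=30,
    )
    resp.raise_for_status()
    return resp.json()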

Quick Start

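# Clone and run
git clone https://github.com/spinov001-art/python-security-tools
cd python-security-tools

# Install requests (the only third-party dependency) with the interpreter's
# own pip, so it lands in the same environment the scanner will inspect
python -m pip install requests

# Scan the packages installed in the current environment
python scan.py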

Free Security APIs Used

API What It Checks Auth
OSV.dev Open source vulnerabilities None
NVD CVE database (200K+) None (listed for reference; none of the scripts above calls it)
EPSS Exploit probability None
PyPI Package metadata None
GitHub Advisory Security advisories Optional

Related

Need Custom Security/Scraping Solutions?

$250 flat rate — custom security scanners, vulnerability assessors, and data extraction tools built in 48 hours. 78+ production scrapers on Apify Store.

📧 spinov001@gmail.com — describe your need, get a free quote within 2 hours.


License

MIT

About

🔒 10 Python scripts for security recon: subdomain finder, port scanner, WHOIS lookup, SSL checker, vulnerability scanner. All using free APIs.
