Metadata-Version: 2.4
Name: lockfile-audit
Version: 0.1.0
Summary: Scan Python dependency files for known security vulnerabilities across OSV, NVD, and GitHub Advisory Database with EPSS exploit-probability scoring.
License: MIT
Keywords: security,vulnerabilities,dependencies,audit,CVE
Author: lockfile-audit contributors
Requires-Python: >=3.9,<4.0
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Systems Administration
Classifier: Typing :: Typed
Requires-Dist: anyio (>=4.0.0)
Requires-Dist: httpx (>=0.25.0)
Requires-Dist: packaging (>=23.0)
Requires-Dist: pydantic (>=2.0.0)
Requires-Dist: pyyaml (>=6.0)
Requires-Dist: rich (>=13.0.0)
Requires-Dist: tomli (>=2.0.0) ; python_version < "3.11"
Requires-Dist: typer (>=0.9.0)
Project-URL: Documentation, https://lockfile-audit.readthedocs.io
Project-URL: Homepage, https://github.com/lockfile-audit/lockfile-audit
Project-URL: Repository, https://github.com/lockfile-audit/lockfile-audit
Description-Content-Type: text/markdown

# lockfile-audit

[![PyPI version](https://img.shields.io/pypi/v/lockfile-audit.svg)](https://pypi.org/project/lockfile-audit/)
[![Python versions](https://img.shields.io/pypi/pyversions/lockfile-audit.svg)](https://pypi.org/project/lockfile-audit/)
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
[![CI](https://github.com/lockfile-audit/lockfile-audit/actions/workflows/ci.yml/badge.svg)](https://github.com/lockfile-audit/lockfile-audit/actions)
[![Coverage](https://img.shields.io/codecov/c/github/lockfile-audit/lockfile-audit)](https://codecov.io/gh/lockfile-audit/lockfile-audit)
[![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/astral-sh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)

---

## Why lockfile-audit?

`pip-audit` is a solid tool, but it queries only the PyPA/OSV advisory database — leaving your project blind to CVEs that exist in NVD or the GitHub Advisory Database but haven't yet been cross-referenced in OSV. On top of that, every tool in this space gives you a flat list sorted by CVSS score, which doesn't tell you which vulnerabilities are *actually being exploited in the wild right now*.

`lockfile-audit` solves both problems:

1. **Broader coverage** — queries OSV, NVD, and GitHub Advisory Database in parallel and deduplicates the results into a single unified report.
2. **Exploit-probability prioritization** — enriches every finding with its [EPSS score](https://www.first.org/epss/) (probability of exploitation in the next 30 days), so your team can triage a CVSS 9.8 with a 0.1% exploit probability differently from a CVSS 7.5 that is actively being weaponized.

| Feature | pip-audit | lockfile-audit |
|---|---|---|
| OSV / PyPA database | ✅ | ✅ |
| NVD (NIST) database | ❌ | ✅ |
| GitHub Advisory Database | ❌ | ✅ |
| EPSS exploit-probability scores | ❌ | ✅ |
| SARIF output (GitHub Code Scanning) | ❌ | ✅ |
| Ignore file with expiry enforcement | ❌ | ✅ |
| Async parallel DB queries | ❌ | ✅ |
| `requirements.txt` parsing | ✅ | ✅ |
| `pyproject.toml` parsing | ✅ | ✅ |
| `poetry.lock` parsing | ✅ | ✅ |

---

## Installation

**pip:**

