Metadata-Version: 2.4
Name: pyvulscan
Version: 0.1.2
Summary: Vulnerability scanner for Python dependencies using the OSV API
Project-URL: Homepage, https://github.com/statspyml/pyau
Project-URL: Issues, https://github.com/statspyml/pyau/issues
Author-email: Rodrigo Polverari <rodrigo.pp.toledo@gmail.com>
License: MIT
License-File: LICENSE
Keywords: audit,dependencies,osv,security,vulnerabilities
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Requires-Python: >=3.11
Requires-Dist: cvss>=2.6
Requires-Dist: requests>=2.28.0
Provides-Extra: mcp
Requires-Dist: fastmcp>=0.1; extra == 'mcp'
Provides-Extra: service
Requires-Dist: alembic>=1.13; extra == 'service'
Requires-Dist: apscheduler>=3.10; extra == 'service'
Requires-Dist: fastapi>=0.110; extra == 'service'
Requires-Dist: psycopg2-binary>=2.9; extra == 'service'
Requires-Dist: sqlalchemy>=2.0; extra == 'service'
Requires-Dist: uvicorn[standard]>=0.29; extra == 'service'
Description-Content-Type: text/markdown

# pyvulscan

Vulnerability scanner for Python dependencies using the [OSV API](https://osv.dev/).

Supports `uv.lock`, `poetry.lock`, `pyproject.toml`, and `requirements.txt` — no environment activation needed.

## Install

```bash
pip install pyvulscan
```

## Usage

```bash
# Auto-detect lockfile in current project
pyvulscan pyproject.toml

# Scan only direct dependencies (not transitive)
pyvulscan pyproject.toml --direct-only

# Scan a specific lockfile
pyvulscan uv.lock
pyvulscan poetry.lock

# JSON output (for CI/CD integration)
pyvulscan pyproject.toml --json

# Exit with code 1 if vulnerabilities found (CI gate)
pyvulscan pyproject.toml --exit-code

# Include dev dependencies (Poetry only)
pyvulscan pyproject.toml --group main --group dev
```

## How it works

1. Parses your lockfile to get exact resolved versions
2. Sends a single batch request to the OSV API
3. Fetches full details (severity, fix version) for each vulnerability found
4. Reports findings with CVSS score, label, and recommended fix version
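The four steps above, as an added example that is not pyvulscan's own code: it pins a constructed `requirements.txt`, builds one OSV `/v1/querybatch` request, fetches each hit's `/v1/vulns/{id}` record, and reports a CVSS label plus the lowest `fixed` version. The HTTP transport is injectable (`fetch`), so the constructed responses below (placeholder advisory id `EXAMPLE-0001`, not a real OSV entry) let the whole flow run offline; the real transport uses `requests`, and the base score is computed with the `cvss` package when it is installed, otherwise the label is `UNKNOWN`.

```python
"""Added example (not pyvulscan's code): lockfile pins -> OSV querybatch -> details -> report."""
import re
from typing import Callable, Optional

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"       # real OSV endpoints
OSV_VULN = "https://api.osv.dev/v1/vulns/{vuln_id}"

# Transport: (method, url, json_body) -> decoded JSON. Injected so the flow runs offline.
Fetcher = Callable[[str, str, Optional[dict]], dict]

def http_fetch(method: str, url: str, body: Optional[dict] = None) -> dict:
    """Real transport; `requests` is imported lazily so the offline path needs no network deps."""
    import requests
    resp = requests.request(method, url, json=body, timeout=30)
    resp.raise_for_status()
    return resp.json()

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*==\s*([^\s;]+)")

def parse_requirements(text: str) -> list[tuple[str, str]]:
    """Step 1: keep exact '==' pins only; OSV matches a concrete version, not a range."""
    pins = []
    for raw in text.splitlines():
        m = PIN_RE.match(raw.split("#", 1)[0].strip())   # drop comments, then match
        if m:
            pins.append((m.group(1).lower().replace("_", "-"), m.group(2)))
    return pins

def build_querybatch(pins: list[tuple[str, str]]) -> dict:
    """Step 2: a single request body covering every pin (OSV querybatch schema)."""
    return {"queries": [{"package": {"name": n, "ecosystem": "PyPI"}, "version": v} for n, v in pins]}

def vector_to_score(vector: str) -> Optional[float]:
    """Base score from a CVSS v3 vector via the `cvss` package; None when it is not installed."""
    try:
        from cvss import CVSS3
    except ImportError:
        return None
    return CVSS3(vector).scores()[0]

def cvss_label(score: Optional[float]) -> str:
    """CVSS v3.x qualitative rating scale."""
    if score is None:
        return "UNKNOWN"
    if score == 0:
        return "NONE"
    return "LOW" if score < 4.0 else "MEDIUM" if score < 7.0 else "HIGH" if score < 9.0 else "CRITICAL"

def _version_key(v: str) -> tuple:
    # Crude numeric key to pick the lowest fix; a real tool would use packaging.version.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def fixed_version(vuln: dict, package: str) -> Optional[str]:
    """Lowest 'fixed' event in the PyPI ECOSYSTEM ranges that name this package."""
    fixes = []
    for aff in vuln.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != "PyPI" or pkg.get("name", "").lower() != package:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") == "ECOSYSTEM":
                fixes += [e["fixed"] for e in rng.get("events", []) if "fixed" in e]
    return min(fixes, key=_version_key) if fixes else None

def scan(requirements_text: str, fetch: Fetcher = http_fetch, scorer=vector_to_score) -> list[dict]:
    """Steps 1-4 end to end: one finding per (package, vulnerability) pair."""
    pins = parse_requirements(requirements_text)
    batch = fetch("POST", OSV_QUERYBATCH, build_querybatch(pins))
    findings = []
    for (name, version), result in zip(pins, batch.get("results", [])):
        for hit in result.get("vulns", []):               # querybatch returns ids only
            detail = fetch("GET", OSV_VULN.format(vuln_id=hit["id"]), None)   # step 3
            vector = next((s["score"] for s in detail.get("severity", [])
                           if s.get("type", "").startswith("CVSS_V3")), None)
            score = scorer(vector) if vector else None
            findings.append({"package": name, "version": version, "id": detail["id"],
                             "score": score, "label": cvss_label(score),
                             "fix": fixed_version(detail, name)})
    return findings

# Constructed sample input and OSV-shaped responses (EXAMPLE-0001 is a placeholder, not a real advisory).
SAMPLE_REQUIREMENTS = """\
requests==2.25.0
urllib3==1.26.4 ; python_version >= "3.7"
certifi>=2023.7.22   # unpinned: skipped
"""
SAMPLE_BATCH = {"results": [{"vulns": [{"id": "EXAMPLE-0001"}]}, {"vulns": []}]}
SAMPLE_DETAIL = {
    "id": "EXAMPLE-0001", "summary": "constructed sample advisory",
    "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
    "affected": [{"package": {"ecosystem": "PyPI", "name": "requests"},
                  "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]}]}],
}

def fake_fetch(method: str, url: str, body: Optional[dict] = None) -> dict:
    """Offline transport replaying the constructed responses."""
    return SAMPLE_BATCH if url == OSV_QUERYBATCH else SAMPLE_DETAIL

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUIREMENTS, fetch=fake_fetch):
        print(f"{f['package']}=={f['version']}: {f['id']} {f['label']} ({f['score']}) fix -> {f['fix']}")
```

The design choice worth noting is the two-phase query: `querybatch` answers every pin in one round trip but returns only ids, so the per-vulnerability detail fetch is where severity and fix data come from. Unpinned specifiers are deliberately skipped rather than guessed, which is why scanning a lockfile (exact resolved versions) gives more complete results than scanning a loose `requirements.txt`.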

## Development

```bash
# Install with dev dependencies
pip install -e ".[dev]"

# Run tests
pytest tests/

# Lint
ruff check src/
```
