Skip to content
Latchkey

Running pip-audit in GitHub Actions

Scan your Python dependencies for known vulnerabilities with pip-audit in CI.

pip-audit (from PyPA) checks installed packages or a requirements file against the Python Packaging Advisory Database. It is the Python analogue of npm audit and is easy to drop into CI either as a CLI or via the official action.

What you need

  • A requirements.txt, poetry.lock, or an installed environment to audit.
  • The pypa/gh-action-pip-audit action or pip install pip-audit.
  • Python set up in the workflow.

The workflow

Audit a requirements file using the official action.

.github/workflows/ci.yml
- uses: actions/setup-python@v5
  with:
    python-version: "3.12"

- uses: pypa/gh-action-pip-audit@v1.1.0
  with:
    inputs: requirements.txt

Common gotchas

  • Auditing the live environment requires installing deps first, which adds time.
  • Suppress accepted risks with --ignore-vuln IDs rather than disabling the whole step.
  • Poetry/PDM projects may need to export requirements first for accurate results.

Key takeaways

  • pip-audit checks Python deps against the PyPA advisory DB.
  • Use the pypa/gh-action-pip-audit action for a clean wire-up.
  • Ignore specific accepted vulns with --ignore-vuln.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →