Running pip-audit in GitHub Actions
Scan your Python dependencies for known vulnerabilities with pip-audit in CI.
pip-audit (from PyPA) checks installed packages or a requirements file against the Python Packaging Advisory Database. It is the Python analogue of npm audit and is easy to drop into CI either as a CLI or via the official action.
What you need
- A requirements.txt, poetry.lock, or an installed environment to audit.
- The pypa/gh-action-pip-audit action or pip install pip-audit.
- Python set up in the workflow.
The workflow
Audit a requirements file using the official action.
.github/workflows/ci.yml
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- uses: pypa/gh-action-pip-audit@v1.1.0
with:
inputs: requirements.txtCommon gotchas
- Auditing the live environment requires installing deps first, which adds time.
- Suppress accepted risks with --ignore-vuln IDs rather than disabling the whole step.
- Poetry/PDM projects may need to export requirements first for accurate results.
Key takeaways
- pip-audit checks Python deps against the PyPA advisory DB.
- Use the pypa/gh-action-pip-audit action for a clean wire-up.
- Ignore specific accepted vulns with --ignore-vuln.
Related guides
Running npm audit in GitHub ActionsGate your Node CI on npm audit in GitHub Actions: choose an audit level, handle transitive noise, and avoid f…
Adding Snyk to GitHub ActionsScan dependencies for vulnerabilities with Snyk in GitHub Actions, set a severity threshold, and upload SARIF…
Adding OSV-Scanner to GitHub ActionsScan lockfiles against the OSV database with Google OSV-Scanner in GitHub Actions using the reusable workflow…