How to install and use Safety

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains in detail how to install and use Safety. The editor finds it very practical and shares it for reference; I hope you get something out of it.

Safety

Safety is a vulnerability detection tool that helps researchers find known security vulnerabilities in the dependencies installed on a machine. By default, Safety queries the open Python vulnerability database, Safety DB, but with the --key option the tool can instead use pyup.io's Safety API.

Tool installation

Safety can be installed with pip; keep in mind that the current version of Safety only supports Python 3.5 and later:

pip install safety

Run the following command to scan the dependencies installed in the currently active virtual environment for known security vulnerabilities:

safety check

After running, we will see the report interface shown in the following figure:

Now let's install a dependency that is known to have security issues:

pip install insecure-package

Next, run the vulnerability detection command again:

safety check

The scan results this time are as follows:

Tool usage examples

Reading requirement files

Like pip, Safety can read local requirement files:

safety check -r requirements.txt

Reading from stdin

Safety can also read its input from stdin with the --stdin parameter. To scan a local dependency file this way, run:

cat requirements.txt | safety check --stdin

Alternatively, feed it the output of pip freeze:

pip freeze | safety check --stdin

Or check a single package pin:

echo "insecure-package==0.1" | safety check --stdin

Using Safety in Docker

Safety can also run as a Docker container:

echo "insecure-package==0.1" | docker run -i --rm pyupio/safety safety check --stdin

cat requirements.txt | docker run -i --rm pyupio/safety safety check --stdin

Using the Safety source code

The Safety source code provides some additional security features; once it is installed we can use the regular command-line version of Safety. Click [here] to get the Safety source code.

Using Safety through CI services

Safety can also be used in CI pipelines: it returns a non-zero exit status when the scan finds a vulnerability, which fails the build step.

Travis:

install:
  - pip install safety
script:
  - safety check

GitLab CI:

safety:
  script:
    - pip install safety
    - safety check

Tox:

[tox]
envlist = py37

[testenv]
deps =
    safety
    pytest
commands =
    safety check
    pytest

Deep GitHub Integration

If you want to integrate Safety deeply with your own GitHub repository, you can use the Safety service on pyup.io directly, namely Safety CI. Safety CI checks the dependencies in a GitHub repository's commits and pull requests for known security vulnerabilities and displays the results and status in GitHub.

Using Safety in production

Safety is free and open source, and its underlying open database is updated once a month. To get access to all newly added vulnerabilities without that delay, you need a Safety API key and a paid pyup.io account (about $99).

Tool options

--key

The API key for pyup.io's vulnerability database, passed on the command line or set in the SAFETY_API_KEY environment variable:

safety check --key=12345-ABCDEFGH

--db

The path to a directory holding a local copy of the database (insecure.json and insecure_full.json):

safety check --db=/home/safety-db/data

--proxy-host

IP address or DNS name of the proxy host

--proxy-port

Proxy port number

--proxy-protocol

Proxy protocol (https or http)

--json

Output the vulnerability report in JSON format:

safety check --json

[["django", "
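As an added example (not from this article or from the Safety project), the following Python gates a CI step on a Safety JSON report, tying together the CI section above and the --json option: it parses the legacy list-of-lists layout that the truncated output above begins with, groups findings per package, and fails unless every finding is on a reviewed allowlist. The sample report and the five-column row layout [package, affected_spec, installed_version, advisory, id] are assumptions about the legacy format; confirm them against the Safety version you run.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample of a "safety check --json" report in the legacy Safety 1.x
# layout: a list of [package, affected_spec, installed_version, advisory, id] rows
# (assumed from that version's output; later releases emit a richer object schema).
SAMPLE_REPORT = json.dumps([
    ["django", "<1.11.29", "1.11.0", "constructed advisory text", "CONSTRUCTED-1"],
    ["insecure-package", "<0.2.0", "0.1", "constructed advisory text", "CONSTRUCTED-2"],
    ["insecure-package", "<0.1.1", "0.1", "constructed advisory text", "CONSTRUCTED-3"],
])


def parse_report(raw: str) -> List[Dict[str, str]]:
    """Convert the list-of-lists report into dicts; fail closed on unexpected row shapes."""
    findings = []
    for row in json.loads(raw):
        if not isinstance(row, list) or len(row) < 5:
            # An unrecognised row means the format changed, not that the tree is clean.
            raise ValueError(f"unexpected report row: {row!r}")
        findings.append({"package": row[0], "affected": row[1], "installed": row[2],
                         "advisory": row[3], "id": str(row[4])})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group vulnerability ids by package so the CI log shows one line per dependency."""
    by_package: Dict[str, List[str]] = {}
    for f in findings:
        by_package.setdefault(f["package"], []).append(f["id"])
    return by_package


def ci_gate(raw: str, ignore_ids: Iterable[str] = ()) -> int:
    """Exit status for a pipeline step: 0 only if every reported id is on the allowlist.

    ignore_ids is a reviewed list of accepted findings; anything else fails the build,
    mirroring Safety's own non-zero exit status when it finds a vulnerability.
    """
    ignored = set(ignore_ids)
    open_findings = [f for f in parse_report(raw) if f["id"] not in ignored]
    for package, ids in summarize(open_findings).items():
        print(f"{package}: {len(ids)} open vulnerability(ies): {', '.join(ids)}")
    return 1 if open_findings else 0


if __name__ == "__main__":
    # Constructed run: one finding accepted, two remain open, so the step exits 1.
    raise SystemExit(ci_gate(SAMPLE_REPORT, ignore_ids={"CONSTRUCTED-1"}))
```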
