pip-audit
pip-audit is an open-source Python dependency security scanner developed by Trail of Bits with Google support. It audits Python environments, requirements files, and project dependencies for known security vulnerabilities by cross-referencing installed packages against the Python Packaging Advisory Database and the Open Source Vulnerabilities (OSV) database via PyPI's JSON API.

The tool integrates into CI/CD pipelines and supports multiple output formats, including JSON and SARIF. Its --fix flag provides automated remediation by upgrading vulnerable packages to secure versions, enabling dependency security management throughout the software development lifecycle without paid subscriptions or licensing.
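Because the JSON output is what a pipeline usually consumes, a practical companion to the description above is a small CI gate that reads a pip-audit JSON report and separates findings an upgrade can fix (candidates for --fix) from findings with no fixed release (which need a human decision). The script below is an added example, not code from pip-audit or Trail of Bits. It assumes the report shape of a top-level "dependencies" list whose entries carry "name", "version" and "vulns", each vuln carrying "id", "fix_versions" and "aliases"; the embedded sample report, its package names and its advisory ids are constructed placeholders.

```python
import json
import sys
from typing import Dict, List

# Constructed sample report in the assumed pip-audit --format json shape.
# Package names, versions and advisory ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "examplelib", "version": "1.0.0", "vulns": [
            {"id": "PYSEC-0000-00001", "fix_versions": ["1.0.1"],
             "aliases": ["CVE-0000-00001"], "description": "placeholder"}
        ]},
        {"name": "safelib", "version": "2.3.4", "vulns": []},
        {"name": "orphanlib", "version": "0.9.0", "vulns": [
            {"id": "PYSEC-0000-00002", "fix_versions": [],
             "aliases": [], "description": "placeholder"}
        ]},
    ]
})


def summarize(report_json: str) -> Dict[str, Dict[str, List[dict]]]:
    """Group findings by 'package==version' into two buckets:
    fixable (at least one fix version listed) and unfixable (none listed)."""
    report = json.loads(report_json)
    fixable: Dict[str, List[dict]] = {}
    unfixable: Dict[str, List[dict]] = {}
    for dep in report.get("dependencies", []):
        key = f"{dep['name']}=={dep['version']}"
        for vuln in dep.get("vulns", []):
            entry = {"id": vuln["id"], "aliases": vuln.get("aliases", [])}
            if vuln.get("fix_versions"):
                entry["fix_versions"] = vuln["fix_versions"]
                fixable.setdefault(key, []).append(entry)
            else:
                unfixable.setdefault(key, []).append(entry)
    return {"fixable": fixable, "unfixable": unfixable}


def gate_exit_code(summary: Dict[str, Dict[str, List[dict]]],
                   fail_on_unfixable: bool = True) -> int:
    """Non-zero when the build should fail. Fixable findings always fail,
    since an upgrade exists; unfixable findings fail unless the caller
    has chosen to only warn on them."""
    if summary["fixable"]:
        return 1
    if summary["unfixable"] and fail_on_unfixable:
        return 1
    return 0


def render(summary: Dict[str, Dict[str, List[dict]]]) -> str:
    """Human-readable lines for the CI log."""
    lines = []
    for key, vulns in sorted(summary["fixable"].items()):
        for v in vulns:
            lines.append(f"FIXABLE   {key}: {v['id']} -> upgrade to "
                         f"{', '.join(v['fix_versions'])}")
    for key, vulns in sorted(summary["unfixable"].items()):
        for v in vulns:
            lines.append(f"UNFIXABLE {key}: {v['id']} (no fixed release listed)")
    return "\n".join(lines) if lines else "no known vulnerabilities"


if __name__ == "__main__":
    # Usage: pip-audit -r requirements.txt --format json > report.json
    #        python gate.py report.json
    # With no argument the constructed sample report is used.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    result = summarize(raw)
    print(render(result))
    sys.exit(gate_exit_code(result))
```

Feeding real pip-audit output into this gate is a matter of running pip-audit with --format json and piping the file to the script; the split between fixable and unfixable findings is what decides whether --fix alone can clear the build.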