{"id":21927960,"url":"https://github.com/mam-dev/security-constraints","last_synced_at":"2025-07-01T15:09:33.278Z","repository":{"id":144098530,"uuid":"561798884","full_name":"mam-dev/security-constraints","owner":"mam-dev","description":"Fetches security vulnerabilities and creates pip-constraints based on them.","archived":false,"fork":false,"pushed_at":"2025-01-27T21:37:09.000Z","size":132,"stargazers_count":12,"open_issues_count":4,"forks_count":1,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-06-21T06:46:07.087Z","etag":null,"topics":["dependencies","pip","python","security","supply-chain-security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mam-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-11-04T14:14:45.000Z","updated_at":"2025-06-03T07:45:11.000Z","dependencies_parsed_at":"2023-10-15T03:16:42.086Z","dependency_job_id":"3f38f824-86ef-44e0-8aec-7ec6a7fa39a9","html_url":"https://github.com/mam-dev/security-constraints","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/mam-dev/security-constraints","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mam-dev%2Fsecurity-constraints","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mam-dev%2Fsecurity-constraints/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mam-dev%2Fsecurity-constraints/releases","manifests_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mam-dev%2Fsecurity-constraints/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mam-dev","download_url":"https://codeload.github.com/mam-dev/security-constraints/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mam-dev%2Fsecurity-constraints/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262986751,"owners_count":23395390,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependencies","pip","python","security","supply-chain-security"],"created_at":"2024-11-28T22:19:31.956Z","updated_at":"2025-07-01T15:09:33.258Z","avatar_url":"https://github.com/mam-dev.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# security-constraints\n\nSecurity-constraints is a command-line application used\nto fetch security vulnerabilities in Python packages from\nexternal sources and from them generate version constraints\nfor the packages.\n\nThe constraints can then be given to `pip install` with the `-c` option,\neither on the command line or in a requirements file.\n\n## Installation\n\nJust install it with `pip`:\n```bash\npip install security-constraints\n```\n\n## Usage\n\nThe environment variable `SC_GITHUB_TOKEN` needs to be set\nto a valid GitHub token which provides read access to public\nrepositories. This is needed in order to access GitHub Security\nAdvisory. 
Once this is set, you can simply run the program to\noutput safe pip constraints to stdout.\n\n```bash\n\u003esecurity-constraints\n# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z\n# Data sources: Github Security Advisory\n# Configuration: {'ignore_ids': [], 'min_severity': 'CRITICAL'}\n...\nvncauthproxy\u003e=1.2.0  # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)\nwaitress!=1.4.2  # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)\nwaitress\u003e=1.4.0  # GHSA-4ppp-gpcr-7qf6 (ID: GHSA-4ppp-gpcr-7qf6)\nymlref\u003e0.1.1  # CVE-2018-20133 (ID: GHSA-8r8j-xvfj-36f9)\n\u003e\n```\n\nYou can use `--output` to instead output to a file.\n\n```bash\n\u003esecurity-constraints --output constraints.txt\n\u003ecat constraints.txt\n# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z\n# Data sources: Github Security Advisory\n# Configuration: {'ignore_ids': [], 'min_severity': 'CRITICAL'}\n...\nvncauthproxy\u003e=1.2.0  # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)\nwaitress!=1.4.2  # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)\nwaitress\u003e=1.4.0  # GHSA-4ppp-gpcr-7qf6 (ID: GHSA-4ppp-gpcr-7qf6)\nymlref\u003e0.1.1  # CVE-2018-20133 (ID: GHSA-8r8j-xvfj-36f9)\n\u003e\n```\n\nYou can provide a space-separated list of IDs of vulnerabilities that\nshould be ignored. 
The IDs in question are those that appear after\n`ID:` in the comments in the output.\n\n```bash\n\u003esecurity-constraints --ignore-ids GHSA-4ppp-gpcr-7qf6 GHSA-8r8j-xvfj-36f9\n# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z\n# Data sources: Github Security Advisory\n# Configuration: {'ignore_ids': ['GHSA-4ppp-gpcr-7qf6', 'GHSA-8r8j-xvfj-36f9'], 'min_severity': 'CRITICAL'}\n...\nvncauthproxy\u003e=1.2.0  # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)\nwaitress!=1.4.2  # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)\n\u003e\n```\n\nThe IDs to ignore can also be given in a configuration file using `--config`.\nTo create an initial configuration file, you can use `--dump-config`. This\nwill dump the current configuration (including any `--ignore-ids` passed) to\nstdout and then exit. You can redirect this into a file to create an\ninitial configuration file. The configuration file is in yaml format.\n\n```bash\n\u003esecurity-constraints --ignore-ids GHSA-4ppp-gpcr-7qf6 GHSA-8r8j-xvfj-36f9 --dump-config \u003e sc_config.yaml\n\u003ecat sc_config.yaml\nignore_ids:\n- GHSA-4ppp-gpcr-7qf6\n- GHSA-8r8j-xvfj-36f9\nmin_severity: CRITICAL\n\u003esecurity-constraints --config sc_config.yaml\n# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z\n# Data sources: Github Security Advisory\n# Configuration: {'ignore_ids': ['GHSA-4ppp-gpcr-7qf6', 'GHSA-8r8j-xvfj-36f9'], 'min_severity': 'CRITICAL'}\n...\nvncauthproxy\u003e=1.2.0  # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)\nwaitress!=1.4.2  # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)\n\u003e\n```\n\nBy default, security-constraints fetches all security vulnerabilities with\nseverity \"CRITICAL\" or higher (as understood by Github Security Advisory).\nThe minimum severity can be configured using the option `--min-severity` or\nby setting `min_severity` in the config file (if both are set, the lower of\nthe two is used).\n\n```bash\n\u003esecurity-constraints --min-severity high\n```\n\n## Contributing\nPull requests as well as new issues are welcome.\n\n[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)\n[![CI](https://github.com/mam-dev/security-constraints/actions/workflows/ci.yaml/badge.svg?branch=main)](https://github.com/mam-dev/security-constraints/actions/workflows/ci.yaml)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmam-dev%2Fsecurity-constraints","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmam-dev%2Fsecurity-constraints","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmam-dev%2Fsecurity-constraints/lists"}
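The README above shows the constraint format that security-constraints emits (`name<op>version  # CVE (ID: GHSA-...)`) and says to feed it to `pip install -c`. One caveat a practitioner should keep in mind: pip only honours a constraints file for packages it resolves during that install, so a vulnerable version that is already installed stays in place until something triggers a reinstall or upgrade. The script below is an added example, not code from the security-constraints project: it parses the README's sample constraint lines, reads a `pip freeze`-style listing (constructed here; in practice pipe in `pip freeze`), and reports every installed package whose version violates a constraint, together with the advisory ID taken from the comment. Package names are normalised per PEP 503 so `Waitress` matches `waitress`. The version comparison is deliberately simplified to dotted integers (an assumption for this example; real tooling should use `packaging.specifiers.SpecifierSet`, which implements full PEP 440).

```python
"""Check an installed environment against a security-constraints output file.

Added example; this is not code from the security-constraints project.
The constraint lines are copied from the README's sample output and the
installed-package listing is constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constraint lines as security-constraints prints them (sample from the README).
SAMPLE_CONSTRAINTS = """\
# Generated by security-constraints 1.0.0 on 2022-11-04T08:33:54.523625Z
# Data sources: Github Security Advisory
# Configuration: {'ignore_ids': [], 'min_severity': 'CRITICAL'}
vncauthproxy>=1.2.0  # CVE-2022-36436 (ID: GHSA-237r-mx84-7x8c)
waitress!=1.4.2  # CVE-2020-5236 (ID: GHSA-73m2-3pwg-5fgc)
waitress>=1.4.0  # GHSA-4ppp-gpcr-7qf6 (ID: GHSA-4ppp-gpcr-7qf6)
ymlref>0.1.1  # CVE-2018-20133 (ID: GHSA-8r8j-xvfj-36f9)
"""

# A "pip freeze" style listing of what is installed (constructed input).
SAMPLE_INSTALLED = """\
Waitress==1.4.2
ymlref==0.1.1
requests==2.31.0
"""

# name, operator, version, optional trailing "# ..." comment.
CONSTRAINT_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*"
    r"(?P<op>==|!=|<=|>=|<|>)\s*"
    r"(?P<version>[0-9][0-9.]*)"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
# The advisory ID security-constraints puts in the comment: "(ID: GHSA-...)".
ADVISORY_ID_RE = re.compile(r"\(ID:\s*([^)\s]+)\)")

OPS: dict[str, Callable[[tuple, tuple], bool]] = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}


@dataclass(frozen=True)
class Constraint:
    name: str                  # PEP 503 normalised package name
    op: str
    version: str
    advisory_id: Optional[str]  # GHSA id from the "(ID: ...)" comment, if any
    raw: str                   # the original line, for reporting


@dataclass(frozen=True)
class Violation:
    name: str
    installed: str
    constraint: Constraint


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple[int, ...]:
    """Simplified comparison key: dotted integers only, trailing zeros dropped
    so that 1.4 == 1.4.0. Assumption for this example; not full PEP 440."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_constraints(text: str) -> list[Constraint]:
    """Parse security-constraints output; header comments and blanks are skipped."""
    constraints = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CONSTRAINT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised constraint line: {line!r}")
        id_match = ADVISORY_ID_RE.search(m.group("comment") or "")
        constraints.append(Constraint(
            name=normalize_name(m.group("name")),
            op=m.group("op"),
            version=m.group("version"),
            advisory_id=id_match.group(1) if id_match else None,
            raw=line,
        ))
    return constraints


def parse_installed(text: str) -> dict[str, str]:
    """Parse 'name==version' lines (pip freeze style) into {normalised name: version}."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError(f"expected name==version, got {line!r}")
        installed[normalize_name(name)] = version.strip()
    return installed


def find_violations(constraints: list[Constraint], installed: dict[str, str]) -> list[Violation]:
    """Like pip, only packages that are actually present are checked; every
    constraint for a package is applied, so waitress must satisfy both of its lines."""
    violations = []
    for c in constraints:
        have = installed.get(c.name)
        if have is None:
            continue
        if not OPS[c.op](parse_version(have), parse_version(c.version)):
            violations.append(Violation(c.name, have, c))
    return violations


def report(constraints_text: str, installed_text: str) -> list[Violation]:
    return find_violations(parse_constraints(constraints_text), parse_installed(installed_text))


if __name__ == "__main__":
    for v in report(SAMPLE_CONSTRAINTS, SAMPLE_INSTALLED):
        print(f"{v.name}=={v.installed} violates {v.constraint.raw}")
```

Run against the sample input it reports `waitress==1.4.2` (GHSA-73m2-3pwg-5fgc) and `ymlref==0.1.1` (GHSA-8r8j-xvfj-36f9); `vncauthproxy` is not installed and `requests` has no constraint, so neither appears. To apply the same file at install time as the README describes, use `pip install -c constraints.txt -r requirements.txt`; running a check like this one against `pip freeze` afterwards catches versions that pip never touched.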