{"id":13570488,"url":"https://github.com/twu/skjold","last_synced_at":"2026-01-14T10:19:36.743Z","repository":{"id":38209809,"uuid":"236341695","full_name":"twu/skjold","owner":"twu","description":"Security audit Python project dependencies against security advisory databases.","archived":false,"fork":false,"pushed_at":"2025-08-18T05:24:04.000Z","size":536,"stargazers_count":66,"open_issues_count":5,"forks_count":14,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-11-06T07:14:11.661Z","etag":null,"topics":["cvssv2","cvssv3","dependency-graph","gemnasium","github-security-advisories","pip","pipenv","poetry","pyup","safety","safety-db","security","security-tools","supply-chain","vulnerabilities","vulnerability-detection"],"latest_commit_sha":null,"homepage":"https://pypi.org/project/skjold/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/twu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"twu"}},"created_at":"2020-01-26T16:40:51.000Z","updated_at":"2025-05-11T20:32:57.000Z","dependencies_parsed_at":"2023-02-18T02:46:08.381Z","dependency_job_id":"8029ccbc-2003-4b56-8be3-0af82aad1ea1","html_url":"https://github.com/twu/skjold","commit_stats":{"total_commits":213,"total_committers":10,"mean_commits":21.3,"dds":0.6056338028169015,"last_synced_commit":"182391c5306292b302e5a6ed4d0f25fd540e4779"},"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/twu/skjold","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/twu%2Fskjold","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/twu%2Fskjold/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/twu%2Fskjold/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/twu%2Fskjold/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/twu","download_url":"https://codeload.github.com/twu/skjold/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/twu%2Fskjold/sbom","scorecard":{"id":904478,"data":{"date":"2025-08-11","repo":{"name":"github.com/twu/skjold","commit":"37886b69f380a5cc24b490a879d033de08213750"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.9,"checks":[{"name":"Code-Review","score":1,"reason":"Found 1/7 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/publish.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/twu/skjold/publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/twu/skjold/publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/twu/skjold/publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/twu/skjold/publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/twu/skjold/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/twu/skjold/test.yml/master?enable=pin","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:19","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:20","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:38","Warn: pipCommand not pinned by hash: .github/workflows/publish.yml:39","Warn: pipCommand not pinned by hash: .github/workflows/test.yml:31","Warn: downloadThenRun not pinned by hash: .github/workflows/test.yml:51","Info:   0 out of   6 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned","Info:   0 out of   5 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 24 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"59 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: PYSEC-2024-48 / GHSA-fj7x-q9j7-g6q6","Warn: Project is vulnerable to: PYSEC-2025-49 / GHSA-5rjg-fvgr-3xxf","Warn: Project is vulnerable to: GHSA-cx63-2mw6-8hw5","Warn: Project is vulnerable to: PYSEC-2024-187 / GHSA-rqc4-2hc7-8c8v","Warn: Project is vulnerable to: GHSA-jfmj-5v4g-7637","Warn: Project is vulnerable to: GHSA-34jh-p97f-mpxf","Warn: Project is vulnerable to: PYSEC-2023-212 / GHSA-g4mx-q9vg-27p4","Warn: Project is vulnerable to: PYSEC-2023-207 / GHSA-gwvm-45gx-3cf8","Warn: Project is vulnerable to: PYSEC-2019-133 / GHSA-mh33-7rrq-662w","Warn: Project is vulnerable to: GHSA-pq67-6m6q-mj2v","Warn: Project is vulnerable to: PYSEC-2019-132 / GHSA-r64q-w8jr-g9qp","Warn: Project is vulnerable to: PYSEC-2023-192 / GHSA-v845-jxx5-vc9f","Warn: Project is vulnerable to: PYSEC-2020-148 / GHSA-wqvq-5m8c-6g24","Warn: Project is vulnerable to: PYSEC-2021-108 / GHSA-q2q7-5pp4-w6pg","Warn: Project is vulnerable to: PYSEC-2021-421 / GHSA-h4m5-qpfp-3mpv","Warn: Project is vulnerable to: PYSEC-2020-28 / GHSA-m6xf-fq7q-8743","Warn: Project is vulnerable to: PYSEC-2020-27 / GHSA-q65m-pv3f-wr5r","Warn: Project is vulnerable to: PYSEC-2020-340 / GHSA-vqhp-cxgc-6wmm","Warn: Project is vulnerable to: PYSEC-2021-865 / GHSA-vv2x-vrpj-qqpq","Warn: Project is vulnerable to: PYSEC-2022-42986 / GHSA-43fp-rhv2-5gv8","Warn: Project is vulnerable to: PYSEC-2023-135 / GHSA-xqr8-7jwr-rhp7","Warn: Project is vulnerable to: PYSEC-2023-62 / GHSA-m2qf-hxjv-5gpq","Warn: Project is vulnerable to: PYSEC-2022-42991 / GHSA-v3c5-jqr6-7qm8","Warn: Project is vulnerable to: PYSEC-2024-60 / GHSA-jjg7-2v4v-x38h","Warn: Project is vulnerable to: GHSA-cpwx-vrp4-4pq7","Warn: Project is vulnerable to: PYSEC-2021-66 / GHSA-g3rq-g295-4j3m","Warn: Project is vulnerable to: GHSA-h5c8-rqwp-cp95","Warn: Project is vulnerable to: GHSA-h75v-3vvj-5mfj","Warn: Project is vulnerable to: GHSA-q2x7-8rv6-6q7h","Warn: Project is vulnerable to: PYSEC-2020-92 / GHSA-hj5v-574p-mj7c","Warn: Project is vulnerable to: PYSEC-2022-42969","Warn: Project is vulnerable to: PYSEC-2021-140 / GHSA-9w8r-397f-prfh","Warn: Project is vulnerable to: PYSEC-2023-117 / GHSA-mrwq-x4v8-fh7p","Warn: Project is vulnerable to: PYSEC-2021-141 / GHSA-pq64-v7f5-gqh8","Warn: Project is vulnerable to: GHSA-9hjg-9r4m-mvj7","Warn: Project is vulnerable to: GHSA-9wx4-h78v-vm56","Warn: Project is vulnerable to: PYSEC-2023-74 / GHSA-j8r2-6x86-q33q","Warn: Project is vulnerable to: GHSA-g7vv-2v7x-gj9p","Warn: Project is vulnerable to: PYSEC-2020-149 / GHSA-hmv2-79q8-fv6g","Warn: Project is vulnerable to: GHSA-2g68-c3qc-8985","Warn: Project is vulnerable to: GHSA-f9vj-2wh5-fj8j","Warn: Project is vulnerable to: PYSEC-2023-221 / GHSA-hrfv-mqp8-q5rw","Warn: Project is vulnerable to: GHSA-j544-7q9p-6xp8","Warn: Project is vulnerable to: PYSEC-2023-57 / GHSA-px8h-6qxv-m22q","Warn: Project is vulnerable to: GHSA-q34m-jh98-gwm2","Warn: Project is vulnerable to: PYSEC-2023-58 / GHSA-xg9f-g7g7-2323","Warn: Project is vulnerable to: PYSEC-2022-203","Warn: Project is vulnerable to: PYSEC-2020-96 / GHSA-6757-jp84-gxfx","Warn: Project is vulnerable to: PYSEC-2021-142 / GHSA-8q59-q68h-6hv4","Warn: Project is vulnerable to: PYSEC-2014-14 / GHSA-652x-xj99-gmcc","Warn: Project is vulnerable to: PYSEC-2014-13 / GHSA-cfj3-7x9c-4p3h","Warn: Project is vulnerable to: PYSEC-2018-28 / GHSA-x84v-xcm2-53pg","Warn: Project is vulnerable to: PYSEC-2014-75 / GHSA-3qpr-7rmg-73v8","Warn: Project is vulnerable to: PYSEC-2014-76 / GHSA-48vv-2pmq-9fvv","Warn: Project is vulnerable to: PYSEC-2014-73 / GHSA-77hv-8796-8ccp","Warn: Project is vulnerable to: PYSEC-2014-74 / GHSA-879r-7f3w-8jj3","Warn: Project is vulnerable to: GHSA-8w48-m6hx-rjw2","Warn: Project is vulnerable to: GHSA-p6h9-hpcg-c6gm","Warn: Project is vulnerable to: GHSA-vh6g-786f-hxxp"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-24T16:50:40.201Z","repository_id":38209809,"created_at":"2025-08-24T16:50:40.201Z","updated_at":"2025-08-24T16:50:40.201Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28416908,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T10:18:03.274Z","status":"ssl_error","status_checked_at":"2026-01-14T10:16:11.865Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cvssv2","cvssv3","dependency-graph","gemnasium","github-security-advisories","pip","pipenv","poetry","pyup","safety","safety-db","security","security-tools","supply-chain","vulnerabilities","vulnerability-detection"],"created_at":"2024-08-01T14:00:52.778Z","updated_at":"2026-01-14T10:19:36.725Z","avatar_url":"https://github.com/twu.png","language":"Python","funding_links":["https://github.com/sponsors/twu"],"categories":["Python"],"sub_categories":[],"readme":"![](https://img.shields.io/pypi/v/skjold?color=black\u0026label=PyPI\u0026style=flat-square)\n![](https://img.shields.io/github/actions/workflow/status/twu/skjold/test.yml?branch=master\u0026color=black\u0026label=Tests\u0026style=flat-square)\n![](https://img.shields.io/pypi/status/skjold?color=black\u0026style=flat-square)\n![](https://img.shields.io/pypi/pyversions/skjold?color=black\u0026logo=python\u0026logoColor=white\u0026style=flat-square)\n![](https://img.shields.io/pypi/l/skjold?color=black\u0026label=License\u0026style=flat-square)\n![](https://img.shields.io/pypi/dm/skjold?color=black\u0026label=Downloads\u0026style=flat-square)\n[![](https://api.codeclimate.com/v1/badges/9f756df1ff145e6004a7/maintainability)](https://codeclimate.com/github/twu/skjold/maintainability)\n[![Test Coverage](https://api.codeclimate.com/v1/badges/9f756df1ff145e6004a7/test_coverage)](https://codeclimate.com/github/twu/skjold/test_coverage)\n\n```\n        .         .    .      Skjold /skjɔl/\n    ,-. | , . ,-. |  ,-|\n    `-. |\u003c  | | | |  | |      Security audit python project dependencies\n    `-' ' ` | `-' `' `-´      against several security advisory databases.\n           `'\n```\n\n## Introduction\nIt currently supports fetching advisories from the following sources:\n\n| Source | Name | Notes |\n| ------:|:----:|:------|\n| [GitHub Advisory Database](https://github.com/advisories) | `github` | Requires Access Token (See [Github](#github)). |\n| [PyUP.io safety-db](https://github.com/pyupio/safety-db) | `pyup` | |\n| [GitLab gemnasium-db](https://gitlab.com/gitlab-org/security-products/gemnasium-db) | `gemnasium` | |\n| [PYPA Advisory Database](https://github.com/pypa/advisory-db) | `pypa` | Only supports `ECOSYSTEM`! |\n| [OSV.dev Database](https://osv.dev) | `osv` | Only supports `ECOSYSTEM`!\u003cbr/\u003e Sends package information to [OSV.dev](https://osv.dev) API. |\n\nNo source is enabled by default! Sources can be enabled by setting `sources` list (see [Configuration](#configuration)). There is (currently) no de-duplication meaning that using too many sources at once will result in _a lot_ of duplicates. `skjold` also requires _all_ dependencies to be passed as it *will not* resolve any dependencies at runtime!\n\n## Motivation\nSkjold was initially created for myself to replace `safety`. ~Which appears to no longer receive monthly updates (see [pyupio/safety-db #2282](https://github.com/pyupio/safety-db/issues/2282))~. I wanted something I can run locally and use for my local or private projects/scripts.\n\nI currently also use it during CI builds and before deploying/publishing containers or packages.\n\n## Installation\n`skjold` can be installed from either [PyPI](https://pypi.org/project/skjold/) or directly from [Github](https://github.com/twu/skjold) using `pip`:\n\n```sh\npip install skjold                                        # Install from PyPI\npip install git+https://github.com/twu/skjold.git@vX.X.X  # Install from Github\n```\n\nThis should provide a script named `skjold` that can then be invoked. See [Usage](#usage).\n\n## Usage\n```sh\n$ pip list --format=freeze | skjold -v audit --sources gemnasium -\n```\n\nWhen running `audit` one can either provide a path to a _frozen_ `requirements.txt`, a `poetry.lock` or a `Pipfile.lock` file. Alternatively, dependencies can also be passed in via `stdin`  (formatted as `package==version`).\n\n`skjold` will maintain a local cache (under `cache_dir`) that will expire automatically after `cache_expires` has passed. The `cache_dir` and `cache_expires` can be adjusted by setting them in  `tools.skjold` section of the projects `pyproject.toml` (see [Configuration](#configuration) for more details). The `cache_dir`will be created automatically, and by default unless otherwise specified will be located under `$HOME/.skjold/cache`.\n\nFor further options please read `skjold --help` and/or `skjold audit --help`.\n\n### Examples\n\nAll examples involving `github` assume that `SKJOLD_GITHUB_API_TOKEN` is already set (see [Github](#github)).\n\n```sh\n# Using pip list. Checking against GitHub only.\n$ pip list --format=freeze | skjold audit -s github -\n\n# Be verbose. Read directly from supported formats.\n$ skjold -v audit requirements.txt\n$ skjold -v audit poetry.lock\n$ skjold -v audit Pipenv.lock\n\n# Specify specify multiple inputs at once.\n$ skjold -v audit Pipenv.lock poetry.lock requirements.txt\n\n# Using poetry.\n$ poetry export -f requirements.txt | skjold audit -s github -s gemnasium -s pyup -\n\n# Using poetry, format output as json and pass it on to jq for additional filtering.\n$ poetry export -f requirements.txt | skjold audit -o json -s github - | jq '.[0]'\n\n# Using Pipenv, checking against Github\n$ pipenv run pip list --format=freeze | skjold audit -s github -\n\n# Checking a single package via stdin against Github and format findings as json.\n$ echo \"urllib3==1.23\" | skjold audit -o json -r -s github -\n[\n  {\n    \"severity\": \"HIGH\",\n    \"name\": \"urllib3\",\n    \"version\": \"1.23\",\n    \"versions\": \"\u003c1.24.2\",\n    \"source\": \"github\",\n    \"summary\": \"High severity vulnerability that affects urllib3\",\n    \"references\": [\n      \"https://nvd.nist.gov/vuln/detail/CVE-2019-11324\"\n    ],\n    \"url\": \"https://github.com/advisories/GHSA-mh33-7rrq-662w\"\n  }\n]\n\n# Checking a single package via stdin against Gemnasium and report findings (`-o cli`).\n$ echo \"urllib3==1.23\" | skjold audit -o cli -r -s gemnasium -\n\nurllib3==1.23 (\u003c=1.24.2) via gemnasium\n\nCRLF injection. In the urllib3 library for Python, CRLF injection is possible\nif the attacker controls the request parameter.\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11236\n--\n\nurllib3==1.23 (\u003c1.24.2) via gemnasium\n\nWeak Authentication Caused By Improper Certificate Validation. The urllib3\nlibrary for Python mishandles certain cases where the desired set of CA\ncertificates is different from the OS store of CA certificates, which results\nin SSL connections succeeding in situations where a verification failure is the\ncorrect outcome. This is related to use of the `ssl_context`, `ca_certs`, or\n`ca_certs_dir` argument.\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11324\n--\n\nurllib3==1.23 (\u003c1.25.9) via gemnasium\n\nInjection Vulnerability. urllib3 allows CRLF injection if the attacker controls\nthe HTTP request method, as demonstrated by inserting `CR` and `LF` control\ncharacters in the first argument of `putrequest()`. NOTE: this is similar to\nCVE-2020-26116.\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-26137\n--\n```\n\n#### Ignore Findings\n\nFindings can be ignored either by manually adding an entry using the sources identifier to a file named `.skjoldignore` (See [Example](https://github.com/twu/skjold/blob/master/.skjoldignore)) or by using in the CLI. Below are a few possible usage examples.\n\n```\n# Ignore PYSEC-2020-148 finding from PyPA source until a certain date with a specific reason.\n$ skjold ignore urllib3 PYSEC-2020-148 --reason \"Very good reason.\" --expires \"2021-01-01T00:00:00+00:00\"\nIgnore urllib3 in PYSEC-2020-148 until 2021-01-01 00:00:00+00:00?\nVery good reason.\n--\nAdd to '.skjoldignore'? [y/N]: y\n\n# Ignore PYSEC-2020-148 finding from PyPA source for 7 days with \"No immediate remediation.\" reason.\n$ skjold ignore urllib3 PYSEC-2020-148\nIgnore urllib3 in PYSEC-2020-148 until ...?\nNo immediate remediation.\n--\nAdd to '.skjoldignore'? [y/N]: y\n\n# Audit `poetry.lock` using a custom `.skjoldignore` file location via `ENV`...\n$ SKJOLD_IGNORE_FILE=\u003cpath-to-file\u003e skjold audit -s pyup poetry.lock\n\n# ... or using -i/--ignore-file\n$ skjold audit -s pyup -i \u003cpath-to-file\u003e poetry.lock\n```\n\n### Configuration\n\n`skjold` can read its configuration from the `tools.skjold` section of a projects  `pyproject.toml`. Arguments specified via the command-line should take precedence over any configured or default value.\n\n```toml\n[tool.skjold]\nsources = [\"github\", \"pyup\", \"gemnasium\"]  # Sources to check against.\nreport_only = false                        # Exit with non-zero exit code on findings.\nreport_format = 'json'                     # Output findings as `json`. Default is 'cli'.\ncache_dir = '.skjold_cache'                # Cache location (default: `~/.skjold/cache`).\ncache_expires = 86400                      # Cache max. age.\nignore_file = '.skjoldignore'              # Ignorefile location (default `.skjoldignore`).\nverbose = true                             # Be verbose.\n```\n\nTo take a look at the current configuration / defaults run:\n```shell\n$ skjold config\nsources: ['pyup', 'github', 'gemnasium']\nreport_only: False\nreport_format: json\nverbose: False\ncache_dir: .skjold_cache\ncache_expires: 86400\nignore_file = '.skjoldignore'\n```\n\n#### Github\n\nFor the `github` source to work you'll need to provide a Github API Token via an `ENV` variable named `SKJOLD_GITHUB_API_TOKEN`. You can [create a new Github Access Token here](https://github.com/settings/tokens). You *do not* have to give it *any* permissions as it is only required to query the [GitHub GraphQL API v4](https://developer.github.com/v4/) API.\n\n### Version Control Integration\nTo use `skjold` with the excellent [pre-commit](https://pre-commit.com/) framework add the following to the projects `.pre-commit-config.yaml` after [installation](https://pre-commit.com/#install).\n\n```yaml\nrepos:\n  - repo: https://github.com/twu/skjold\n    rev: vX.X.X\n    hooks:\n    - id: skjold\n      verbose: true  # Important if used with `report_only`, see below.\n```\n\nAfter running `pre-commit install` the hook should be good to go. To configure `skjold` in this scenario I recommend adding the entire configuration to the projects `pyproject.toml` instead of manipulating the hook `args`. See this projects [pyproject.toml](./pyproject.toml) for an example.\n\n\u003e **Important!**: When using `skjold` as a `pre-commit`-hook it only gets triggered if you want to commit changed dependency files (e.g. `Pipenv.lock`, `poetry.lock`, `requirements.txt`,...).\n\u003e It will not continuously check your dependencies on _every_ commit!\n\nYou could run `pre-commit run skjold --all-files` manually in your workflow/scripts or run `skjold` manually.\nIf you have a better solution please let me know!\n\n\u003e **Important!**: If you use `report_only` in any way make sure that you add `verbose: true` to your hook configuration\notherwise `pre-commit` won't show you any output since the hook is always returning with a zero exit code due\nto `report_only` being set!\n\n## Contributing\nPull requests are welcome! For major changes, please open an issue first to discuss what you would like to change.\n\nPlease make sure to update tests as appropriate.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftwu%2Fskjold","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftwu%2Fskjold","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftwu%2Fskjold/lists"}