pip-audit vs Safety vs OSV-Scanner: Best Dependency Vulnerability Scanners 2026

Dependency vulnerabilities remain one of the most common attack vectors in modern software. A single outdated library with a known CVE can expose your entire application to exploitation. Self-hosted dependency vulnerability scanning lets you detect these risks early — before they reach production — without sending your dependency tree to third-party SaaS platforms.

In this guide, we compare three leading open-source dependency scanners: pip-audit (the official Python Packaging Authority tool), Safety (the most comprehensive Python-focused scanner), and OSV-Scanner (Google’s multi-language vulnerability scanner). Each tool takes a different approach to finding and reporting vulnerable packages, and understanding their strengths helps you build a robust software supply chain security pipeline.

For organizations already building a comprehensive security posture, dependency scanning complements container image scanning and license compliance checks as essential layers in your self-hosted security stack.

Why Self-Host Dependency Vulnerability Scanning

Running dependency scanning on your own infrastructure offers several advantages over cloud-based alternatives:

• Data privacy: Your dependency tree — which reveals your tech stack, versions, and architecture — never leaves your network. For regulated industries (healthcare, finance, government), this is often a compliance requirement.
• No rate limits or API quotas: Self-hosted scanners can run unlimited scans without hitting SaaS API restrictions, making them ideal for high-frequency CI/CD pipelines.
• Offline capability: Air-gapped environments with no internet access can still perform vulnerability checks using locally mirrored databases.
• Cost control: Open-source scanners eliminate per-scan or per-developer licensing fees, which can grow significantly for large teams.
• Customization: You control the vulnerability severity thresholds, ignore rules, and reporting formats to match your organization’s risk tolerance.

Tool Overview and Comparison

pip-audit

Maintained by: Python Packaging Authority (PyPA) / Trail of Bits
GitHub: pypa/pip-audit
Stars: 1,270 | Language: Python | Last updated: April 2026

pip-audit is the official Python dependency vulnerability scanner endorsed by the Python packaging community. It reads requirements.txt files and installed package environments, checking each dependency against the PyPI Advisory Database. It integrates natively with pip’s caching system and can emit CycloneDX SBOMs for downstream consumption.

Safety (Safety CLI)

Maintained by: SafetyCLI (formerly pyup.io)
GitHub: pyupio/safety
Stars: 1,976 | Language: Python | Last updated: March 2026

Safety is a Python dependency vulnerability scanner with access to one of the most comprehensive Python vulnerability databases available. It offers both a free tier with the open-source database and a paid tier with real-time updates, including malicious package detection. Safety supports system-wide scans, CI/CD integration via GitHub Actions, and automated fix suggestions.

OSV-Scanner

Maintained by: Google
GitHub: google/osv-scanner
Stars: 9,830 | Language: Go | Last updated: April 2026

OSV-Scanner is Google’s open-source vulnerability scanner built on top of the OSV.dev database. Unlike pip-audit and Safety, OSV-Scanner is multi-language — it supports Go, Java, JavaScript, Python, Ruby, Rust, PHP, Dart, and more. It can scan lockfiles, source directories, and even container images for vulnerabilities. Its call analysis feature determines whether a vulnerable function is actually being used in your code, reducing false positives significantly.

Feature Comparison Table

Installation Guide

Installing pip-audit

pip-audit requires Python 3.10 or newer. Install it via pip:

1

python3 -m pip install pip-audit

Alternatively, install via conda:

1

conda install -c conda-forge pip-audit

Verify the installation:

1

pip-audit --version

Installing Safety

Safety installs as a standard Python package:

1

python3 -m pip install safety

For the full commercial database, you’ll need to authenticate:

1

safety auth

This will prompt you to log in or create a SafetyCLI account. The free tier provides access to a subset of the vulnerability database.

Verify the installation:

1

safety --version

Installing OSV-Scanner

OSV-Scanner is distributed as a precompiled Go binary. Download the latest release:

1
2
3
4

# For Linux amd64
curl -sL https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64 -o osv-scanner
chmod +x osv-scanner
sudo mv osv-scanner /usr/local/bin/

Or install via Go:

1

go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest

For macOS:

1

brew install osv-scanner

Verify the installation:

1

osv-scanner --version

Usage Examples

Scanning a Python Project with pip-audit

Scan a requirements.txt file:

1

pip-audit -r requirements.txt

Scan the current installed environment:

1

pip-audit

Output results in JSON format for CI/CD parsing:

1

pip-audit -r requirements.txt --format json -o results.json

Generate a CycloneDX SBOM alongside the scan:

1

pip-audit -r requirements.txt --sbom cyclonedx-json -o sbom.json

Automatically fix vulnerable dependencies:

1

pip-audit -r requirements.txt --fix

This will upgrade packages to non-vulnerable versions where possible and update the requirements file accordingly.

Scanning with Safety

Run a basic scan in your project directory:

1

safety scan

Scan a specific requirements file:

1

safety scan -r requirements.txt

Output in JSON for automation:

1

safety scan -r requirements.txt --json > safety-results.json

Generate an HTML report for management review:

1

safety scan -r requirements.txt --html -o report.html

Apply automated fixes:

1

safety scan --apply-fixes

Run a system-wide scan to check all installed Python packages:

1

safety system-scan

Scanning with OSV-Scanner

Scan a source directory recursively:

1

osv-scanner scan source -r /path/to/project/

Scan a specific lockfile:

1

osv-scanner scan source --lockfile requirements.txt:/path/to/requirements.txt

Scan a Docker container image:

1

osv-scanner scan image my-app:latest

Output in CycloneDX format:

1

osv-scanner scan source -r /path/to/project/ --format cyclonedx-json -o sbom.json

Use call analysis to reduce false positives (Go projects):

1

osv-scanner scan source -r /path/to/go-project/ --call-analysis

CI/CD Pipeline Integration

GitHub Actions: pip-audit

Add this workflow to .github/workflows/dependency-audit.yml:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

name: Dependency Audit
on:
  pull_request:
    paths:
      - 'requirements*.txt'
      - 'pyproject.toml'
  schedule:
    - cron: '0 6 * * 1'  # Weekly on Monday

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install pip-audit
        run: pip install pip-audit

      - name: Run vulnerability scan
        run: pip-audit -r requirements.txt --format json -o audit-results.json

      - name: Upload results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: audit-results
          path: audit-results.json

GitHub Actions: Safety

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

name: Safety Dependency Scan
on:
  pull_request:
    paths:
      - 'requirements*.txt'
  schedule:
    - cron: '0 6 * * 1'

jobs:
  safety:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install Safety
        run: pip install safety

      - name: Run Safety scan
        run: safety scan -r requirements.txt --json --output safety-report.json
        continue-on-error: true

      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: safety-report
          path: safety-report.json

GitHub Actions: OSV-Scanner

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

name: OSV Vulnerability Scan
on:
  pull_request:
  schedule:
    - cron: '0 6 * * 1'

jobs:
  osv:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4

      - name: Run OSV-Scanner
        uses: google/osv-scanner-action@v2
        with:
          scan-args: |-
            --recursive
            --format=sarif
            --output=results.sarif
            ./

      - name: Upload SARIF results
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

GitLab CI: OSV-Scanner

For teams using GitLab, OSV-Scanner integrates cleanly:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

dependency-scan:
  image: golang:1.23
  stage: test
  script:
    - go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
    - osv-scanner scan source -r --format=sarif --output=results.sarif ./
  artifacts:
    when: always
    reports:
      sast: results.sarif

Choosing the Right Tool

The decision between these three tools depends on your technology stack and security requirements:

Choose pip-audit if:

• You work exclusively with Python projects
• You want an officially endorsed PyPA tool with no commercial strings attached
• You need CycloneDX SBOM generation as part of your supply chain security
• You prefer a simple, zero-configuration scanner that works with standard requirements.txt files

Choose Safety if:

• You need the most comprehensive Python vulnerability database available
• Your team wants automated fix suggestions with policy-based version pinning
• You require HTML reports for non-technical stakeholders
• You’re willing to use a freemium model for access to the full vulnerability database

Choose OSV-Scanner if:

• Your organization uses multiple programming languages (polyglot stack)
• You need container image scanning alongside dependency scanning
• False positive reduction through call analysis is important for your workflow
• You want the most comprehensive vulnerability database (OSV aggregates from GitHub, RustSec, Ubuntu, Alpine, and more)
• You need C/C++ vendored code detection

For teams building a comprehensive self-hosted security pipeline, consider combining OSV-Scanner for multi-language coverage with a dedicated Python scanner for deeper Python-specific analysis. Pair your dependency scanning with SBOM tracking tools for end-to-end supply chain visibility.

FAQ

What is the difference between pip-audit and Safety?

pip-audit is the official PyPA tool that uses the open PyPI Advisory Database, while Safety uses SafetyCLI’s proprietary database which is more comprehensive but requires authentication for the full dataset. pip-audit is completely free with no account required, whereas Safety’s free tier is limited. Both support requirements.txt scanning and auto-fix capabilities, but Safety additionally supports system-wide scans and HTML report generation.

Can OSV-Scanner replace pip-audit for Python projects?

OSV-Scanner supports Python lockfiles (requirements.txt, Pipfile.lock, poetry.lock), so it can replace pip-audit for basic scanning. However, pip-audit has deeper Python-specific features like automatic environment scanning (pip-audit with no arguments scans installed packages) and the --fix flag for automatic remediation. For pure Python teams, pip-audit or Safety may be preferable. For polyglot teams, OSV-Scanner’s multi-language support makes it the better choice.

How often are vulnerability databases updated?

The PyPI Advisory Database (used by pip-audit) is updated continuously as new advisories are submitted. OSV.dev (used by OSV-Scanner) aggregates from multiple sources and updates in near real-time. Safety’s free database updates less frequently than its commercial tier, which provides real-time updates including malicious package detection. For production use, running scans on a weekly schedule (via cron or CI/CD) ensures timely detection of new vulnerabilities.

Do these tools work in air-gapped environments?

pip-audit can work offline if you have a local PyPI mirror (e.g., using devpi or bandersnatch). OSV-Scanner supports offline mode by downloading a local copy of the OSV database (osv-scanner download osv or using the --offline flag with a cached database). Safety requires network access for the commercial database, though the free tier has limited offline capability. For fully air-gapped environments, pip-audit and OSV-Scanner are the best options.

Can I integrate these tools with dependency update automation?

Yes. Tools like Renovate and Dependabot can automatically create pull requests for dependency updates. You can configure these tools to only open PRs for vulnerabilities flagged by your scanner, or use the scanner as a CI check to block PRs that introduce vulnerable dependencies. This creates a closed-loop system: the scanner detects vulnerabilities, and the automation tool fixes them.

Which tool has the lowest false positive rate?

OSV-Scanner generally has the lowest false positive rate, especially for Go projects where its call analysis feature determines whether vulnerable functions are actually invoked in your code. pip-audit and Safety report all known vulnerabilities for detected packages regardless of whether your code uses the affected functionality. For teams overwhelmed by false positives, OSV-Scanner’s call analysis can significantly reduce noise.