Detector: Dep Audit

Jacob Centner edited this page Apr 10, 2026 · 1 revision

Scans Python dependencies for known security vulnerabilities using pip-audit and the OSV database.

Property        Value
Name            dep-audit
Tier            DETERMINISTIC
Languages       Python
External tool   pip-audit
LLM required    No
Confidence      1.00

What it detects

Known CVEs (Common Vulnerabilities and Exposures) in declared Python dependencies, sourced from the OSV vulnerability database.

How it works

  1. Checks for Python project markers (pyproject.toml, setup.py, requirements.txt, Pipfile, poetry.lock)
  2. Finds or generates a requirements.txt from the project's dependency declarations
  3. Runs pip-audit --format=json against the requirements
  4. Parses structured vulnerability output with CVE IDs, descriptions, and fix versions
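The last two steps, as an added example that is not the project's own code: it runs pip-audit with the 120-second timeout the page mentions and flattens the JSON report into findings in the page's [DEP-AUDIT] layout. The JSON layout (a "dependencies" list whose entries carry "vulns" with "id", "aliases", "fix_versions" and "description") and the "-r" flag are assumptions about pip-audit, and the sample report is constructed, not a real run.

```python
import json
import subprocess

AUDIT_TIMEOUT_SECONDS = 120  # the page's per-run timeout
SEVERITY, CONFIDENCE = "HIGH", 1.00  # every known CVE is reported as HIGH with confidence 1.00

def run_pip_audit(requirements_path: str) -> str:
    """Step 3: audit a requirements file and return pip-audit's JSON report as text.
    No check=True: pip-audit exits non-zero whenever it finds vulnerabilities."""
    proc = subprocess.run(
        ["pip-audit", "-r", requirements_path, "--format=json"],
        capture_output=True, text=True, timeout=AUDIT_TIMEOUT_SECONDS,
    )
    return proc.stdout

def parse_audit_json(raw: str) -> list:
    """Step 4: flatten the report into one finding dict per (package, vulnerability).
    Assumed layout: {"dependencies": [{"name", "version", "vulns": [{"id", "aliases", ...}]}]}."""
    findings = []
    for dep in json.loads(raw).get("dependencies", []):
        for v in dep.get("vulns", []):
            aliases = v.get("aliases", [])
            findings.append({
                "package": dep["name"], "version": dep["version"],
                "vuln_id": v["id"],
                # Prefer a CVE alias as the headline id; fall back to the advisory id.
                "cve": next((a for a in aliases if a.startswith("CVE-")), v["id"]),
                "description": v.get("description", ""),
                "fix_versions": v.get("fix_versions", []),
                "severity": SEVERITY, "confidence": CONFIDENCE,
            })
    return findings

def format_finding(f: dict) -> str:
    """Render one finding in the page's [DEP-AUDIT] layout."""
    fix = (f"upgrade to {f['package']} >= {f['fix_versions'][0]}"
           if f["fix_versions"] else "none published")
    return (f"[DEP-AUDIT] {f['package']} {f['version']} - {f['cve']}\n"
            f"  Vulnerability: {f['vuln_id']}\n  {f['description']}\n"
            f"  Fix available: {fix}\n  Severity: {f['severity']}, Confidence: {f['confidence']:.2f}")

# Constructed sample in the assumed layout (not output of a real run), mirroring the page's example.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"name": "idna", "version": "3.4", "vulns": [{"id": "GHSA-jjg7-2v4v-x38h",
     "aliases": ["CVE-2024-3651"], "fix_versions": ["3.7"],
     "description": "Denial of service via resource consumption for internationalized domain names"}]},
    {"name": "certifi", "version": "2024.2.2", "vulns": []}], "fixes": []})
```

Against a real project the live path is parse_audit_json(run_pip_audit("requirements.txt")); the sample report exists so the parser and formatter can be exercised offline.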

Severity

All vulnerabilities are reported as HIGH severity — known CVEs are always worth addressing.

Example finding

[DEP-AUDIT] idna 3.4 — CVE-2024-3651
  Vulnerability: GHSA-jjg7-2v4v-x38h
  Denial of service via resource consumption for internationalized domain names
  Fix available: upgrade to idna >= 3.7
  Severity: HIGH, Confidence: 1.00

Observed accuracy

Repo        Findings   TP Rate
httpx       3          100%
pip-tools   0          N/A

100% true positive rate — backed by a vulnerability database, zero judgment involved.

Prerequisites

pip install pip-audit
# Or install sentinel with the detectors extra (quoted so the shell does not treat the brackets as a glob):
pip install "sentinel[detectors]"

Known limitations

  • Python-only (no npm audit, Go vulncheck, or cargo audit)
  • Requires pip-audit to be installed and available in PATH
  • Audits declared dependencies, not the running environment
  • 120-second timeout per audit run