vscanner is a lightweight Python tool designed to scan Python packages (and their dependencies) for known vulnerabilities. By analyzing a requirements.txt-style input file, it cross-references each package against the OSV (Open Source Vulnerabilities) database and logs the results - including vulnerable packages, versions, and severity - to a structured CSV file. Ideal for developers and security teams, vscanner helps identify and mitigate risks in your project’s dependencies with minimal setup.
To install vscanner, first activate the target virtual environment, then use pip:
pip install vscanner
For older releases, visit PyPI or the GitHub Releases page.
Simply run vscan with the path to the input file containing the libraries to scan. Once the scan is complete, a log file (in CSV format) is written to your Desktop.
For example:
vscan /path/to/requirements.txt
Important: The input file is expected to be in requirements.txt-style format.
The help menu can be accessed at any time with the following command. It provides an overview of the tool's capabilities and available options.
vscan --help
To scan only the packages listed in the input file (i.e. without resolving and scanning their dependencies), pass the --no-deps argument:
vscan /path/to/requirements.txt --no-deps
No troubleshooting guidance is available at this time.
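As an added example (not vscanner's own code) of the scan flow described above, the script below parses a requirements.txt-style file, queries OSV for each pinned package and renders the hits as CSV rows. The OSV endpoint and the request and response field names are the author's assumptions about the public OSV API, and the fetcher is injectable so the logic can run offline against a constructed response.

```python
import csv
import io
import json
import re
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # assumed public OSV endpoint
# Only exact pins are queried: OSV needs a concrete version to match its ranges.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

def parse_requirements(text):
    """Return (name, version) for pinned lines; skip comments, blanks, unpinned specs."""
    pins = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins

def osv_query_http(payload):
    """Default fetcher: POST one query to OSV and decode the JSON reply (assumed API)."""
    req = urllib.request.Request(OSV_QUERY_URL, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def severity_of(vuln):
    """Prefer a database-specific label, else the first CVSS vector, else UNKNOWN."""
    label = (vuln.get("database_specific") or {}).get("severity")
    scores = [s.get("score") for s in vuln.get("severity") or [] if s.get("score")]
    return label or (scores[0] if scores else "UNKNOWN")

def scan(text, fetch=osv_query_http):
    """Query OSV per pin; return one row per reported vulnerability."""
    rows = []
    for name, version in parse_requirements(text):
        reply = fetch({"package": {"name": name, "ecosystem": "PyPI"}, "version": version})
        for vuln in reply.get("vulns") or []:
            rows.append({"package": name, "version": version,
                         "vuln_id": vuln.get("id", ""), "severity": severity_of(vuln)})
    return rows

def to_csv(rows):
    """Render rows as CSV (package, version, id, severity; assumed column layout)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["package", "version", "vuln_id", "severity"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Lines without an exact `==` pin (such as `flask>=2.0`) are deliberately skipped rather than guessed, since a range cannot be checked against OSV's affected-version data without first resolving it.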
For questions not covered here, or to report bugs, issues, or suggestions, please open an issue on GitHub.