safety
Python dependency vulnerability scanner — checks installed packages against a database of known CVEs and security advisories. safety features: safety check for scanning requirements.txt or installed packages, safety scan for project-level scanning, JSON/text output formats, --continue-on-error for CI pipelines, --ignore for known safe CVEs, PyPI Safety DB (free) and Safety DB Pro (authenticated), integration with pip-audit and CI systems, CVSS scores, fix recommendations, and GitHub Actions support. Identifies packages with known security vulnerabilities before deployment.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Security scanning tool itself — keep safety updated so it uses the latest vulnerability database. Store SAFETY_API_KEY as a CI secret, not in code. The safety database is queried over HTTPS. Free tier data is publicly available, and nothing beyond package names and versions is sent to safety servers.
⚡ Reliability
Best When
CI/CD pipeline dependency security checks — safety quickly identifies Python packages with known CVEs before deployment, with minimal setup.
Avoid When
Code security scanning (use bandit/semgrep), non-Python dependencies, or needing runtime protection.
Use Cases
- Agent dependency audit — result = subprocess.run(['safety', 'check', '--output', 'json', '-r', 'requirements.txt'], capture_output=True, text=True); vulns = json.loads(result.stdout) — scan the requirements file; the agent CI pipeline identifies vulnerable dependencies; JSON output for programmatic processing and alerting
- Agent installed packages scan — result = subprocess.run(['safety', 'check', '--json'], capture_output=True, text=True) — scan all installed packages in the current environment; the agent verifies deployment environment safety; identifies transitive dependencies with vulnerabilities not listed in requirements.txt
- Agent CI quality gate — result = subprocess.run(['safety', 'check', '--continue-on-error', '--output', 'json'], check=False, capture_output=True, text=True); if json.loads(result.stdout).get('vulnerabilities'): alert_security_team() — non-blocking scan; agent CI reports vulnerabilities without failing the build; --continue-on-error exits 0 even with vulnerabilities, so inspect the JSON report rather than the return code and use it for severity-based actions
- Agent vulnerability report — result = subprocess.run(['safety', 'check', '--output', 'text', '--short-report'], text=True, capture_output=True); print(result.stdout) — human-readable short report; the agent generates a security summary for weekly review; shows package name, installed version, vulnerable versions, CVE IDs
- Agent ignored CVEs — subprocess.run(['safety', 'check', '--ignore', '39462', '--ignore', '40291', '-r', 'requirements.txt']) — ignore specific CVE IDs; agent CI skips known false positives or accepted risks; document ignored CVEs with justification in comments
Not For
- Code vulnerability scanning — safety only checks dependencies, not Python code; for code SAST use bandit or semgrep
- Non-Python dependencies — safety is Python-only; for JavaScript use npm audit, for container scanning use Trivy
- Real-time runtime protection — safety is a scan-time tool; for runtime protection use a WAF or application security monitoring
Interface
Authentication
Free tier uses PyPI Safety DB (limited). Authenticated tier via SAFETY_API_KEY environment variable for Safety DB Pro with more CVEs and faster updates. API key from safetycli.com account.
Pricing
safety CLI is open source (MIT). Safety DB Pro requires paid subscription. Free tier suitable for most open source projects.
Agent Metadata
Known Gotchas
- ⚠ safety 3.x changed CLI syntax significantly — safety 2.x: safety check; safety 3.x: safety scan; agent CI scripts written for safety 2.x break on safety 3.x; check version: safety --version; migration guide required when upgrading; pin version in CI to avoid surprise upgrades
- ⚠ Exit code non-zero on vulnerabilities found — safety check exits 1 when vulnerabilities found; subprocess.run(['safety', 'check'], check=True) raises CalledProcessError on any finding; agent CI must decide: check=False and inspect returncode, or use --continue-on-error; don't silently swallow the return code
- ⚠ Scans installed packages not just requirements.txt — safety check without the -r flag scans ALL installed packages in the current Python environment; an agent running in a dev environment with many extra packages gets findings outside the project's scope; always use safety check -r requirements.txt for production dependency scanning
- ⚠ Free tier database may lag — Safety DB free tier has fewer CVEs and slower updates than Pro; agent relying on free tier may miss recent vulnerabilities; supplement with pip-audit which uses OSV database; consider both tools for comprehensive coverage
- ⚠ Ignored CVEs need documentation — safety check --ignore 12345 silently skips CVE-12345 forever; agent code should document ignored CVEs with justification in .safety-policy.yml or comments; periodically review ignored CVEs to check if patches are now available
- ⚠ Transitive dependencies not always scanned — safety check -r requirements.txt scans direct dependencies; if requirements.txt doesn't pin transitive deps, vulnerable transitive packages may not be caught; use pip freeze > requirements-frozen.txt for complete dependency tree scanning
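The following is an added example, not code from the safety project, that turns the gotchas above into a CI gate: it runs safety with check=False so the exit code is inspected rather than raised, parses the JSON report, and only blocks on findings that are not covered by a documented, unexpired ignore rule. The report layout (top-level "vulnerabilities" list with "vulnerability_id", "package_name", "analyzed_version", "severity") is assumed to follow the safety 2.x JSON output, and the sample report and ignore policy are constructed.

```python
import json
import subprocess
from datetime import date

# Constructed ignore policy: each ignored Safety DB ID (the value passed to --ignore)
# carries a reason and a review date, so acceptance is documented and expires.
IGNORE_POLICY = {
    "39462": {"reason": "affects a code path we do not ship", "review_by": "2026-06-01"},
    "40291": {"reason": "patched in our fork", "review_by": "2025-01-01"},  # expired
}

# Constructed sample report in the shape of `safety check --output json` (assumed 2.x layout).
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"vulnerability_id": "39462", "package_name": "urllib3", "analyzed_version": "1.26.4",
     "is_transitive": False, "severity": {"cvssv3": {"base_score": 7.5}}},
    {"vulnerability_id": "40291", "package_name": "jinja2", "analyzed_version": "2.11.2",
     "is_transitive": True, "severity": None},
    {"vulnerability_id": "51358", "package_name": "requests", "analyzed_version": "2.25.0",
     "is_transitive": False, "severity": {"cvssv3": {"base_score": 9.1}}},
]})


def blocking_findings(report_json, policy, today_iso, min_score=7.0):
    """Findings that should fail the build: not covered by an unexpired ignore rule
    and scored at or above min_score; a missing score is treated as blocking."""
    today = date.fromisoformat(today_iso)
    blocking = []
    for v in json.loads(report_json)["vulnerabilities"]:
        vid = v["vulnerability_id"]
        rule = policy.get(vid)
        if rule and date.fromisoformat(rule["review_by"]) >= today:
            continue  # documented and still within its review window
        score = ((v.get("severity") or {}).get("cvssv3") or {}).get("base_score")
        if score is None or score >= min_score:
            blocking.append((vid, v["package_name"], v["analyzed_version"], score))
    return blocking


def run_gate(requirements="requirements.txt"):
    """Invoke safety with check=False: exit 1 means findings, anything else is an error."""
    r = subprocess.run(["safety", "check", "--output", "json", "-r", requirements],
                       capture_output=True, text=True, check=False)
    if r.returncode not in (0, 1) or not r.stdout.strip():
        raise RuntimeError(f"safety failed (exit {r.returncode}): {r.stderr.strip()}")
    return blocking_findings(r.stdout, IGNORE_POLICY, date.today().isoformat())


if __name__ == "__main__":
    for finding in blocking_findings(SAMPLE_REPORT, IGNORE_POLICY, date.today().isoformat()):
        print("BLOCK", *finding)
```

Against the constructed report, the expired ignore for 40291 and the unignored 51358 block the build while 39462 stays accepted until its review date; in a real pipeline call run_gate() and fail the job when it returns a non-empty list.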
Scores are editorial opinions as of 2026-03-06.