Question 1

Is pip-audit still worth using?

Accepted Answer

Yes. pip-audit is fast, maintained, and has no false positives from CPE matching (unlike OWASP Dependency-Check). It integrates cleanly into GitHub Actions with a single action. The limitation is prioritization, not detection.

Use pip-audit in CI for immediate merge-time feedback. Use EPSS-enriched scanning for triage decisions. They're complementary, not competing.

Question 2

Does pip-audit cover transitive dependencies?

Accepted Answer

pip-audit scans your full installed environment when invoked without a requirements file (pip-audit alone), which includes transitive packages. With -r requirements.txt, it resolves transitives using pip's resolver. The PyPA advisory database covers direct and indirect dependencies equally — if urllib3 is a transitive dependency of requests, pip-audit catches it.

The limitation isn't coverage; it's still prioritization. A transitive dependency with EPSS 0.15 gets the same Moderate label as a direct one with EPSS 0.01.

Question 3

What's the difference between pip-audit and safety?

Accepted Answer

Both scan Python dependencies for known CVEs. pip-audit uses OSV and PyPA advisory data — both open and free. safety (by PyUP) historically used a separate commercial database with earlier advisory publication; some advisories appeared in safety's database before OSV/PyPA. The gap has narrowed as PyPA advisory coverage improved. Neither tool provides EPSS or KEV enrichment.

Question 4

How often should I run pip-audit?

Accepted Answer

Run it on every CI build that installs dependencies (including PRs and scheduled builds against your main branch). Vulnerabilities are disclosed continuously — a package clean yesterday may have a new CVE today. The nightly or scheduled scan pattern — even just a cron job running pip-audit against your production lockfile — catches disclosures between deploys.

Question 5

Can pip-audit replace a dedicated SCA tool?

Accepted Answer

For small Python-only projects: pip-audit handles detection adequately. The gap is prioritization — you'll still need EPSS context for triage. For multi-ecosystem projects (Python + npm, Python + Go, etc.), a cross-ecosystem scanner with a unified dashboard becomes essential. Switching between pip-audit, npm audit, and go vulnerability checks on every triage session is operationally expensive.

---

See the EPSS signal pip-audit can't show you.

Scan your requirements.txt with EPSS + CISA KEV enrichment → — paste your requirements file or upload a poetry.lock or Pipfile.lock. Results in under 60 seconds, no account required.