pip-audit is the official Python Packaging Authority tool for scanning PyPI dependencies. It covers OSV/PyPI advisories well — but it only covers advisories. DepWarden extends the picture without replacing your workflow.
Typosquatting. pip install requets installs a malicious package, not the real requests. pip-audit has no advisory to match, so it reports zero findings. DepWarden runs name-similarity analysis on every package name in your requirements.txt or poetry.lock.
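As an added illustration (not DepWarden's own code or its actual algorithm), here is a minimal form of the name-similarity check described above: it parses requirements.txt entries, normalises names per PEP 503, and flags any declared name within two edits of a popular package name without being an exact match. The allowlist, the distance threshold and the sample requirements are assumptions constructed for this example.

```python
import re
# Constructed allowlist (assumption for this example; a real scanner uses the top PyPI names).
POPULAR_PACKAGES = {"requests", "numpy", "django", "urllib3", "pyyaml", "cryptography"}

def parse_requirements(text: str) -> list[str]:
    """Extract normalised project names; skips comments, options (-r/-e) and URLs."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-") or "://" in line:
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name before extras/specifier
        if m:  # PEP 503 normalised form: lowercase, runs of - _ . become '-'
            names.append(re.sub(r"[-_.]+", "-", m.group(0)).lower())
    return names

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: a transposed pair ('requsets') costs one edit."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]

def find_typosquats(text: str, max_distance: int = 2) -> list[tuple[str, str, int]]:
    """Return (declared name, look-alike popular name, distance) for near-misses only."""
    findings = []
    for name in parse_requirements(text):
        if name in POPULAR_PACKAGES:  # exact match is the genuine package, not a finding
            continue
        for target in sorted(POPULAR_PACKAGES):
            d = edit_distance(name, target)
            if d <= max_distance:
                findings.append((name, target, d))
    return findings

# Constructed requirements.txt content with one dropped letter and one transposition.
SAMPLE_REQUIREMENTS = """\
requets==2.31.0
Django[argon2]==4.2 ; python_version >= "3.8"
cryptograpyh
-r other.txt
"""
```

Calling find_typosquats(SAMPLE_REQUIREMENTS) reports requets and cryptograpyh as one edit away from requests and cryptography, while the exact match django is not flagged.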
End-of-life Python and package releases. Python 3.8 reached EOL in October 2024. Django 2.2 went EOL in April 2022. Packages in EOL release lines receive no more security patches — pip-audit won't flag that. DepWarden checks EOL status for every major package and Python itself.
Exploitability prioritisation. pip-audit gives CVEs; DepWarden adds CISA KEV (confirmed active exploitation) and FIRST EPSS (exploit probability) so you see which of your 40 Python CVEs are being actively exploited right now and which can wait.
Supported manifest formats: requirements.txt, Pipfile.lock, poetry.lock, pyproject.toml (PEP 621 / Poetry), setup.cfg, environment.yml (conda).
Combined SCA + Python SAST in one GitHub Action step:
    - uses: Rushabh5000/dep-warden/cli@main
      with:
        file: requirements.txt
        fail-on: high
        sast-dir: ./src
        sast-fail-on: high

SAST covers Django injection patterns, subprocess.run with user input, hardcoded credentials, DEBUG = True in production, and more.

Related: software composition analysis, SAST scanner, detect typosquats in CI.