Requires.io – Monitor Vulnerable Project Dependencies

Requires.io is a service that allows users to monitor the requirements of their projects and notifies them whenever a dependency is outdated. It does this by tracking security updates for all the dependencies of a project and marking the project in red as insecure whenever one of them has a known vulnerability.

Requires.io - Monitor Python Project Vulnerable Dependencies

Security advisories are tracked through several means: changelogs, the CVE database, and manual monitoring of packages that have had vulnerabilities disclosed. Each advisory is manually verified, so it can take a handful of hours for notifications to be sent.

Requires.io looks for dependencies in the files matching:

  • setup.py,
  • req*.txt or req*.pip,
  • requirements/*.txt or requirements/*.pip,
  • buildout.cfg, versions.cfg,
  • tox.ini,
  • Pipfile, Pipfile.lock.
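As an added illustration (not Requires.io's own code), the following script approximates the two checks described above: it picks out the dependency files from a repository file listing using the patterns just listed, parses pip-style requirement lines, and marks each pinned dependency as insecure (pinned below an advisory's fixed release) or merely outdated. The package names, advisory data and latest versions are constructed for the example and do not refer to real vulnerabilities.

```python
import re

# File patterns Requires.io scans, as listed on the page; a '*' must not cross a '/'.
DEPENDENCY_FILE_PATTERNS = ["setup.py", "req*.txt", "req*.pip", "requirements/*.txt",
                            "requirements/*.pip", "buildout.cfg", "versions.cfg",
                            "tox.ini", "Pipfile", "Pipfile.lock"]
_FILE_REGEXES = [re.compile(re.escape(p).replace(r"\*", "[^/]*")) for p in DEPENDENCY_FILE_PATTERNS]
# name, optional [extras], optional operator, optional version
_REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?")

def find_dependency_files(repo_paths):
    """Return the repo-relative paths that match the dependency-file patterns."""
    return [p for p in repo_paths if any(r.fullmatch(p) for r in _FILE_REGEXES)]

def parse_requirements(text):
    """Parse pip-style lines into (name, operator, version); skips comments and -r/-e options."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments and env markers
        if not line or line.startswith("-"):
            continue
        m = _REQ_LINE.match(line)
        if m:
            specs.append((m.group(1).lower(), m.group(2), m.group(3)))
    return specs

def _vkey(version):
    # Numeric dotted comparison only; full PEP 440 ordering is out of scope here (assumption).
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))

def assess(specs, advisories, latest):
    """Classify each dependency as insecure, outdated, unpinned or ok, plus an overall status."""
    findings = []
    for name, op, version in specs:
        if op != "==" or version is None:        # only exact pins can be checked offline
            findings.append((name, "unpinned"))
            continue
        fixed_in = advisories.get(name)
        if fixed_in and _vkey(version) < _vkey(fixed_in):
            findings.append((name, "insecure"))  # known advisory, pinned below the fixed release
        elif name in latest and _vkey(version) < _vkey(latest[name]):
            findings.append((name, "outdated"))
        else:
            findings.append((name, "ok"))
    statuses = {s for _, s in findings}
    overall = "insecure" if "insecure" in statuses else "outdated" if "outdated" in statuses else "up-to-date"
    return findings, overall

# Constructed sample data: fictional packages and advisory data, not real vulnerabilities.
SAMPLE_REQUIREMENTS = "acmeweb==2.3.0  # pinned below the fixed release\nfastjson[secure]>=1.0\nbetterlog==4.1.0\n-r base.txt\n"
SAMPLE_ADVISORIES = {"acmeweb": "2.4.1"}      # name -> first release that fixes the advisory
SAMPLE_LATEST = {"acmeweb": "2.5.0", "fastjson": "1.2.0", "betterlog": "4.1.0"}

if __name__ == "__main__":
    print(find_dependency_files(["setup.py", "requirements/dev.txt", "docs/req.txt", "Pipfile"]))
    print(assess(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES, SAMPLE_LATEST))
```

The overall status mirrors the badge colours: any insecure pin turns the project red regardless of how many others are merely outdated.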

There are three types of notifications supported, all opt-in:

  • Badges – badges that track a project's status. These sleek-looking badges are generated using the awesome shields.io, and snippets of code (in Markdown, Textile, RDoc, HTML and reStructuredText) are provided ready to be copy-pasted into the project's README file.
  • Emails – easily control the scope (outdated or insecure) and frequency (daily, weekly or monthly) to avoid getting too many emails.
  • Pull requests (GitHub only) – GitHub users can opt in to receiving pull requests: instead of manually bumping your requirements, just accept the pull request.

You can read more and try it for free with a GitHub or Bitbucket repository over here: https://requires.io/
