
zerogru Art of Vector


Built a Python Dependency Audit Tool Because Vulnerability Lists Weren’t Enough

Chifleton

Evidence-ready dependency audits for Python projects.

Chifleton is a CLI tool that produces structured, audit-friendly reports (JSON / HTML) for Python dependency security reviews.

It is not just about finding vulnerabilities.

It is about making results reviewable, repeatable, and explainable.


Why Chifleton?

Most tools stop at providing a simple list:

“Here is a list of CVEs.”

But real security reviews and compliance audits require more:

  • Scope: What exact dependencies were checked?
  • Provenance: Which data source was used? (e.g., https://osv.dev)
  • Context: When was the scan run?
  • Persistence: Can results be reviewed later without re-running the scan?

Chifleton focuses on what comes after detection — producing structured evidence suitable for documentation and audit trails.


Features

  • Scans Python dependency files:
    • requirements.txt
    • pyproject.toml
  • Queries public vulnerability data via OSV.dev
  • Generates:
    • JSON reports (machine-readable, for automation and archiving)
    • HTML reports (human-readable audit artifacts)
  • Designed as a reporting companion — not a replacement for existing scanners
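
To make the four evidence requirements (scope, provenance, context, persistence) concrete, here is an added example of the report shape such a tool can produce. It is written for this post and is not Chifleton's own code; the sample requirements.txt and the OSV-style response are constructed inline, the vulnerability IDs in that response are placeholders (real querybatch results carry GHSA- or PYSEC- identifiers), and the example never contacts the network. It builds the documented OSV `/v1/querybatch` request body for the exact pins, records the unpinned lines as out of scope rather than silently dropping them, and stamps the report with the input digest, the data source and a UTC timestamp so it can be re-verified later without re-scanning.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# Real OSV batch endpoint (documented at osv.dev); this example never contacts it.
OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"

# Constructed sample requirements.txt: two exact pins, one range, a comment, a marker.
SAMPLE_REQUIREMENTS = """\
# application dependencies
requests==2.25.1
pyyaml==5.3.1 ; python_version >= "3.8"
flask>=2.0  # not an exact pin: cannot be queried without resolving it first
"""

# Constructed response in the shape OSV's querybatch returns: results are positional
# (results[i] answers queries[i]) and each vuln carries only id + modified.
# The IDs below are placeholders, not real advisories.
SAMPLE_OSV_RESPONSE = {
    "results": [
        {"vulns": [{"id": "EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]},
        {"vulns": []},
    ]
}

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_requirements(text):
    """Split a requirements file into exact pins (queryable) and everything else.
    Recording the non-pins is what keeps the report's scope honest."""
    pinned, unresolved = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            pinned.append((m.group(1).lower(), m.group(2)))
        else:
            unresolved.append(line.split(";", 1)[0].strip())  # drop env markers
    return pinned, unresolved


def build_osv_batch_query(pinned):
    """Request body for POST /v1/querybatch, one query per pinned package."""
    return {"queries": [{"package": {"name": name, "ecosystem": "PyPI"}, "version": version}
                        for name, version in pinned]}


def build_report(requirements_text, osv_response, scanned_at=None):
    """Audit-style report: what was checked, what was not, which source, and when."""
    pinned, unresolved = parse_requirements(requirements_text)
    results = osv_response["results"]
    if len(results) != len(pinned):
        # answers are positional; a length mismatch would misattribute findings
        raise ValueError("OSV result count does not match query count")
    findings = [
        {"package": name, "version": version, "id": v["id"], "modified": v.get("modified")}
        for (name, version), result in zip(pinned, results)
        for v in result.get("vulns", [])
    ]
    scanned_at = scanned_at or datetime.now(timezone.utc)
    return {
        "scope": {
            "input_sha256": hashlib.sha256(requirements_text.encode()).hexdigest(),
            "checked": [f"{n}=={v}" for n, v in pinned],
            "not_checked": unresolved,
        },
        "provenance": {"source": OSV_BATCH_URL, "ecosystem": "PyPI"},
        "scanned_at": scanned_at.isoformat(),
        "findings": findings,
    }


def report_to_json(report):
    """Deterministic serialization so two reports over the same input diff cleanly."""
    return json.dumps(report, indent=2, sort_keys=True)


def verify_report_scope(report, requirements_text):
    """Later review: does this archived report describe this exact requirements file?"""
    digest = hashlib.sha256(requirements_text.encode()).hexdigest()
    return report["scope"]["input_sha256"] == digest


if __name__ == "__main__":
    report = build_report(SAMPLE_REQUIREMENTS, SAMPLE_OSV_RESPONSE)
    print(report_to_json(report))
```

In a real run the output of build_osv_batch_query would be POSTed to OSV_BATCH_URL; because querybatch returns only id and modified per vulnerability, the details for each finding have to be fetched separately from the individual vulnerability endpoint and should be stored alongside the report if the audit trail is meant to stand on its own. The not_checked list is the caveat reviewers most often miss: a range like flask>=2.0 was never queried, and a report that omits that fact overstates its coverage.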

Installation

git clone https://github.com/0x5A65726F677275/chifleton
cd chifleton
pip install .

Usage

Basic scan:

chifleton scan requirements.txt

Generate an HTML report:

chifleton scan requirements.txt --report html

Example output:

Scanning dependencies...
Resolving versions...
Querying vulnerability database...
Generating report...
Report saved to scan-report.html

When Should You Use It?

Chifleton is ideal for:

  • Python projects undergoing formal security reviews
  • Maintainers who need archived audit artifacts
  • Teams that want structured, reproducible security evidence

If you only need quick vulnerability checks during development, tools like pip-audit may be sufficient.

Use Chifleton when you need documented, reviewable evidence.


Repository Structure

chifleton/
├─ chifleton/       # Core CLI implementation
├─ ASSESSMENT.md    # Policy / audit alignment notes
├─ SECURITY.md      # Security reporting policy
└─ LICENSE          # MIT

Author

Jaeha Yoo


License

MIT
