https://blog.pypi.org/posts/2023-11-14-1-pypi-completes-first-security-audit/ [ ] [ ] Skip to content logo The Python Package Index PyPI has completed its first security audit ( ) ( ) GitHub logo GitHub * The PyPI Blog * Tags * [*] Posts Posts + Welcome to the PyPI Blog + Introducing 'Trusted Publishers' + Introducing PyPI Organizations + Announcing the PyPI Safety & Security Engineer role + Removing PGP from PyPI + PyPI was subpoenaed + Securing PyPI accounts via Two-Factor Authentication + Reducing Stored IP Data in PyPI + Enforcement of 2FA for upload.pypi.org begins today + Announcing the launch of PyPI Malware Reporting and Response project + Deprecation of bdist_egg uploads to PyPI + PyPI hires a Safety & Security Engineer + 2FA Enforcement for New User Registrations + GitHub now scans public issues for PyPI secrets + Inbound Malware Volume Report + [ ] PyPI has completed its first security audit PyPI has completed its first security audit Table of contents o Scope o Findings o Results & Impact o More details o Acknowledgements + Security Audit Remediation: Warehouse + Security Audit Remediation: cabotage Table of contents * Scope * Findings * Results & Impact * More details * Acknowledgements PyPI has completed its first security audit by: Dustin Ingram * 2023-11-14 #security #transparency This is part one in a three-part series. See part two here, and part three here We are proud to announce that PyPI has completed its first ever external security audit. This work was funded in partnership with the Open Technology Fund (OTF), a previous supporter of security-related improvements to PyPI. The Open Technology Fund selected Trail of Bits, an industry-leading cybersecurity firm with significant open-source and Python experience, to perform the audit. Trail of Bits spent a total of 10 engineer-weeks of effort identifying issues, presenting those findings to the PyPI team, and assisting us as we remediated the findings. Scope The audit was focused on "Warehouse", the open-source codebase that powers https://pypi.org, and on "cabotage", the custom open-source container orchestration framework we use to deploy Warehouse. It included code review of both codebases, prioritizing areas that accept user input, provide APIs and other public surfaces. The audit also covered the continuous integration / continuous deployment (CI/ CD) configurations for both codebases. Findings Overall, the auditors determined the Warehouse codebase "was adequately tested and conformed to widely accepted best practices for secure Python and web development," and that while the cabotage codebase lacks the same level of testing, they did not identify any high severity issues in either codebase. Results & Impact As a result of the audit, Trail of Bits detailed 29 different advisories discovered across both codebases. When evaluating severity level of each advisory, 14 were categorized as "informational", 6 as "low", 8 as "medium" and zero as "high". At the time of writing, the PyPI team has remediated all advisories that posed a significant risk in both codebases where possible, and has worked with third-party teams to unblock additional remediations where necessary. More details In the interest of transparency, today we are publishing the full results of the audit, as prepared by Trail of Bits. You can read more about the audit from their perspective in their accompanying blog post. Additionally, in two additional blog posts published today, Mike Fiedler (PyPI Security & Safety Engineer) goes into detail about how we remediated these findings in Warehouse and Ee Durbin (Python Software Foundation Director of Infrastructure) similarly details remediation's in cabotage. Acknowledgements We would like to thank the Open Technology Fund for their continued support of PyPI and specifically for this significant security milestone for the Python ecosystem. We would also like to thank Trail of Bits for being a dependable, thorough and thoughtful partner throughout the process. Made with Material for MkDocs