check_python_venv_security_updates

check_python_venv_security_updates - Icinga/Nagios Plugin for Python Virtualenv Security Audit

Overview

check_python_venv_security_updates is an Icinga/Nagios plugin designed to audit Python virtual environments (virtualenv) for security vulnerabilities and package updates. It leverages the official pip-audit tool to detect known security issues in installed Python packages, while also checking for general package updates.

This plugin is particularly useful for system administrators and DevOps teams who want to continuously monitor Python environments for security risks and outdated packages, integrating the checks directly into monitoring dashboards.


Features

  • Virtualenv-aware: Can target any Python virtual environment by specifying its path.
  • Automatic pip-audit management:
    • Installs pip-audit if not present in the virtualenv.
    • Updates pip-audit to the latest version if necessary.
    • Ensures the check is run as the owner of the virtualenv before doing anything on it.
  • Security auditing:
    • Detects packages with known vulnerabilities and available fixes.
    • Distinguishes vulnerabilities without fixes.
    • Possibility to restrict the audit to packages installed inside the virtualenv.
  • General updates:
    • Detects packages with non-security updates available.
    • Differentiates between security and non-security updates in the output.
  • Icinga/Nagios compatible output:
    • Returns proper exit codes: OK, WARNING, CRITICAL, UNKNOWN.
    • Provides a first-line summary with perfdata (number of packages, vulnerabilities, updates).
    • Provides detailed multi-line information about each vulnerability or update.
  • Verbose and debug modes: Logs detailed information about executed commands and raw outputs.

Installation

git clone \
  https://gitlab.easter-eggs.com/brenard/check_python_venv_security_updates \
  /usr/local/src/check_python_venv_security_updates
ln -s /usr/local/src/check_python_venv_security_updates/check_python_venv_security_updates \
  /usr/local/lib/nagios/plugins/check_python_venv_security_updates

Usage

Basic usage:

/usr/local/lib/nagios/plugins/check_python_venv_security_updates /path/to/virtualenv

Options

Option                                   Description
venv-path                                Required. Path to the Python virtual environment to audit.
-n or --dont-warn-about-not-fixed-vuln   Treat known vulnerabilities without available fixes as OK instead of WARNING.
-I or --ignore-system-packages           Ignore packages installed outside the virtualenv (for a virtualenv created with the --system-site-packages option).
-w or --warn-on-nonsecurity-update       Treat non-security package updates as WARNING instead of OK.
-v or --verbose                          Enable verbose logging.
-d or --debug                            Enable debug logging, including raw command outputs.

Example Output

CRITICAL - 1 security updates available, 1 known vulnerabilities without fix, 8 non-security updates available | installed_packages=2 outdated_packages=8 pending_security_updates=1 not_fixed_vulnerabilities=1

[PENDING SECURITY UPDATES]
setuptools 66.1.1 -> 78.1.1 (PYSEC-2025-49/GHSA-5rjg-fvgr-3xxf/CVE-2025-47273)

[KNOWN VULNERABILITIES]
pip 25.2 (GHSA-4xh5-x5gv-qwph / CVE-2025-8869)

[AVAILABLE UPDATES]
charset-normalizer (3.4.3 -> 3.4.4)
cyclonedx-python-lib (9.1.0 -> 11.2.0)
idna (3.10 -> 3.11)
narwhals (2.7.0 -> 2.8.0)
numpy (2.3.3 -> 2.3.4)
pillow (11.3.0 -> 12.0.0)
setuptools (66.1.1 -> 80.9.0)
SQLAlchemy (2.0.43 -> 2.0.44)

[DETAILS]
pip-audit installed
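To make the severity rules behind this output concrete (fixable vulnerabilities are CRITICAL, vulnerabilities without a fix are WARNING unless -n is given, non-security updates are OK unless -w is given), here is an added example that is not the plugin's own code. It turns the JSON reports of the two underlying tools into a Nagios-style first line with perfdata plus the multi-line sections shown above. The inputs are constructed samples in the shape of `pip-audit -f json` and `pip list --outdated --format json` output (the field names `dependencies`, `vulns`, `fix_versions`, `aliases`, `latest_version` are assumptions about those formats), and `installed_packages` is taken here to be the number of dependencies pip-audit reported.

```python
import json
import sys

# Nagios/Icinga exit codes
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# Constructed sample in the shape of `pip-audit -f json` (assumed field names):
# one vulnerability with a fix, one without, one clean package.
AUDIT_JSON = json.dumps({"dependencies": [
    {"name": "setuptools", "version": "66.1.1", "vulns": [
        {"id": "PYSEC-2025-49", "fix_versions": ["78.1.1"],
         "aliases": ["GHSA-5rjg-fvgr-3xxf", "CVE-2025-47273"]}]},
    {"name": "pip", "version": "25.2", "vulns": [
        {"id": "GHSA-4xh5-x5gv-qwph", "fix_versions": [], "aliases": ["CVE-2025-8869"]}]},
    {"name": "idna", "version": "3.10", "vulns": []},
]})

# Constructed sample with only the unfixable vulnerability, to show the effect of -n
AUDIT_JSON_NOFIX_ONLY = json.dumps({"dependencies": [
    {"name": "pip", "version": "25.2", "vulns": [
        {"id": "GHSA-4xh5-x5gv-qwph", "fix_versions": [], "aliases": ["CVE-2025-8869"]}]},
]})

# Constructed sample in the shape of `pip list --outdated --format json` (assumed field names)
OUTDATED_JSON = json.dumps([
    {"name": "setuptools", "version": "66.1.1", "latest_version": "80.9.0"},
    {"name": "idna", "version": "3.10", "latest_version": "3.11"},
])


def evaluate(audit_json, outdated_json, warn_on_nonsecurity=False, dont_warn_not_fixed=False):
    """Return (exit_code, plugin_output) computed from the two tools' JSON reports."""
    audit = json.loads(audit_json)
    outdated = json.loads(outdated_json)

    pending = []    # vulnerabilities a package upgrade would fix
    not_fixed = []  # vulnerabilities with no released fix
    for dep in audit.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            ids = "/".join([vuln["id"]] + vuln.get("aliases", []))
            if vuln.get("fix_versions"):
                pending.append(f"{dep['name']} {dep['version']} -> {vuln['fix_versions'][-1]} ({ids})")
            else:
                not_fixed.append(f"{dep['name']} {dep['version']} ({ids})")
    updates = [f"{p['name']} ({p['version']} -> {p['latest_version']})" for p in outdated]

    # Severity: a fixable vulnerability is always CRITICAL; the rest depends on the options
    state = OK
    if pending:
        state = CRITICAL
    elif (not_fixed and not dont_warn_not_fixed) or (updates and warn_on_nonsecurity):
        state = WARNING

    summary = (f"{STATE_NAMES[state]} - {len(pending)} security updates available, "
               f"{len(not_fixed)} known vulnerabilities without fix, "
               f"{len(updates)} non-security updates available")
    perfdata = (f"installed_packages={len(audit.get('dependencies', []))} "
                f"outdated_packages={len(updates)} pending_security_updates={len(pending)} "
                f"not_fixed_vulnerabilities={len(not_fixed)}")
    lines = [f"{summary} | {perfdata}"]
    for title, items in (("PENDING SECURITY UPDATES", pending),
                         ("KNOWN VULNERABILITIES", not_fixed),
                         ("AVAILABLE UPDATES", updates)):
        if items:
            lines += ["", f"[{title}]"] + items
    return state, "\n".join(lines)


if __name__ == "__main__":
    # Run stand-alone on the constructed samples; -n and -w mirror the plugin's options
    code, output = evaluate(AUDIT_JSON, OUTDATED_JSON,
                            warn_on_nonsecurity="-w" in sys.argv[1:],
                            dont_warn_not_fixed="-n" in sys.argv[1:])
    print(output)
    sys.exit(code)
```

Note that a package can legitimately appear in both the security and the non-security sections, as setuptools does above: the fix version reported by pip-audit (78.1.1) is the minimum safe version, while pip reports the latest release (80.9.0).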

Integration with Icinga/Nagios

  • Add a command definition in Icinga:
object CheckCommand "check_python_venv_security_updates" {
    command = ["/path/to/check_python_venv_security_updates"]
    arguments = {
        "venv-path" = {
            value = "$pyvenv_path$"
            description = "Python virtualenv path"
            skip_key = true
        }
        "--dont-warn-about-not-fixed-vuln" = {
            set_if = "$pyvenv_dont_warn_about_not_fixed_vuln$"
            description = "Don't warn about vulnerabilities without available fixes"
        }
        "--warn-on-nonsecurity-update" = {
            set_if = "$pyvenv_warn_on_nonsecurity_update$"
            description = "Trigger warning on non-security update available"
        }
    }
    vars.pyvenv_dont_warn_about_not_fixed_vuln = false
    vars.pyvenv_warn_on_nonsecurity_update = false
}
  • Then use it in a service definition for hosts with Python virtual environments.

Requirements

  • Python 3.6+
  • pip available inside the target virtualenv
  • pip-audit will be installed automatically if missing

Copyright

Copyright (c) 2025 Easter-eggs


License

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 3 as published by the Free Software Foundation.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.