Thoth Security Advises

Thoth allows users to request security advises. When a security-based advise is requested, the pipeline unit SecurityIndicatorsStep is included and changes the behaviour of the CvePenalizationStep. The SecurityIndicatorsStep aggregates information from si-cloc and si-bandit, which wrap cloc and bandit so that they run on specific Python package versions and their results can be easily stored in our DB. The CVE penalization step, instead of penalizing a package version for having a known CVE, completely removes it from resolution.

This is a living document; as other methods of judging a package's security are added to Thoth, this document will be updated to reflect these new ways of scoring.


Thoth uses the vulnerability database published by the Python Packaging Authority (PyPA), see pypa/advisory-db [1]. This database keeps track of known vulnerabilities in Python packages.

Vulnerability Static Analysis for Containers based on Quay Clair

When using container images provided by the Thoth team, users get additional guidance on the container image level with respect to vulnerabilities. Quay Clair is used to obtain vulnerability-related reports. These reports are automatically synced into Thoth's knowledge base using prescriptions and are available to users who consume Thoth advisories.


Bandit [2] is a project created by the PyCQA (Python Code Quality Authority). It transforms Python code into an abstract syntax tree (AST) and runs static checks looking for common security issues in Python. Bandit classifies each issue by severity and confidence.


cloc [3] is a command line tool that counts lines of code. Thoth uses the count as a normalizer for the security score: a single high-severity, high-confidence issue in a small Python project is much more concerning than the same issue found in a large project.
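The two behaviours described above, the CVE penalization step removing (rather than penalizing) affected versions in security mode, and Bandit findings normalized by the cloc line count, as an added illustrative model. This is not thoth-adviser's code: the advisory table, the severity/confidence weights and the per-1000-lines formula are constructed assumptions.

```python
"""Constructed model of security scoring in a Thoth-style resolver (not Thoth's own code)."""
from dataclasses import dataclass, field

# Constructed stand-in for the PyPA advisory database: package -> version -> advisory ids.
ADVISORY_DB = {
    "examplepkg": {"1.0.0": ["PYSEC-EXAMPLE-0001"]},
}

# Assumed weights for Bandit's severity and confidence levels (not a Thoth formula).
SEVERITY_WEIGHT = {"LOW": 1, "MEDIUM": 3, "HIGH": 9}
CONFIDENCE_WEIGHT = {"LOW": 0.25, "MEDIUM": 0.5, "HIGH": 1.0}


@dataclass
class Candidate:
    """A package version considered during resolution."""
    name: str
    version: str
    score: float = 0.0
    # Bandit findings as (severity, confidence) pairs; constructed sample input.
    findings: list = field(default_factory=list)
    lines_of_code: int = 1  # cloc count used as the normalizer


def security_indicator_score(findings, lines_of_code):
    """Weighted Bandit findings per 1000 lines of code (assumed normalization).

    The same HIGH/HIGH finding scores 100x worse in a 100-line project
    than in a 10,000-line one, which is the point of using cloc as a normalizer.
    """
    if lines_of_code <= 0:
        raise ValueError("cloc count must be positive to normalize")
    weighted = sum(SEVERITY_WEIGHT[s] * CONFIDENCE_WEIGHT[c] for s, c in findings)
    return weighted * 1000 / lines_of_code


def cve_penalization(candidates, recommendation_type, penalty=0.2):
    """Apply the CVE step: drop affected versions in security mode, penalize otherwise."""
    kept = []
    for cand in candidates:
        advisories = ADVISORY_DB.get(cand.name, {}).get(cand.version, [])
        if not advisories:
            kept.append(cand)
            continue
        if recommendation_type == "security":
            continue  # removed from resolution entirely, never scored
        cand.score -= penalty * len(advisories)  # assumed per-advisory penalty
        kept.append(cand)
    return kept
```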

Security Scorecards for Open Source Projects

The Open Source Security Foundation provides Security Scorecards for open-source projects. Thoth uses Scorecards results in recommendations to provide additional knowledge about Python packages to users. See the list of available Scorecards checks for details on what is evaluated.

The Security Scorecards used in Thoth are available in the thoth-station/prescriptions repository.

Quay security scans of container image

Another source of security information is data from the Quay [4] security scanners. Quay scans container images for security vulnerabilities. Information about vulnerabilities in container images is automatically aggregated by Thoth's background data aggregation logic for the container images provided by the Thoth team. By using these container images, users get fine-grained insight into vulnerabilities present at the container image level in addition to those in their software stacks.

Using security advises in OpenShift S2I

Thoth's integration in OpenShift S2I can block building Python applications that are potentially vulnerable. By setting recommendation_type to security, the build process fails if any package is considered vulnerable.