Thoth Security Advice

Thoth allows users to request security advice. When security-based advice is requested, the pipeline unit SecurityIndicatorsStep is included and the behaviour of the CvePenalizationStep changes. The SecurityIndicatorsStep aggregates information from si-cloc and si-bandit, which wrap cloc and bandit so that they run on specific Python package versions and produce results that are easy to store in our DB. Instead of penalizing a package version for having a known CVE, the CVE penalization step removes that version from resolution completely.

This is a living document. As other methods of judging a package's security are added to Thoth, this document will be updated to reflect these new ways of scoring.


Thoth uses the vulnerability database published by the Python packaging association (PyPA); see pypa/advisory-db [1]. This database keeps track of known vulnerabilities in Python packages.


Bandit [2] is a project created by the PyCQA (Python Code Quality Authority) which transforms Python code into an abstract syntax tree (AST) and runs static code quality checks looking for common security issues in Python. Bandit classifies the issues by severity and confidence.


cloc [3] is a command-line tool that counts lines of code. The line count is used as a normalizer for the security score: a single high-severity, high-confidence issue in a small Python project is much more concerning than a single high-severity, high-confidence issue in a large project.
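The normalization described above, as an added example that is not Thoth's own code: Bandit findings are weighted by severity and confidence and divided by the Python line count reported by cloc. The weights, the per-1000-lines scale and the sample reports are assumptions made for illustration; the field names follow Bandit's JSON output and the output of cloc --json.

```python
import json

# Assumed weights (not Thoth's actual values): a higher level counts for more.
WEIGHT = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample reports, trimmed to the fields this example reads.
BANDIT_SMALL = json.loads("""{"results": [
  {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH"}]}""")
CLOC_SMALL = json.loads('{"Python": {"nFiles": 2, "blank": 20, "comment": 10, "code": 200}}')

BANDIT_LARGE = json.loads("""{"results": [
  {"test_id": "B602", "issue_severity": "HIGH", "issue_confidence": "HIGH"},
  {"test_id": "B101", "issue_severity": "LOW", "issue_confidence": "MEDIUM"}]}""")
CLOC_LARGE = json.loads('{"Python": {"nFiles": 310, "blank": 9000, "comment": 7000, "code": 50000}}')

# A package with no Python source counted (for example, only native code).
CLOC_NO_PYTHON = json.loads('{"C": {"nFiles": 4, "blank": 50, "comment": 30, "code": 900}}')


def weighted_issues(bandit_report):
    """Sum severity weight times confidence weight over all Bandit findings."""
    return sum(
        WEIGHT[r["issue_severity"]] * WEIGHT[r["issue_confidence"]]
        for r in bandit_report.get("results", [])
    )


def issue_density(bandit_report, cloc_report, per_lines=1000):
    """Weighted findings per `per_lines` lines of Python code.

    Returns None when cloc counted no Python code: the score is then
    undefined, which is different from a clean score of zero.
    """
    loc = cloc_report.get("Python", {}).get("code", 0)
    if loc <= 0:
        return None
    return weighted_issues(bandit_report) * per_lines / loc


if __name__ == "__main__":
    print("small project:", issue_density(BANDIT_SMALL, CLOC_SMALL))
    print("large project:", issue_density(BANDIT_LARGE, CLOC_LARGE))
    print("no Python code:", issue_density(BANDIT_SMALL, CLOC_NO_PYTHON))
```

The small project scores far higher than the large one even though the large one has more findings, which is the effect the cloc normalizer is meant to produce.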

Security Scorecards for Open Source Projects

The Open Source Security Foundation provides Security Scorecards for open-source projects. Thoth uses scorecards in recommendations to provide additional knowledge about Python packages to users. If you are interested, see the available scorecards checks.

The Security Scorecards used in Thoth are available in the thoth-station/prescriptions repository.

Using security advice in OpenShift S2I

Thoth’s integration in OpenShift S2I can block the build of Python applications that are potentially vulnerable. When recommendation_type is set to security, the build process fails if any package is considered vulnerable.