Skip to main content
Redhat Developers  Logo
  • Products

    Platforms

    • Red Hat Enterprise Linux
      Red Hat Enterprise Linux Icon
    • Red Hat AI
      Red Hat AI
    • Red Hat OpenShift
      Openshift icon
    • Red Hat Ansible Automation Platform
      Ansible icon
    • View All Red Hat Products

    Featured

    • Red Hat build of OpenJDK
    • Red Hat Developer Hub
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenShift Dev Spaces
    • Red Hat OpenShift Local
    • Red Hat Developer Sandbox

      Try Red Hat products and technologies without setup or configuration fees for 30 days with this shared Openshift and Kubernetes cluster.
    • Try at no cost
  • Technologies

    Featured

    • AI/ML
      AI/ML Icon
    • Linux
      Linux Icon
    • Kubernetes
      Cloud icon
    • Automation
      Automation Icon showing arrows moving in a circle around a gear
    • View All Technologies
    • Programming Languages & Frameworks

      • Java
      • Python
      • JavaScript
    • System Design & Architecture

      • Red Hat architecture and design patterns
      • Microservices
      • Event-Driven Architecture
      • Databases
    • Developer Productivity

      • Developer productivity
      • Developer Tools
      • GitOps
    • Automated Data Processing

      • AI/ML
      • Data Science
      • Apache Kafka on Kubernetes
    • Platform Engineering

      • DevOps
      • DevSecOps
      • Ansible automation for applications and services
    • Secure Development & Architectures

      • Security
      • Secure coding
  • Learn

    Featured

    • Kubernetes & Cloud Native
      Openshift icon
    • Linux
      Rhel icon
    • Automation
      Ansible cloud icon
    • AI/ML
      AI/ML Icon
    • View All Learning Resources

    E-Books

    • GitOps Cookbook
    • Podman in Action
    • Kubernetes Operators
    • The Path to GitOps
    • View All E-books

    Cheat Sheets

    • Linux Commands
    • Bash Commands
    • Git
    • systemd Commands
    • View All Cheat Sheets

    Documentation

    • Product Documentation
    • API Catalog
    • Legacy Documentation
  • Developer Sandbox

    Developer Sandbox

    • Access Red Hat’s products and technologies without setup or configuration, and start developing quicker than ever before with our new, no-cost sandbox environments.
    • Explore Developer Sandbox

    Featured Developer Sandbox activities

    • Get started with your Developer Sandbox
    • OpenShift virtualization and application modernization using the Developer Sandbox
    • Explore all Developer Sandbox activities

    Ready to start developing apps?

    • Try at no cost
  • Blog
  • Events
  • Videos

Secure your Python applications with Thoth recommendations

September 29, 2021
Fridolin Pokorny Kevin Postlethwait
Related topics:
Artificial intelligenceOpen sourcePythonSecuritySecure Coding
Related products:
Red Hat OpenShiftRed Hat Enterprise Linux

Share:

    This article introduces you to using Thoth's security recommender to scan for flaws in your Python applications. Security checks were recently added in Project Thoth, a cloud-based resolver for Python applications.

    Why we need security recommendations

    Software engineering history has proven countless times that shipping secure software is not easy, and that security problems often lie not in the application developer's code but in imported packages. Software commonly uses libraries written by other developers, and an application's security is dependent on those libraries. If a library has vulnerabilities, the dependent application will inherit them when the library code is executed. Given the complexity and variety of libraries available in the open source world, it is not possible to review all the source code publicly available with rigorous security expertise.

    Project Thoth is a native application on Red Hat OpenShift, hosted on the Operate First environment. Thoth can resolve software packages not to the “latest” but to the “greatest” library version. Thoth offers a variety of recommendation types to determine the "greatest" version based on different criteria, which guides the installation process. Security is now one of Thoth's recommendation types.

    How Thoth makes security recommendations

    Thoth uses three main sources for security-based advisories that affect Python packages:

    1. The Python Packaging Advisory Database
    2. Results computed in Thoth's "security indicators" workflow
    3. Security scorecards for open source projects by the Open Source Security Foundation (OpenSSF)

    Recently, the Python Packaging Authority (PyPA) announced a publicly available database of known vulnerabilities in open source Python libraries, mostly those hosted on the Python Package Index (PyPI). Thoth’s background data aggregation logic periodically fetches the database of known vulnerabilities and automatically blocks the resolution of software package versions that are prone to security vulnerabilities.

    Note: Watch this video for a demonstration of how the resolver flags security problems.

    Thoth engineers created the second source of data for security-based advisories. This source uses Thoth’s data aggregation architecture, in which each package imported by the application is statically scanned for possible issues using the open source Bandit tool. The information derived by Bandit is used to score packages during resolution. See Thoth’s security advisories documentation for more about how Thoth uses Bandit.

    Note: This video demonstrates how the Bandit-based recommendations are computed.

    The third source of security-related advisories consists of security scorecards that provide health metrics for open-source software. See the OpenSSF blog or the OpenSSF GitHub repository for more about security scorecards.

    Thoth’s resolution engine can easily be extended to include more sources of information. We are constantly looking for new sources and mechanisms for scoring packages. If you have domain knowledge in this area, the Thoth team welcomes your contributions and suggestions.

    Get a Thoth security recommendation

    To enable security-based recommendations that include the sources stated earlier, simply configure the recommendation type to be "security" in any of Thoth's three types of client tooling:

    • The Thamos command-line interface (CLI)
    • Thoth’s OpenShift Source-to-Image (S2I) container images
    • jupyterlab-requirements

    The easiest way to test security-based recommendations is to install the Thamos CLI, configure it, and ask Thoth for an advisory:

    $ pip install thamos
    $ thamos config
    $ thamos add flask
    $ thamos advise --recommendation-type security

    In this example, the cloud-based resolver evaluates versions of Flask as well as its dependencies. It will look for known security issues and suggest the most appropriate versions based on the most recent security knowledge for those dependencies. (See the end of this article for a video demonstration of the resolution process.)

    Using Thoth in the S2I build process

    The Thoth team provides container images that have Thoth tooling to consume recommendations during the OpenShift S2I build process. These container images are hosted on Quay.io in the thoth-station organization. For the documentation, see the GitHub repository hosting Thoth's S2I container images.

    To benefit from Thoth’s recommendations in an OpenShift S2I process, use Thoth’s S2I base images during the build process. Because these images are compatible with vanilla S2I container images (in fact, the Thoth images are based on the vanilla ones), all you need to do is change the builder container image used in the S2I build process. The thoth-s2i tool can facilitate an automated transition to a Thoth-guided S2I build process.

    Note: This video shows the adjusted OpenShift S2I build process with Thoth advisories.

    Watch a video demonstration

    The following video gives an in-depth demonstration of how to resolve Python software packages without security vulnerabilities.

    Helping the Python community create healthy applications

    As part of Project Thoth, we are accumulating knowledge about Python packages to help Python developers create healthy and secure applications. If you would like to follow updates in the project, please subscribe to the Thoth Station YouTube channel or follow us on the @ThothStation Twitter handle.

    Last updated: September 19, 2022

    Related Posts

    • Resolve Python dependencies with Thoth Dependency Monkey

    • Thoth prescriptions for resolving Python dependencies

    • Managing Python dependencies with the Thoth JupyterLab extension

    • Continuous learning in Project Thoth using Kafka and Argo

    Recent Posts

    • Migrating Ansible Automation Platform 2.4 to 2.5

    • Multicluster resiliency with global load balancing and mesh federation

    • Simplify local prototyping with Camel JBang infrastructure

    • Smart deployments at scale: Leveraging ApplicationSets and Helm with cluster labels in Red Hat Advanced Cluster Management for Kubernetes

    • How to verify container signatures in disconnected OpenShift

    Red Hat Developers logo LinkedIn YouTube Twitter Facebook

    Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform

    Build

    • Developer Sandbox
    • Developer Tools
    • Interactive Tutorials
    • API Catalog

    Quicklinks

    • Learning Resources
    • E-books
    • Cheat Sheets
    • Blog
    • Events
    • Newsletter

    Communicate

    • About us
    • Contact sales
    • Find a partner
    • Report a website issue
    • Site Status Dashboard
    • Report a security problem

    RED HAT DEVELOPER

    Build here. Go anywhere.

    We serve the builders. The problem solvers who create careers with code.

    Join us if you’re a developer, software engineer, web designer, front-end designer, UX designer, computer scientist, architect, tester, product manager, project manager or team lead.

    Sign me up

    Red Hat legal and privacy links

    • About Red Hat
    • Jobs
    • Events
    • Locations
    • Contact Red Hat
    • Red Hat Blog
    • Inclusion at Red Hat
    • Cool Stuff Store
    • Red Hat Summit
    © 2025 Red Hat

    Red Hat legal and privacy links

    • Privacy statement
    • Terms of use
    • All policies and guidelines
    • Digital accessibility

    Report a website issue