
Auditing dependencies

audit runs uv audit --frozen against the locked dependencies of every uv.lock found in the source tree, in parallel, and reports any known vulnerabilities.

Auditing a whole source tree

The top-level audit is a check: it discovers every workspace in your source (one per uv.lock) and audits them all in parallel. It exits non-zero if any workspace has a finding, and each workspace's report shows up as its own node in the Dagger trace, so a failure points you straight at the offending lockfile.

Installing the module as a toolchain surfaces the check as uv:audit, so you can run it directly alongside your other Dagger checks:

$ dagger check uv:audit
await dag.uv(source=src).audit()

Skipping workspaces

Test fixtures and intentionally-vulnerable sample projects shouldn't fail your build. Pass glob patterns (matched against each workspace's source-relative path) to exclude them:

$ dagger call audit --exclude '**/tests/_packages/**'
await dag.uv(source=src).audit(exclude=["**/tests/_packages/**"])

Auditing a single workspace

To audit a specific workspace, specify it by path:

$ dagger call workspace --path services/api audit run
await dag.uv(source=src).workspace(path="services/api").audit().run()
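As an added illustration of what the check and its exclude option do (my own stand-alone sketch, not the module's code), the Python below discovers every uv.lock under a source root, drops workspaces matching exclude globs, runs uv audit --frozen in each in parallel, and reports which workspaces had a finding. The glob semantics ('**' spanning directories), the constructed sample tree and the assumption that uv audit exits non-zero on a finding are mine, not documented by the module.

```python
import fnmatch
import subprocess
import tempfile
from concurrent.futures import ThreadPoolExecutor
from pathlib import Path

def glob_match(pattern: str, rel_path: str) -> bool:
    """Match a source-relative workspace path against one exclude glob.
    Assumed semantics: '**' spans zero or more directories, '*' stays within one."""
    def walk(pat, parts):
        if not pat:
            return not parts
        if pat[0] == "**":
            return any(walk(pat[1:], parts[i:]) for i in range(len(parts) + 1))
        return bool(parts) and fnmatch.fnmatchcase(parts[0], pat[0]) and walk(pat[1:], parts[1:])
    return walk(pattern.split("/"), [p for p in rel_path.split("/") if p])

def discover_workspaces(source: Path, exclude=()) -> list[str]:
    """Source-relative directory of every uv.lock ('' for the root), minus excluded ones."""
    found = sorted(p.parent.relative_to(source).as_posix() for p in source.rglob("uv.lock"))
    found = ["" if w == "." else w for w in found]
    return [w for w in found if not any(glob_match(pat, w) for pat in exclude)]

def audit_workspace(source: Path, workspace: str) -> tuple[str, int, str]:
    """Run `uv audit --frozen` in one workspace; returns (workspace, exit code, output)."""
    proc = subprocess.run(["uv", "audit", "--frozen"], cwd=source / workspace,
                          capture_output=True, text=True)
    return workspace, proc.returncode, proc.stdout + proc.stderr

def audit_tree(source: Path, exclude=(), runner=audit_workspace) -> dict[str, int]:
    """Audit every non-excluded workspace in parallel; one exit code per lockfile."""
    with ThreadPoolExecutor() as pool:
        results = list(pool.map(lambda ws: runner(source, ws), discover_workspaces(source, exclude)))
    return {ws: code for ws, code, _ in results}

def failing_workspaces(results: dict[str, int]) -> list[str]:
    """Workspaces with a finding; the check as a whole fails if this is non-empty.
    Assumes `uv audit` exits non-zero when it reports a vulnerability."""
    return sorted(ws or "." for ws, code in results.items() if code != 0)

def build_sample_tree() -> Path:
    """Constructed fixture: a root workspace, a service, and a vulnerable test fixture."""
    root = Path(tempfile.mkdtemp())
    for ws in ("", "services/api", "tests/_packages/vuln-sample"):
        (root / ws).mkdir(parents=True, exist_ok=True)
        (root / ws / "uv.lock").write_text("version = 1\n")  # placeholder lock contents
    return root

if __name__ == "__main__":
    bad = failing_workspaces(audit_tree(Path("."), exclude=["**/tests/_packages/**"]))
    raise SystemExit(f"audit findings in: {', '.join(bad)}" if bad else 0)
```

Run from a source root with uv installed; the exclude pattern mirrors the one used above so the test fixture is skipped while the root and services/api are still audited.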