Would something like this require:
- a pip extension/plugin/post-install hook API
- a post-install hook that discloses all installed packages and versions (from pypi.org, mirrors, local directory) in exchange for checking an online security DB
- a way to specify a key to e.g. pyup

GitHub and GitLab offer similar functionality:
https://github.blog/2018-07-12-security-vulnerability-alerts-for-python/
https://help.github.com/articles/about-security-alerts-for-vulnerable-depend...
https://docs.gitlab.com/ee/user/project/merge_requests/dependency_scanning.h...
https://gitlab.com/gitlab-org/security-products/dependency-scanning#supporte...
https://pyup.io
https://github.com/pyupio/safety-db
pipenv check relies on safety and Safety-DB to check for known vulnerabilities in locked components
On Monday, February 11, 2019, Julian Berman <julian@grayvines.com> wrote:
Hi.
I recently found myself installing a node.js package, and in the process noticed that (sometime recently?) it started automatically warning about known vulnerabilities during installation of package.jsons (see https://docs.npmjs.com/cli/audit).
At work, we run safety (https://pypi.org/project/safety/) on all our projects (which has both free and paid versions). It's great.
I know there's a ton of wonderful work happening at the minute to improve underlying scaffolding + specification to enable tools other than setuptools + pip to thrive, so maybe this is the wrong moment, but I figured I'd ask anyways :) -- what are opinions on running a similar thing during pip install?
-J
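As an added illustration of what the "post-install hook that checks installed packages against a security DB" discussed in this thread would have to do, here is a self-contained Python sketch. It is example code written for this page, not code from pip, safety, pyup or pipenv. It models the database on the shape of Safety-DB's insecure_full.json (package name mapped to advisories, each carrying a list of PEP 440 version specifiers under "specs"), but the packages, advisory ids and version ranges in SAMPLE_DB are constructed for the example and correspond to no real advisory. The version comparison is a deliberately small numeric-only implementation; a real tool would use packaging.specifiers instead.

```python
"""Sketch of an offline post-install vulnerability check in the style of
safety / pipenv check. Added example for this thread; not pip or safety code."""
import re
from importlib import metadata

# Constructed database in the shape of Safety-DB's insecure_full.json:
# package name -> list of advisories, each with PEP 440 "specs".
# Names, ids and ranges are invented for this example (no real advisory).
SAMPLE_DB = {
    "examplepkg": [
        {
            "id": "example-0001",
            "specs": ["<1.4.2", ">=2.0,<2.0.3"],
            "advisory": "Constructed: examplepkg <1.4.2 and 2.0.x <2.0.3 affected.",
        },
    ],
    "otherlib": [
        {
            "id": "example-0002",
            "specs": ["<=0.9"],
            "advisory": "Constructed: otherlib <=0.9 affected.",
        },
    ],
}

_OPS = {
    "<": lambda c: c < 0, "<=": lambda c: c <= 0,
    ">": lambda c: c > 0, ">=": lambda c: c >= 0,
    "==": lambda c: c == 0, "!=": lambda c: c != 0,
}


def normalize(name):
    """PEP 503 project-name normalization, so 'ExamplePkg' matches 'examplepkg'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v):
    """Numeric-only version parsing: '1.4.2' -> (1, 4, 2).
    Pre-release/local suffixes are dropped (limitation of this sketch)."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def compare(a, b):
    """Return -1, 0 or 1; trailing zeros are insignificant ('1.4' == '1.4.0')."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def matches_spec(version, spec):
    """True if version satisfies every comma-separated clause of a spec
    such as '>=2.0,<2.0.3'."""
    for clause in spec.split(","):
        clause = clause.strip()
        m = re.match(r"(<=|>=|==|!=|<|>)\s*(\S+)$", clause)
        if not m:
            raise ValueError(f"unsupported specifier: {clause!r}")
        op, target = m.groups()
        if not _OPS[op](compare(version, target)):
            return False
    return True


def audit(installed, db):
    """Match installed {name: version} against the DB.
    Returns a list of (normalized name, version, advisory id)."""
    norm_db = {normalize(k): v for k, v in db.items()}
    findings = []
    for name, version in installed.items():
        pkg = normalize(name)
        for entry in norm_db.get(pkg, []):
            if any(matches_spec(version, s) for s in entry["specs"]):
                findings.append((pkg, version, entry["id"]))
    return findings


def collect_installed():
    """What a post-install hook would gather: every distribution in the
    current environment. This is the full inventory that an online check
    would disclose to the DB provider."""
    return {normalize(d.metadata["Name"]): d.version for d in metadata.distributions()}


if __name__ == "__main__":
    for pkg, version, advisory_id in audit(collect_installed(), SAMPLE_DB):
        print(f"{pkg} {version}: {advisory_id}")
```

Because SAMPLE_DB is local, nothing leaves the machine here; the disclosure concern raised above only arises once the same inventory from collect_installed() is sent to an online service instead of matched against a locally cached DB.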