Would something like this require:<div><br></div><div>- a pip extension/plugin/post-install hook API</div><div>- a post-install hook that discloses all installed packages and versions (from <a href="http://pypi.org">pypi.org</a>, mirrors, local directory) in exchange for checking and online security DB</div><div>- a way to specify a key to e.g. pyup</div><div><br></div><div>GItHub and GitLab offer similar functionality:</div><div><br></div><div><a href="https://github.blog/2018-07-12-security-vulnerability-alerts-for-python/">https://github.blog/2018-07-12-security-vulnerability-alerts-for-python/</a></div><div>  <a href="https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/">https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/</a></div><div><br></div><div><a href="https://docs.gitlab.com/ee/user/project/merge_requests/dependency_scanning.html">https://docs.gitlab.com/ee/user/project/merge_requests/dependency_scanning.html</a></div><div>  <a href="https://gitlab.com/gitlab-org/security-products/dependency-scanning#supported-languages-and-package-managers">https://gitlab.com/gitlab-org/security-products/dependency-scanning#supported-languages-and-package-managers</a><br><br><a href="https://pyup.io">https://pyup.io</a></div><div><br></div><div><a href="https://github.com/pyupio/safety-db">https://github.com/pyupio/safety-db</a><br></div><div><br></div><div>&gt; pipenv check relies on safety and Safety-DB to check for known vulnerabilities in locked components</div><div><br><br>On Monday, February 11, 2019, Julian Berman &lt;<a href="mailto:julian@grayvines.com">julian@grayvines.com</a>&gt; wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi.<div><br></div><div>I recently found myself installing a node.js package, and in the process noticed that (sometime recently?) it started automatically warning about known vulnerabilities during installation of package.jsons (see <a href="https://docs.npmjs.com/cli/audit" target="_blank">https://docs.npmjs.com/<wbr>cli/audit</a>).</div><div><br></div><div>At work, we run safety (<a href="https://pypi.org/project/safety/" target="_blank">https://pypi.org/project/<wbr>safety/</a>) on all our projects (which has both free and paid versions). It&#39;s great.</div><div><br></div><div>I know there&#39;s a ton of wonderful work happening at the minute to improve underlying scaffolding + specification to enable tools other than setuptools + pip to thrive, so maybe this is the wrong moment, but I figured I&#39;d ask anyways :) -- what are opinions on running a similar thing during pip install?</div><div><br></div><div>-J</div></div>
</blockquote></div>