microsoft / vscode-python

Python extension for Visual Studio Code
https://aka.ms/pvsc-marketplace
MIT License

Add a pip audit command/task #18115

Open tonybaloney opened 2 years ago

tonybaloney commented 2 years ago

I'm looking for a solution to automatically scan the packages in my selected interpreter for a workspace and raise warning/log messages on the UI when there are security vulnerabilities.

pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database (https://github.com/pypa/advisory-db) via the PyPI JSON API as a source of vulnerability reports.

So far, the best I can come up with is a task to run pip-audit on a project, but this has to be configured per project; there is no way I can find to have this for all projects with a configured interpreter.

{
    "version": "2.0.0",
    "tasks": [
        {
            "label": "Pip Audit",
            "type": "shell",
            "command": "${command:python.interpreterPath}",
            "args": ["-m", "pip_audit"],
            "isBackground": true,
            "group": "none",
            "runOptions": {
                "runOn": "folderOpen"
            }
        }
    ]
}

This requires a module entry point for pip-audit, which is implemented but unreleased.

This feature doesn't really fit into the linter integrations, as it's not specific to the current file.

Expectations:

  1. I can run an audit task on demand via the command palette
  2. Task is run on project open
  3. The audit task uses the currently-installed packages in the selected interpreter and reports against the vulnerability database
  4. Use of pip-audit not required, if other solutions are available
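
One way to get from the task above to the warning messages the opening post asks for, as an added example that is neither pip-audit's nor the extension's own code: it runs pip-audit as a module in the selected interpreter and flattens the `-f json` report into one warning line per advisory. The report layout (`dependencies` / `vulns` / `fix_versions`) and the placeholder advisory id in the sample are assumptions made for this example.

```python
import json
import subprocess
import sys
from typing import Any, Dict, List

# Assumed layout of pip-audit's "-f json" report (not checked against every
# release): {"dependencies": [{"name", "version", "vulns": [{"id",
# "fix_versions", "description"}]}], "fixes": [...]}

def run_pip_audit(python: str = sys.executable) -> str:
    """Run pip-audit as a module in the given interpreter (what
    ${command:python.interpreterPath} resolves to in the task above) and
    return its JSON report. pip-audit exits non-zero when it finds
    vulnerabilities, so the exit code is deliberately not treated as an error."""
    proc = subprocess.run([python, "-m", "pip_audit", "-f", "json"],
                          capture_output=True, text=True, check=False)
    return proc.stdout

def findings(report_json: str) -> List[Dict[str, Any]]:
    """Flatten the report to one record per (package, advisory) pair,
    skipping clean packages, sorted so repeated runs give stable output."""
    out: List[Dict[str, Any]] = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulns", []):
            out.append({"package": dep["name"], "version": dep["version"],
                        "id": vuln["id"],
                        "fix_versions": list(vuln.get("fix_versions", []))})
    return sorted(out, key=lambda f: (f["package"], f["id"]))

def format_warning(f: Dict[str, Any]) -> str:
    """One line per finding, shaped so a simple problemMatcher regex or an
    output channel can surface it: 'warning pkg==ver: ID (fix: ...)'."""
    fix = ", ".join(f["fix_versions"]) or "no fix available"
    return f"warning {f['package']}=={f['version']}: {f['id']} (fix: {fix})"

# Constructed sample report (placeholder advisory id, not real data) so the
# parsing path can be exercised offline without auditing an environment.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"name": "safe-pkg", "version": "1.0.0", "vulns": []},
    {"name": "old-pkg", "version": "0.1", "vulns": [
        {"id": "PYSEC-0000-EXAMPLE", "fix_versions": ["0.2"],
         "description": "constructed example advisory"}]}], "fixes": []})

if __name__ == "__main__":
    # Pass --live to audit the current interpreter instead of the sample.
    text = run_pip_audit() if "--live" in sys.argv[1:] else SAMPLE_REPORT
    for finding in findings(text):
        print(format_warning(finding))
```

Wired in as the task's `command`, the printed lines are what a `problemMatcher` would lift into the Problems panel; without `--live` the script only parses the embedded sample.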

karthiknadig commented 2 years ago

Thanks for the feature request! We are going to give the community 60 days from when this issue was created to provide 7 👍 upvotes on the opening comment to gauge general interest in this idea. If there's enough upvotes then we will consider this feature request in our future planning. If there's unfortunately not enough upvotes then we will close this issue.

woodruffw commented 2 years ago

One of the pip-audit authors here: thanks for looking into integrating this so rapidly! We're excited to see editors and IDEs use our tool!

brettcannon commented 2 years ago

Thank you to everyone who upvoted this issue! Since the community showed interest in this feature request we will leave this issue open as something to consider implementing at some point in the future.

We do encourage people to continue 👍 the first/opening comment as it helps us prioritize our work based on what the community seems to want the most.