Closed stephendonner closed 5 years ago
Can I get some context on this switch? Our secops team has preferred pyup in the past
pyup.io doesn't have full support for Pipfile.lock, so it will update a dependency without considering transient dependency version/platform restraints. As we're using pipenv and Pipfiles, Dependabot provides a more robust and complete solution.
I checked with secops and they have no issue with this change, but respectfully ask if you would also do as described here: https://pipenv.readthedocs.io/en/latest/advanced/#generating-a-requirements-txt
@ckolos I don't have a problem with that request, sure.
Questions:
1) Can you point to an example where this is done for a Mozilla project? Just trying to get a sense of the workflow.
2) Do you want the resulting requirements.txt in-tree?
3) Generated before merge time of PRs, such as these, which change requirements/dependencies, and then checked in alongside the Pipfile/Pipfile.lock?
Thanks again!
I'm curious why this is being asked for? We're not using a requirements.txt, so what purpose would this fulfil? Also, as pipenv does not include hashes in generated requirements files, the resulting requirements file would be less secure than the Pipfile.lock, which includes all hashes.
Sec-wise Dependabot is preferable for this feature: https://dependabot.com/blog/automatically-respond-to-security-advisories/
Secops will run the pyup CLI tool in a jenkins security job and surface any relevant warnings. For that job and to have github's sec. alerts, it would be handy if they could sync and check in the requirements file: https://pipenv.readthedocs.io/en/latest/advanced/#generating-a-requirements-txt
This is what I've been told when asking about enabling this over pyup. I will 302 to secops should you have any objections.
No objections. The requirements.txt can be generated using pipenv lock --requirements, and this can be passed to pyup's safety check tool as pipenv lock --requirements | safety check. We could add this as a pre-commit hook, or add it to Travis/Circle CI. If secops would prefer to run this, it should already be possible with pipenv available. Let us know how you'd like us to proceed.
r? @davehunt @tarekziade
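The thread makes two points worth seeing in code: the hashes that an unhashed requirements export drops are already present in Pipfile.lock, and pip's hash-checking mode is all-or-nothing, so a requirements file handed to a scanner or to pip should be checked for complete hash coverage. The script below is an added example written for this page; it is not part of the project's code and does not use pipenv's own exporter. It parses a constructed Pipfile.lock fragment (the sha256 digests are placeholder strings, not the real hashes of those releases) and renders it both without hashes and with `--hash` options, then checks that every requirement line is hashed. The function names `lock_to_requirements` and `all_requirements_hashed` are this example's own.

```python
"""Emit pip requirements from a Pipfile.lock, keeping the sha256 hashes."""
import json

# Constructed Pipfile.lock fragment for this example. The digests are
# placeholders (repeated hex characters), not real hashes of these releases.
SAMPLE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "0" * 64}, "pipfile-spec": 6},
    "default": {
        "requests": {
            "hashes": ["sha256:" + "a" * 64, "sha256:" + "b" * 64],
            "index": "pypi",
            "version": "==2.22.0",
        },
        "certifi": {
            "hashes": ["sha256:" + "c" * 64],
            "index": "pypi",
            "markers": "python_version >= '2.7'",
            "version": "==2019.9.11",
        },
    },
    "develop": {
        "pytest": {
            "hashes": ["sha256:" + "d" * 64, "sha256:" + "e" * 64],
            "index": "pypi",
            "version": "==5.2.1",
        },
    },
})


def lock_to_requirements(lock_text, include_hashes=True, sections=("default",)):
    """Render the pinned packages of a Pipfile.lock as requirements.txt lines.

    include_hashes=False gives a plain pin list (what an unhashed export
    looks like); include_hashes=True appends one --hash option per digest
    recorded in the lock, the form pip's hash-checking mode expects.
    """
    lock = json.loads(lock_text)
    lines = []
    for section in sections:
        for name, spec in sorted(lock.get(section, {}).items()):
            version = spec.get("version")
            if version is None:
                # VCS/editable entries carry no "version" pin; this example
                # does not handle them, so skip rather than emit a bad line.
                continue
            line = f"{name}{version}"
            if spec.get("markers"):
                line += f" ; {spec['markers']}"
            if include_hashes:
                for digest in spec.get("hashes", []):
                    line += f" --hash={digest}"
            lines.append(line)
    return "\n".join(lines) + "\n"


def all_requirements_hashed(req_text):
    """True if every requirement line carries at least one --hash option.

    pip's hash-checking mode is all-or-nothing: a single unhashed
    requirement makes pip refuse the whole install, so a CI gate should
    verify coverage before the file is used.
    """
    for raw in req_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and option lines such as "-i <index url>".
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        if "--hash=" not in line:
            return False
    return True


if __name__ == "__main__":
    print("# unhashed export:")
    print(lock_to_requirements(SAMPLE_LOCK, include_hashes=False))
    print("# hashed export, usable with pip's --require-hashes:")
    print(lock_to_requirements(SAMPLE_LOCK))
```

Run it as-is to see the two exports side by side; pass `sections=("default", "develop")` to include the dev packages as well. Hashes are emitted on the same line as the pin so that `all_requirements_hashed` can check coverage line by line without handling backslash continuations.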