Today, the pip-audit tool was released on PyPI. It's a Python tool that uses the Python Packaging Advisory Database (or alternative databases) to check for known vulnerabilities in 3rd-party dependencies.
This would be a useful tool to be able to run against a Pants repo -- a new goal could scan for known vulnerabilities in dependency chains across multiple languages, as the tooling becomes available for those languages.
Seems like this can fit into check (not lint). Probably run directly on python_requirement targets so you can do something like ./pants check 3rdparty/python::
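To make concrete what a dependency-audit "check" goal would actually do, here is a small self-contained Python example (added here; it is not pip-audit's code and not part of Pants). It parses a pinned requirements file, matches each pin against a constructed advisory list, and returns a non-zero status when anything is affected, which is the shape a CI gate needs. The advisory records, their `EXAMPLE-*` ids and the `introduced`/`fixed` range fields are constructed for illustration, loosely mirroring the event-range style of the PyPA/OSV advisory data; the tuple-based version comparison is a simplification of real PEP 440 ordering and is an assumption of this example.

```python
"""Toy advisory check in the spirit of pip-audit.

Added example, not pip-audit's or Pants' own code. Reads exact pins,
matches them against a constructed advisory list, and reports findings
the way a CI "check" goal would fail on them.
"""
import re

# Constructed sample input: a pinned requirements file as a CI job would see it.
REQUIREMENTS = """\
requests==2.19.0
urllib3==1.26.5
# comment lines and blank lines are ignored
pyyaml==6.0
"""

# Constructed advisories with fake ids. The introduced/fixed fields are an
# assumption modelled on OSV-style range events: affected if
# introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-2018-0001", "package": "requests", "introduced": "0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-2021-0002", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5"},
]


def parse_version(v):
    """Numeric tuple ordering; a simplification of PEP 440 (assumption)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def normalize_name(name):
    """Project names compare case-insensitively, with '_' and '-' equivalent."""
    return name.lower().replace("_", "-")


def parse_requirements(text):
    """Return {normalized_name: version} for exact '==' pins only."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)", line)
        if not m:
            # Ranges and URLs are not resolved here; a real audit checks the
            # resolved lockfile, not loose specifiers.
            raise ValueError(f"only exact pins are audited here: {line!r}")
        pins[normalize_name(m.group(1))] = m.group(2)
    return pins


def is_affected(version, advisory):
    """True when version falls in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def audit(pins, advisories):
    """Return sorted (package, version, advisory_id, fixed_in) findings."""
    findings = []
    for adv in advisories:
        ver = pins.get(normalize_name(adv["package"]))
        if ver is not None and is_affected(ver, adv):
            findings.append((adv["package"], ver, adv["id"], adv["fixed"]))
    return sorted(findings)


def main():
    """Print findings and return a process status a CI check can act on."""
    findings = audit(parse_requirements(REQUIREMENTS), ADVISORIES)
    for pkg, ver, vid, fixed in findings:
        print(f"{pkg}=={ver}: {vid} (fixed in {fixed})")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a script it prints one finding (`requests==2.19.0`) and exits 1; `urllib3==1.26.5` is exactly the fixed version and so is not reported, which is the half-open range boundary a real advisory matcher must get right.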