prefix-dev / pixi

Package management made easy
https://pixi.sh
BSD 3-Clause "New" or "Revised" License

Equivalent to `pip-audit`? #1361

Open asmith26 opened 4 months ago

asmith26 commented 4 months ago

Problem description

Hi,

Just wondering if there are any tools for pixi that work like pip-audit, or if there are plans to integrate such a tool directly into pixi?

For reference (from https://pypi.org/project/pip-audit/):

pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database (https://github.com/pypa/advisory-database) via the PyPI JSON API as a source of vulnerability reports.

Thanks!

ruben-arts commented 4 months ago

Hey @asmith26, we sure are discussing this. It would be best for integration purposes if someone (most likely a company) comes to help us with this in the form of an integration partner, as these features are hard to build without proper third-party testing and validation.

If this is something you could help with please let us know!

That said, with conda-forge/pixi we do have the ability to do this very well, as we know where and how things are built (conda-forge) and the lock-file describes the packages in extreme detail. So this is not an unsolvable problem. An SBOM is just an extra step in the generation process.
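As an added example (not pixi's or pip-audit's code), here is the matching step such a lock-file audit would perform: the (name, version) pairs of locked PyPI packages compared against advisories in the OSV schema the PyPA advisory-database publishes. The advisory, its ID and the package names are constructed placeholders, and the lock-file parsing is assumed to have already produced the package list.

```python
"""Offline audit of locked PyPI packages against OSV-format advisories (added example, not
pixi's or pip-audit's code; the advisory, its ID and the package names are constructed)."""
import re

ADVISORIES = [{  # one constructed advisory in the OSV schema the PyPA advisory-database uses
    "id": "PYSEC-0000-EXAMPLE",  # placeholder, not a real advisory ID
    "affected": [{"package": {"ecosystem": "PyPI", "name": "Example-Lib"},  # placeholder
                  "ranges": [{"type": "ECOSYSTEM",
                              "events": [{"introduced": "0"}, {"fixed": "2.3.1"}]}]}],
}]
# Constructed stand-in for the (name, version) pairs read from a lock-file's pypi entries.
LOCKED_PYPI = [("example_lib", "2.2.0"), ("harmless-pkg", "1.0")]

def normalize(name):
    """PEP 503 normalisation so 'Example_Lib' and 'example-lib' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def version_key(v):
    """Sort key for simple PEP 440 versions: release tuple, then pre < final < post."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v)
    release = tuple(int(p) for p in m.group(1).split("."))
    while len(release) > 1 and release[-1] == 0:  # 2.3.0 compares equal to 2.3
        release = release[:-1]
    suffix = m.group(2)
    pre = 0 if re.match(r"^[.\-]?(a|b|rc|dev)", suffix) else (1 if suffix == "" else 2)
    return (release, pre, suffix)

def in_range(vk, events):
    """Walk OSV events in order: 'introduced' opens an interval, 'fixed'/'last_affected' closes it."""
    lower = None
    for ev in events:
        if "introduced" in ev:
            lower = ev["introduced"]
        elif lower is not None and ("fixed" in ev or "last_affected" in ev):
            lo_ok = lower == "0" or version_key(lower) <= vk
            hi_ok = vk < version_key(ev["fixed"]) if "fixed" in ev else vk <= version_key(ev["last_affected"])
            if lo_ok and hi_ok:
                return True
            lower = None
    return lower is not None and (lower == "0" or version_key(lower) <= vk)  # no fix yet: open-ended

def audit(packages, advisories=ADVISORIES):
    """Return (name, version, advisory_id) for every locked package an advisory covers."""
    findings = []
    for name, version in packages:
        for adv in advisories:
            for aff in adv["affected"]:
                pkg = aff.get("package", {})
                if pkg.get("ecosystem") != "PyPI" or normalize(pkg["name"]) != normalize(name):
                    continue
                if version in aff.get("versions", []) or any(in_range(version_key(version), r["events"])
                        for r in aff.get("ranges", []) if r.get("type") == "ECOSYSTEM"):
                    findings.append((name, version, adv["id"]))
    return findings
```

Running `audit(LOCKED_PYPI)` flags the 2.2.0 entry and clears the 1.0 one; a release candidate of the fixed version (2.3.1rc1) still sorts below the fix and is reported.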