pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
https://pypi.org/project/pip-audit/
Apache License 2.0

--trusted-host or --cert as in pip itself #345

Open ZeerDonker opened 2 years ago

ZeerDonker commented 2 years ago

Is your feature request related to a problem? Please describe.

Private repositories might have alternative certificates. Using an extra or alternative index, such as with --extra-index-url of pip-audit, might thus fail if pip-audit can't find that.

Describe the solution you'd like

Pip itself has the following optional arguments it can use. Pip-audit having the same functionality would be nice.

--trusted-host: Mark this host or host:port pair as trusted, even though it does not have valid or any HTTPS.

--cert: Path to PEM-encoded CA certificate bundle. If provided, overrides the default. See 'SSL Certificate Verification' in pip documentation for more information.

woodruffw commented 2 years ago

Thanks for the feature request!

Yes, I think we ultimately want to support this functionality -- pip-audit should accept most of the same index/mirror flags as pip, in part so that our eventual integration with pip (#335) is as smooth as possible.

woodruffw commented 2 years ago

(That being said, we should also make sure that people understand that completely overriding the default package index doesn't change the fact that pip-audit uses pypi.org for vulnerability results, since those requests are not standardized by any current PEP.)

rawouter commented 1 year ago

Is this one still on the roadmap? I'm running into this issue as we're running with a mirror index in a Kubernetes cluster which is using a cluster address.

woodruffw commented 1 year ago

It's still planned, but we don't currently have anybody allocated to work on it. Now that we use pip as our backend for everything, it should be pretty easy to do, however 🙂

If you feel like taking a stab at this, we would greatly appreciate it! Otherwise, we can't guarantee a timeline for it.