pypa / pip-audit

Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
https://pypi.org/project/pip-audit/
Apache License 2.0
940 stars 62 forks

Provide environment variables for CLI option defaults #754

Closed bittner closed 1 month ago

bittner commented 3 months ago

What's the problem this feature will solve?

Currently, we can only use command line options to configure behavior of pip-audit. There is no way to configure its behavior once and retain the configuration for follow-up runs.

Describe the solution you'd like

Every CLI option should have its default value configurable via an environment variable (following an easy-to-remember naming scheme). Using a CLI option should take precedence over any such value.

This way, in a terminal one could use export PIP_AUDIT_...=.... In the YAML file of popular CI systems one could set environment variables in the respective ENVIRONMENT section or similar.

Example Implementation

import argparse
import os

parser = argparse.ArgumentParser()
# The environment variable, if set, becomes the default; an explicit CLI option still takes precedence.
parser.add_argument("-f", "--format", default=os.environ.get("PIP_AUDIT_FORMAT", "columns"))
parser.add_argument("-o", "--output", default=os.environ.get("PIP_AUDIT_OUTPUT", "stdout"))
parser.add_argument("--progress-spinner", default=os.environ.get("PIP_AUDIT_PROGRESS_SPINNER", "on"))
parser.add_argument("--timeout", default=os.environ.get("PIP_AUDIT_TIMEOUT", "15"))

Additional context

This suggestion would be complementary to #694, but quicker, easier and more straightforward to implement as it is without the complexity of reading a configuration file.

woodruffw commented 3 months ago

Thanks for the feature request @bittner!

I have no objection to environment variables for fallbacks here, with two qualifications:

  1. We should probably only do this for flags that are "solely" pip-audit flags, i.e. not ones that overlap with pip. For flags that overlap with pip, we should respect whatever environment variables pip already respects (we might do this transitively already).
  2. We probably don't want environmental defaults for things like -r requirements.txt, since having those kinds of inputs passed via the environment makes the overall command's behavior harder to diagnose (especially in bug reports). Instead, it should only be for "knob" inputs, i.e. bools, selections, ints.
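The following is an added illustration, not code from pip-audit or from either participant. It sketches the precedence rule proposed in the issue (explicit CLI option over PIP_AUDIT_* environment variable over built-in default) together with both qualifications above: only "knob" options (a selection, a bool and an int) read the environment, while the -r input stays CLI-only. The PIP_AUDIT_ prefix, the option set and the StrictParser class are assumptions made for this example. It also covers a caveat the sketch in the issue does not: argparse does not check a string default against choices, so an unexpected environment value would otherwise be accepted silently; here it is validated and rejected instead.

```python
"""Hypothetical sketch of environment-variable defaults for argparse "knob" options.

Not pip-audit's own code. Assumed naming scheme: option --foo-bar falls back to
PIP_AUDIT_FOO_BAR. Precedence: CLI option > environment variable > built-in default.
"""
import argparse
import os
import sys
from typing import Callable, Mapping, Optional, Sequence, Tuple

ENV_PREFIX = "PIP_AUDIT_"  # assumed prefix for this example
FORMATS = ("columns", "json", "cyclonedx-json")  # constructed selection set


def env_default(option: str, fallback: str, env: Mapping[str, str]) -> str:
    """Return PIP_AUDIT_<OPTION> if it is set in `env`, else the built-in fallback."""
    return env.get(ENV_PREFIX + option.upper().replace("-", "_"), fallback)


def parse_bool(value: str) -> bool:
    """Accept on/off style spellings; anything else fails loudly rather than
    silently flipping the knob because of a typo in the environment."""
    lowered = value.strip().lower()
    if lowered in {"on", "true", "1", "yes"}:
        return True
    if lowered in {"off", "false", "0", "no"}:
        return False
    raise argparse.ArgumentTypeError(f"expected on/off, got {value!r}")


def one_of(allowed: Sequence[str]) -> Callable[[str], str]:
    """Build a `type` callable that enforces a selection. Needed because argparse
    applies `type` to a string default but never checks a default against `choices`,
    so an environment value would bypass the choices check without this."""
    def convert(value: str) -> str:
        if value not in allowed:
            raise argparse.ArgumentTypeError(f"{value!r} is not one of {', '.join(allowed)}")
        return value
    return convert


class StrictParser(argparse.ArgumentParser):
    """Raise instead of calling sys.exit so callers can inspect a bad value."""

    def error(self, message: str):  # argparse calls this for every parse error
        raise ValueError(message)


def build_parser(env: Optional[Mapping[str, str]] = None) -> argparse.ArgumentParser:
    env = os.environ if env is None else env
    parser = StrictParser(prog="pip-audit-example")
    # Selection knob: env value is validated by `type`, CLI value additionally by `choices`.
    parser.add_argument("-f", "--format", type=one_of(FORMATS), choices=FORMATS,
                        default=env_default("format", "columns", env))
    # Bool knob: argparse runs `type` over the string default, so the env value is validated too.
    parser.add_argument("--progress-spinner", type=parse_bool,
                        default=env_default("progress-spinner", "on", env))
    # Int knob: int("abc") raises ValueError, which argparse reports as an argument error.
    parser.add_argument("--timeout", type=int, default=env_default("timeout", "15", env))
    # Input knob: deliberately has NO environment fallback (qualification 2 above).
    parser.add_argument("-r", "--requirement", action="append", default=[])
    return parser


def parse(argv: Sequence[str], env: Optional[Mapping[str, str]] = None) -> argparse.Namespace:
    """Parse `argv` with defaults drawn from `env` (os.environ when None)."""
    return build_parser(env).parse_args(list(argv))


def try_parse(argv: Sequence[str], env: Optional[Mapping[str, str]] = None
              ) -> Tuple[Optional[argparse.Namespace], Optional[str]]:
    """Return (namespace, None) on success or (None, error message) on a bad value."""
    try:
        return parse(argv, env), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(parse(sys.argv[1:]))
```

Running the block with PIP_AUDIT_FORMAT=json in the environment and no arguments yields format="json"; passing --format columns on the command line wins over that environment value; PIP_AUDIT_FORMAT=bogus is rejected with an argument error instead of being accepted as a default.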
bittner commented 3 months ago

@woodruffw I sympathize with your reasoning. It requires more care and effort, though, w.r.t. documenting the CLI options.

I started a PR that adds a few environment variables for overriding the CLI option defaults. I'd be happy if you could verify whether the ones you thought should be used are covered, and those you didn't want covered are omitted.

woodruffw commented 3 months ago

I started a PR that adds a few environment variables for overriding the CLI option defaults. I'd be happy if you could verify whether the ones you thought should be used are covered, and those you didn't want covered are omitted.

Awesome, thank you! I'll take a look in a bit.