pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

Safety Authentication in the shell #525

Closed akshitadixit closed 3 days ago

akshitadixit commented 2 months ago

Description

I want to be able to use safety in my CI/CD pipeline but if safety auth is going to return a clickable browser authentication url, it will not be feasible. Is there any way to authenticate in the shell itself?

MichaIng commented 1 month ago

The SAFETY_API_KEY environment variable seems to work, or using the --key= CLI option: https://docs.safetycli.com/safety-docs/support/invalid-api-key-error#using-the-safety-api-key-in-safety-cli

yacine-harbi commented 4 weeks ago

--key works with safety check not safety scan if I'm not mistaken.

MichaIng commented 4 weeks ago

Here is an example in the docs where it is used with safety scan: https://docs.safetycli.com/safety-docs/output/detecting-vulnerabilities-and-sharing-results-via-email#command

Also the variable must work, since it is used in the official GitHub Action with safety scan: https://github.com/pyupio/safety-action/blob/main/entrypoint.sh

--stage cicd likely makes sense as well, but I could not find a hint about the exact effect of this. Probably it ignores the test environment and concentrates on the project (source code) and declared dependencies only, while otherwise it checks the current environment as well, interpreting it as the one the project is finally running in. Just an idea which somehow would make sense to me.

yacine-harbi commented 4 weeks ago

Thanks it's working now (I used --key=API_KEY not --key API_KEY). I had to add --stage cicd or I would get "Invalid value: 'api_key' auth type isn't allowed with the 'Stage.development' stage."

MichaIng commented 4 weeks ago

Okay, whatever this "development" stage shall be: Who is doing manual dependency vulnerability checks while coding? Documentation about all of this is missing, or not prominent enough, e.g. searching for stage in the docs does not lead to any other results than examples for --stage cicd usage.

So it is currently not possible to run safety scan without --stage cicd from a non-GUI console?

akshitadixit commented 3 days ago

Thank you so much for the help, forgot to reply promptly, but it worked 🥳
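The thread's resolution as a CI wrapper, added here as an example; it is not code from the safety project. It follows the two points established above: authenticate through the SAFETY_API_KEY environment variable (as the official GitHub Action does) and pass --stage cicd, since key-based auth is rejected under the default development stage. The SAFETY_DRY_RUN variable and the safety_ci_scan function name are assumptions made for this example; any extra arguments are passed through to safety scan unchanged.

```shell
#!/bin/sh
# Added example, not the safety project's own code.
# Runs `safety scan` non-interactively for CI/CD, the way this thread resolved it:
#   - the API key comes from SAFETY_API_KEY in the environment
#   - --stage cicd is required, because 'api_key' auth is refused for the development stage
# SAFETY_DRY_RUN=1 (hypothetical, for illustration and testing) prints the command instead
# of executing it, so the example runs without the safety binary or network access.

safety_ci_scan() {
    # Fail the step up front with a clear message instead of letting safety fall back
    # to a browser-based login URL that nothing in a pipeline can click.
    if [ -z "${SAFETY_API_KEY:-}" ]; then
        echo "error: SAFETY_API_KEY is not set; 'safety scan' would require browser authentication" >&2
        return 1
    fi

    # The key is read from the environment by safety itself, so it never appears in the
    # printed step command or in `ps` output the way a --key=... argument would.
    set -- safety scan --stage cicd "$@"

    if [ "${SAFETY_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
        return 0
    fi

    command -v safety >/dev/null 2>&1 || {
        echo "error: safety is not on PATH (pip install safety)" >&2
        return 127
    }
    # Non-zero exit from safety scan (findings or errors) propagates and fails the CI step.
    "$@"
}

# Usage from a pipeline step, with the key injected from the CI secret store:
#   SAFETY_API_KEY="$SAFETY_SECRET" safety_ci_scan
```

In GitHub Actions the key belongs in a repository secret exposed as an environment variable on the step (env: SAFETY_API_KEY: ${{ secrets.SAFETY_API_KEY }}), never inline in the command, so it is neither committed nor echoed in the job log.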