Skip to main content

Utilities for integrating Phylum into CI pipelines

Project description

phylum-ci

PyPI PyPI - Status PyPI - Python Version GitHub GitHub issues GitHub last commit GitHub Workflow Status (branch) Contributor Covenant pre-commit Poetry Code style: black Downloads Discord

Utilities for integrating Phylum into CI pipelines

Installation and usage

Installation

The phylum Python package is pip installable for the environment of your choice:

pip install phylum

It can also be installed in an isolated environment with the excellent pipx tool:

# Globally install the app(s) on your system in an isolated virtual environment for the package
pipx install phylum

# Use the apps from the package in an ephemeral environment
pipx run --spec phylum phylum-init <options>
pipx run --spec phylum phylum-ci <options>

These installation methods require Python 3.9+ to run. For a self contained environment, consider using the Docker image as described below.

A Windows binary, phylum-ci.exe, is offered as a release artifact and does not require Python to run. Simply download the latest version and run it to access the same phylum-ci script entry point features.

Usage

The phylum Python package exposes its functionality with a command line interface (CLI). To view the options available from the CLI, print the help message from one of the scripts provided as entry points:

phylum-init -h
phylum-ci -h

The functionality can also be accessed by calling the module:

python -m phylum.init -h
python -m phylum.ci -h

The functionality is also exposed in the form of a Docker image:

# Get the `latest` tagged image
docker pull phylumio/phylum-ci

# View the help
docker run --rm phylumio/phylum-ci phylum-ci --help

# Export a Phylum token (e.g., from `phylum auth token`)
export PHYLUM_API_KEY=$(phylum auth token)

# Run it from a git repo directory containing at least one supported lockfile or manifest
docker run -it --rm -e PHYLUM_API_KEY --mount type=bind,src=$(pwd),dst=/phylum -w /phylum phylumio/phylum-ci

The default Docker image contains git and the installed phylum Python package. It also contains an installed version of the Phylum CLI and all required tools needed for lockfile generation. An advantage of using the default Docker image is that the complete environment is packaged and made available with components that are known to work together.

One disadvantage to the default image is it's size. It can take a while to download and may provide more tools than required for your specific use case. Special slim tags of the phylum-ci image are provided as an alternative. These tags differ from the default image in that they do not contain the required tools needed for lockfile generation (with the exception of the pip tool). The slim tags are significantly smaller and will allow integrations relying on them to complete faster. They are useful for those instances where no manifest files are present and/or only lockfiles are used.

# Get the "latest" `slim` tagged image
docker pull phylumio/phylum-ci:slim

When using the latest tagged image, the version of the Phylum CLI is the latest available. There are additional image tag options available to specify a specific release of the phylum-ci project and a specific version of the Phylum CLI, in the form of <phylum-ci version>-CLIv<Phylum CLI version>. Each of these also has a -slim variant that does not support lockfile generation. Here are image tag examples:

# Get the most current release of *both* `phylum-ci` and the Phylum CLI
docker pull phylumio/phylum-ci:latest

# Get the image with `phylum-ci` version 0.44.1 and Phylum CLI version 6.6.0
docker pull phylumio/phylum-ci:0.44.1-CLIv6.6.0

# Get the `slim` image with `phylum-ci` version 0.47.0 and Phylum CLI version 6.6.4
docker pull phylumio/phylum-ci:0.47.0-CLIv6.6.4-slim

phylum-init Script Entry Point

The phylum-init script can be used to fetch and install the Phylum CLI. It will attempt to install the latest released version of the CLI but can be specified to fetch a specific version. It will attempt to automatically determine the correct CLI release, based on the platform where the script is run, but a specific release target can be specified. It will accept a Phylum token from an environment variable or specified as an option, but will also function in the case that no token is provided. This can be because there is already a token set that should continue to be used or because no token exists and one will need to be manually created or set, after the CLI is installed.

The options for phylum-init, automatically updated to be current for the latest release:

HINT: Click on the image to bring up the SVG file, which should allow for search and copy/paste functionality.

phylum-init options

phylum-ci Script Entry Point

The phylum-ci script is for analyzing dependency file (lockfiles and manifests) changes. The script can be used locally or from within a Continuous Integration (CI) environment. It will attempt to detect the CI platform based on the environment from which it is run and act accordingly. The current CI platforms/environments supported are:

Platform/Environment Information Link
GitHub Actions Documentation
GitLab CI Documentation
Azure Pipelines Documentation
Bitbucket Pipelines Documentation
Jenkins Pipelines Documentation
Git pre-commit Hooks Documentation

There is also support for local use. This is the "fall-through" case used when no other environment is detected. This can be useful to analyze dependency files locally, prior to or after submitting a pull/merge request (PR/MR) to a CI system. It can also help in establishing a successful submission prior to submitting a PR/MR to a CI system. Additionally, local use can aid troubleshooting after submitting a PR/MR to a CI system and getting unexpected results.

The options for phylum-ci, automatically updated to be current for the latest release:

HINT: Click on the image to bring up the SVG file, which should allow for search and copy/paste functionality.

phylum-ci options

Exit Codes

The phylum-init script entry point will return a zero (0) exit code when it completes successfully and a one (1) otherwise.

The phylum-ci script entry point will return a zero (0) exit code when it completes successfully or one of the following non-zero codes otherwise:

Exit Code Meaning
1 Default failure code. An unrecoverable error was encountered.
2 Phylum analysis is complete and contains a policy violation.
6 Phylum analysis is incomplete and contains a policy violation.
10 Dependency file(s) failed filtering and excluded from analysis. See this FAQ for more.
11 No dependency files were provided or detected.
20 A manifest is attempted to be parsed but lockfile generation has been disabled.

License

Copyright (C) 2022 Phylum, Inc.

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License or any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/gpl.html or write to phylum@phylum.io or engineering@phylum.io

Contributing

Suggestions and help are welcome. Feel free to open an issue or otherwise contribute. More information is available on the contributing documentation page.

Code of Conduct

Everyone participating in the phylum-ci project, and in particular in the issue tracker and pull requests, is expected to treat other people with respect and more generally to follow the guidelines articulated in the Code of Conduct.

Security Disclosures

Found a security issue in this repository? See the security policy for details on coordinated disclosure.

Change log

All notable changes to this project are documented in the CHANGELOG.

The format of the change log is based on Keep a Changelog, and this project adheres to Semantic Versioning. The entries in the changelog are primarily automatically generated through the use of conventional commits and the Python Semantic Release tool. However, some entries may be manually edited, where it helps for clarity and understanding.

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

phylum-0.50.0.tar.gz (83.8 kB view details)

Uploaded Source

Built Distribution

phylum-0.50.0-py3-none-any.whl (91.2 kB view details)

Uploaded Python 3

File details

Details for the file phylum-0.50.0.tar.gz.

File metadata

  • Download URL: phylum-0.50.0.tar.gz
  • Upload date:
  • Size: 83.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.3 CPython/3.10.12 Linux/6.8.0-1014-azure

File hashes

Hashes for phylum-0.50.0.tar.gz
Algorithm Hash digest
SHA256 5bb0868df813e4bbb0db8508e8a1aab3bc5eab3b8e5f3cfb2fa18d434166c2b1
MD5 96c364b9dc35b1b46ae5dfda930c7c89
BLAKE2b-256 80fd9a15832325c0a94be48307b3712c5f58a670d12fbe6116a9ac7dbb1dc4c2

See more details on using hashes here.

File details

Details for the file phylum-0.50.0-py3-none-any.whl.

File metadata

  • Download URL: phylum-0.50.0-py3-none-any.whl
  • Upload date:
  • Size: 91.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.8.3 CPython/3.10.12 Linux/6.8.0-1014-azure

File hashes

Hashes for phylum-0.50.0-py3-none-any.whl
Algorithm Hash digest
SHA256 04041319565bcb203640ceb5d61cee682c60599ade7820cd87157cb978299661
MD5 5b2467258c2f41086c2b4de0991c443f
BLAKE2b-256 82c112816df446f40f6f46c8e98972d40bac6fef9f844426e42559541dff009f

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page