Poetry plugin for checking security vulnerabilities in dependencies
Project description
Poetry Audit Plugin
Poetry plugin for checking security vulnerabilities in dependencies based on safety.
$ poetry audit
Scanning 19 packages...
• ansible-runner installed 1.1.2 affected <1.3.1 CVE PVE-2021-36995
• ansible-tower-cli installed 3.1.8 affected <3.2.0 CVE CVE-2020-1733
• jinja2 installed 2.0 affected <2.11.3 CVE CVE-2020-28493
3 vulnerabilities found
Installation
The easiest way to install the audit plugin is via the self add command of Poetry.
poetry self add poetry-audit-plugin
If you used pipx to install Poetry you can add the plugin via the pipx inject command.
pipx inject poetry poetry-audit-plugin
Otherwise, if you used pip to install Poetry you can add the plugin packages via the pip install command.
pip install poetry-audit-plugin
Available options
--json: Export the result in JSON format.
poetry audit --json
--ignore-code: Ignore some vulnerabilities IDs. Receive a list of IDs. For example:
poetry audit --ignore-code=CVE-2022-42969,CVE-2020-10684
--ignore-package: Ignore some packages. Receive a list of packages. For example:
poetry audit --ignore-package=ansible-tower-cli
--proxy-protocol,--proxy-host,--proxy-port: Proxy to access Safety DB. For example:
poetry audit --proxy-protocol=http --proxy-host=localhost --proxy-port=3128
--cache-sec: How long Safety DB can be cached locally. For example:
poetry audit --cache-sec=60
--db: Path to a local or remote vulnerability database of Safety. For example:
poetry audit --db=/path/to/safety.json
Exit codes
poetry audit will exit with a code indicating its status.
0: Vulnerabilities were not found.1: One or more vulnerabilities were found.- Others: Something wrong happened.
Develop poetry-audit-plugin
You can read this document to setup an environment to develop poetry-audit-plugin.
First step is to install Poetry. Please read official document and install Poetry in your machine.
Then, you can install dependencies of poetry-audit-plugin and activate the environment with the following command.
poetry install
source .venv/bin/activate
Once you've done it, you can start developing poetry-audit-plugin. You can use test assets for the testing.
cd tests/assets/no_vulnerabilities_project
poetry audit
Please lint, format, and test your changes before creating pull request to keep the quality.
./scripts/lint.sh
./scripts/format.sh
./scripts/test.sh
Contribution
Help is always appreciated. Please feel free to create issue and pull request!
License
This project is licensed under the terms of the MIT license.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file poetry_audit_plugin-1.0.0.tar.gz.
File metadata
- Download URL: poetry_audit_plugin-1.0.0.tar.gz
- Upload date:
- Size: 7.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.2.1 CPython/3.12.12 Linux/6.11.0-1018-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6810aa9859769bb75ae4b1657b21eaafe111d9f89782eaf5ed686356d2ab67e6
|
|
| MD5 |
35679d1110bfcd14fe0c6573f0bfa37b
|
|
| BLAKE2b-256 |
22de7bbf41ef8354f858959c637bdf11a82b716cd2de4fd845c054b4fa225782
|
File details
Details for the file poetry_audit_plugin-1.0.0-py3-none-any.whl.
File metadata
- Download URL: poetry_audit_plugin-1.0.0-py3-none-any.whl
- Upload date:
- Size: 9.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.2.1 CPython/3.12.12 Linux/6.11.0-1018-azure
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a5ea8e39834e47619ff85ddb9805400ed7bef89307b1887b5b18500cb0a2d258
|
|
| MD5 |
fa674b547bfcd860dbe4dd53c53f542b
|
|
| BLAKE2b-256 |
d5d9ec82728eceeccb36ade9e09b325afa380fd23e14fa1dfc6e51370b7152f6
|
