A poetry plugin for establishing chain of trust
vet
Inspired by cargo-vet
Installation
Depending on how you installed poetry, you may need to install vet in a different way.
If you used the self-installer:
poetry self add vet
If you used pipx:
pipx inject poetry vet
If you used pip:
pip install vet
For more information and troubleshooting, see the poetry plugin installation docs.
Usage
Initialization
Initialize vet in your project:
poetry vet init
This will create a chain-of-trust directory in your project.
See the generated README for more information on how to configure vet.
Running checks
To audit your project dependencies, run:
poetry vet
Dependencies are trusted at one of two levels: safe to run or safe to deploy.
Upon initialization, all dependencies in the poetry.lock file are exempt, deemed safe to run.
To vet dependencies as safe to deploy, run:
poetry vet --safe-to-deploy
For an example of how to run vet in GitHub CI, see the ci.yml file in this repository.
Importing Audits
Modify the config.toml file as per the example in the generated README.
Then run:
poetry vet lock
This will download the audits from the trusted sources specified in the config.toml file and store them in the import.lock file.
Auditing
Audit dependencies manually by adding entries in the audits.toml file as per the example in the generated README.
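The trust logic the Usage sections describe (two trust levels, init-time exemptions taken from poetry.lock, local audits in audits.toml, imported audits in import.lock, and the stricter --safe-to-deploy check), as an added illustration in Python that is not vet's own code. The record layout, the version-pinned exemptions and the rule that safe-to-deploy implies safe-to-run are assumptions modelled on cargo-vet; vet's real audits.toml, config.toml and import.lock formats are documented in the generated README, and the lock contents and audit records below are constructed sample data.

```python
"""Illustrative model of a chain-of-trust check in the style of cargo-vet.

Added example; it is NOT vet's own code and does not parse vet's real
audits.toml / config.toml / import.lock formats. The record layout below
is an assumption chosen for illustration.
"""
from dataclasses import dataclass

# Trust levels in increasing strength; safe-to-deploy implies safe-to-run
# (assumption, as in cargo-vet).
LEVELS = {"safe-to-run": 1, "safe-to-deploy": 2}


@dataclass(frozen=True)
class Audit:
    """One audit or exemption: a package at an exact version is trusted up to
    `level`. `source` records who vouched (local audits file, an imported
    trusted source, or the init-time exemption)."""
    name: str
    version: str
    level: str
    source: str


def satisfied(records, name, version, required):
    """Return the strongest record covering (name, version) at or above the
    required level, or None when nothing vouches for that exact version."""
    need = LEVELS[required]
    best = None
    for r in records:
        if r.name == name and r.version == version and LEVELS[r.level] >= need:
            if best is None or LEVELS[r.level] > LEVELS[best.level]:
                best = r
    return best


def check_trust(locked, records, required="safe-to-run"):
    """Audit every locked dependency. Returns (ok, unvetted), where unvetted is
    a sorted list of "name==version" strings that no record covers."""
    unvetted = sorted(
        f"{name}=={version}"
        for name, version in locked
        if satisfied(records, name, version, required) is None
    )
    return (not unvetted, unvetted)


def initial_exemptions(locked):
    """Model of `poetry vet init`: every locked dependency is exempted as
    safe-to-run, pinned to the version present in the lock at that moment."""
    return [Audit(n, v, "safe-to-run", "exemption") for n, v in locked]


# Constructed sample lock contents (package, version); not a real poetry.lock.
LOCK_AT_INIT = [("requests", "2.31.0"), ("certifi", "2024.2.2"), ("idna", "3.6")]

# Constructed local audit (audits.toml) and imported audit (import.lock).
LOCAL_AUDITS = [Audit("requests", "2.31.0", "safe-to-deploy", "audits.toml")]
IMPORTED_AUDITS = [Audit("certifi", "2024.2.2", "safe-to-deploy", "import.lock:example-org")]

# Everything the checker consults: exemptions, then local and imported audits.
DEFAULT_RECORDS = initial_exemptions(LOCK_AT_INIT) + LOCAL_AUDITS + IMPORTED_AUDITS


def run_all(locked, records=DEFAULT_RECORDS):
    """Run the check at both levels; mirrors `poetry vet` and `poetry vet --safe-to-deploy`."""
    return {lvl: check_trust(locked, records, lvl) for lvl in LEVELS}


if __name__ == "__main__":
    # Right after init everything passes at safe-to-run; idna has only an
    # exemption, so it fails the safe-to-deploy check.
    print(run_all(LOCK_AT_INIT))
    # A lock update bumps idna. The exemption was pinned to 3.6, so 3.7 needs
    # a fresh audit before either check passes again.
    bumped = [("requests", "2.31.0"), ("certifi", "2024.2.2"), ("idna", "3.7")]
    print(run_all(bumped))
```

The point of pinning records to exact versions is that a routine `poetry lock` bump re-enters a package into the unvetted set, which is exactly the moment a reviewer wants to be forced to look at it.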
Background
This was thrown together in an afternoon; after the xz backdoor I thought we needed better visibility into our dependency trees.
Download files
File details
Details for the file vet-0.1.1.post4.tar.gz.
File metadata
- Download URL: vet-0.1.1.post4.tar.gz
- Upload date:
- Size: 46.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.8.2 CPython/3.12.2 Darwin/23.2.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | 22915579241cabbd429812c83287fc8867fa05e1c1cbbfdd8a9fbbc79582d565
MD5 | 3b86664b6c9438553db6303ed3a87b96
BLAKE2b-256 | 0fe484066397b7bcc90d6021383f9ec6b0ed77d7a16f732c92dc4d19a75aff8f
File details
Details for the file vet-0.1.1.post4-py3-none-any.whl.
File metadata
- Download URL: vet-0.1.1.post4-py3-none-any.whl
- Upload date:
- Size: 49.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.8.2 CPython/3.12.2 Darwin/23.2.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | f0a9cf28406c656b92f95da2bf182887d5f1a8586c4878308cedf36f55cf822c
MD5 | dbe8c4a1c44825936d8cfff1054486e2
BLAKE2b-256 | 1c342e74af29968a34d64e81d85d46722551a6b1ebbf93a4683a53e2705d8df7