A pre-commit hook to check your Python dependencies against safety-db.
It checks all files containing `requirements` in their name in the repo.
Releases details: CHANGELOG.md
Note that telemetry data will be sent with every Safety call. These data are anonymous and not sensitive. This includes the Python version, the Safety command used (check/license/review), and the Safety options used (without their values). Users can disable this functionality by adding the
```yaml
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: v1.3.1
  hooks:
  - id: python-safety-dependencies-check
```
How to Use Arguments
There are a few different arguments that this hook will accept.
The first is the `files` argument. Simply put which file your dependencies are listed in.
```yaml
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: v1.3.1
  hooks:
  - id: python-safety-dependencies-check
    files: pyproject.toml
```
The next is the `--ignore` flag. This will ignore a comma-separated list of known security issues. For example:
```yaml
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: v1.3.1
  hooks:
  - id: python-safety-dependencies-check
    args: ["--ignore=39153,39652"]
```
You can also select between `--short-report` and `--full-report`. By default safety will use the `--full-report` flag, so you can omit it for cleaner code.
```yaml
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: v1.3.1
  hooks:
  - id: python-safety-dependencies-check
    files: pyproject.toml
    args: ["--short-report"]
```
This will remove the extra detail about which vulnerability was fixed. This can be useful if multiple issues are found and you want to read through less text. Of course, these arguments can be used in any combination with each other as needed.
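As an added illustration (not the hook's own code), here is a simplified stand-in for a hook entry point showing how the arguments above map onto `safety check` flags: the `files` filter, the comma-separated `--ignore` list, and the `--short-report`/`--full-report` choice. It assumes pre-commit passes the staged file names as positional arguments and that `safety check` accepts `--ignore` once per vulnerability ID.

```python
"""Simplified stand-in for the hook's entry point (assumption: the real hook
differs in its details). Selects dependency files, translates the hook's
arguments into a `safety check` command line, and runs it per file."""
import argparse
import subprocess
import sys
from pathlib import PurePath


def select_dependency_files(paths, pattern="requirements"):
    """pre-commit hands the hook every staged file; keep only those whose
    file name contains `pattern` (the hook's default `files` filter)."""
    return [p for p in paths if pattern in PurePath(p).name]


def build_safety_command(file_path, ignore="", short_report=False):
    """Map the hook's arguments onto safety's own CLI flags."""
    cmd = ["safety", "check", "--file", file_path]
    # safety defaults to --full-report; --short-report drops the long text.
    cmd.append("--short-report" if short_report else "--full-report")
    # "--ignore=39153,39652" becomes one --ignore flag per vulnerability ID.
    for vuln_id in ignore.split(","):
        vuln_id = vuln_id.strip()
        if vuln_id:
            cmd += ["--ignore", vuln_id]
    return cmd


def main(argv=None):
    parser = argparse.ArgumentParser(description="safety pre-commit stand-in")
    parser.add_argument("--ignore", default="")
    parser.add_argument("--short-report", action="store_true")
    parser.add_argument("--full-report", action="store_true")  # accepted, default
    parser.add_argument("files", nargs="*")
    args = parser.parse_args(argv)
    rc = 0
    for dep_file in select_dependency_files(args.files):
        proc = subprocess.run(build_safety_command(dep_file, args.ignore, args.short_report))
        rc = max(rc, proc.returncode)  # any failing file fails the commit
    return rc


if __name__ == "__main__":
    sys.exit(main())
```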
For more information look at the pre-commit documentation. There you can find some more thorough examples.
You may for example want to use `always_run: true` in order to systematically run this hook, even when no dependency files have been modified.
Alternative local hook
You'll need to `pip install safety` beforehand:
```yaml
- repo: local
  hooks:
  - id: python-safety-dependencies-check
    name: safety
    entry: safety
    args: [check, --full-report, --file]
    language: system
    files: requirements
```
```shell
pip install -r dev-requirements.txt
pre-commit install
```
- Bump version in this
```shell
git commit -nam "Release $version" && git push && git tag $version && git push --tags
```
- Create a GitHub release