GitHub Community

python CVE scanning #14099

Answered by jhutchings1

mcandre asked this question in Code Security

python CVE scanning #14099

Apr 2, 2022

· 1 comments · 1 reply

Answered by jhutchings1 Return to top

mcandre
Apr 2, 2022

There's a FOSS CLI tool for this called "safety". dependabot should start scanning Python projects for CVE's.

Check both requirements.txt and requirements-dev.text.

Answered by jhutchings1

Thanks for your suggestion. Dependabot already supports Python today. We don't alert on requirements-dev, but we do support requirements.txt. https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems

View full answer

Replies: 1 comment 1 reply

jhutchings1
Apr 11, 2022

Thanks for your suggestion. Dependabot already supports Python today. We don't alert on requirements-dev, but we do support requirements.txt. https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph#supported-package-ecosystems

1 reply

mcandre Apr 11, 2022
Author

The request is for requirements-dev.txt. This ensures that buildtime environments remain free of malware.

Answer selected by jhutchings1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment