Add backend for pip-audit #16288
Add backend for pip-audit #16288
Conversation
| ) | ||
| requirements_digest = await Get( | ||
| Digest, | ||
| CreateDigest([FileContent("requirements.txt", requirements_str.encode())]), |
There was a problem hiding this comment.
Not sure if this file will cause collisions in Pants' cache when multiple partitions are used or if the build root has a file with the same name?
There was a problem hiding this comment.
Thanks so much for prototyping this! Extremely useful functionality.
This PR raises some big design questions for Pants:
- Should this live in
checkorlint? According to Slack discussion led by @thejcannon and me last week, we think that the definition ofcheckshould likely be "lightest form of compilation, or type checking". Everything else islint. So, this should belinttechnically -- but that's annoying to run this heavy-weight thing every time you do./pants lint ::... - This runs on individual targets, and it will also leave off transitive dependencies + hashes like you mention. Really, what I think we want to run on is the entire lockfile for a resolve.
The simplest way we could do this is a goal like experimental-pip-audit, which similar to generate-lockfiles does not take Specs and instead has a --resolve option (with default to all).
But we should decide if we want pip-audit to live instead in a goal like lint or check? We could so something like "running on one target belonging to a resolve -> check the whole resolve".
Note that others have requested things like #15723. There is demand for a "resolve-specific lint/check interface"
| class SkipPipAuditField(BoolField): | ||
| alias = "skip_pip_audit" | ||
| default = False | ||
| help = "If true, don't run pip-audit on this target's code." |
There was a problem hiding this comment.
| help = "If true, don't run pip-audit on this target's code." | |
| help = "If true, don't run pip-audit on this requirement." |
|
Can we maybe look into optional goals? So a goal only appears if you have installed a relevant plugin? In that case I could see an It's not a fast code-related-tool goal, but a heavier metadata-and-friends goal. Audit your deps, maybe do expensive code scanning, etc... |
We have that already :) pants/src/python/pants/core/goals/test.py Lines 310 to 312 in 40e1790 |
|
|
[ci skip-rust] [ci skip-build-wheels]
# Rust tests and lints will be skipped. Delete if not intended. [ci skip-rust] # Building wheels and fs_util will be skipped. Delete if not intended. [ci skip-build-wheels]
# Rust tests and lints will be skipped. Delete if not intended. [ci skip-rust] # Building wheels and fs_util will be skipped. Delete if not intended. [ci skip-build-wheels]
This PR adds a backend for pip-audit during the
checkgoal.Fixes #13770.