-
-
Notifications
You must be signed in to change notification settings - Fork 606
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add backend for pip-audit #16288
base: main
Are you sure you want to change the base?
Add backend for pip-audit #16288
Conversation
) | ||
requirements_digest = await Get( | ||
Digest, | ||
CreateDigest([FileContent("requirements.txt", requirements_str.encode())]), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if this file will cause collisions in Pants' cache when multiple partitions are used or if the build root has a file with the same name?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks so much for prototyping this! Extremely useful functionality.
This PR raises some big design questions for Pants:
- Should this live in
check
orlint
? According to Slack discussion led by @thejcannon and me last week, we think that the definition ofcheck
should likely be "lightest form of compilation, or type checking". Everything else islint
. So, this should belint
technically -- but that's annoying to run this heavy-weight thing every time you do./pants lint ::
... - This runs on individual targets, and it will also leave off transitive dependencies + hashes like you mention. Really, what I think we want to run on is the entire lockfile for a resolve.
The simplest way we could do this is a goal like experimental-pip-audit
, which similar to generate-lockfiles
does not take Specs
and instead has a --resolve
option (with default to all).
But we should decide if we want pip-audit to live instead in a goal like lint
or check
? We could so something like "running on one target belonging to a resolve -> check the whole resolve".
Note that others have requested things like #15723. There is demand for a "resolve-specific lint/check interface"
class SkipPipAuditField(BoolField): | ||
alias = "skip_pip_audit" | ||
default = False | ||
help = "If true, don't run pip-audit on this target's code." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
help = "If true, don't run pip-audit on this target's code." | |
help = "If true, don't run pip-audit on this requirement." |
Can we maybe look into optional goals? So a goal only appears if you have installed a relevant plugin? In that case I could see an It's not a fast code-related-tool goal, but a heavier metadata-and-friends goal. Audit your deps, maybe do expensive code scanning, etc... |
We have that already :) pants/src/python/pants/core/goals/test.py Lines 310 to 312 in 40e1790
|
[ci skip-rust] [ci skip-build-wheels]
# Rust tests and lints will be skipped. Delete if not intended. [ci skip-rust] # Building wheels and fs_util will be skipped. Delete if not intended. [ci skip-build-wheels]
# Rust tests and lints will be skipped. Delete if not intended. [ci skip-rust] # Building wheels and fs_util will be skipped. Delete if not intended. [ci skip-build-wheels]
This PR adds a backend for pip-audit during the
check
goal.Fixes #13770.