GitHub Python dependency check practical details

In July 2018, GitHub enabled Python dependency graph security checks of the kind it had previously used successfully for Ruby and JavaScript. This functionality does NOT scan your code for security issues. Rather, the MITRE CVE List is checked against the dependencies declared in your GitHub repo.

What GitHub scans for Python dependencies

A key initial limitation of GitHub’s checks, which we believe GitHub could remove with trivial upgrades on its part, is that as of this writing GitHub only looks at requirements.txt and Pipfile.lock for dependencies. setup.py is partially supported by GitHub’s security scan, but is not yet reliable as of this writing. The problem is that Python projects can specify dependencies by several other means, and dependencies declared only there are never matched against the CVE List.

Notes

  • requirements.txt is not used by many popular Python packages.
  • Pipfile.lock generation currently requires a separate installation of pipenv.
  • setup.cfg is part of setuptools, which essentially every Python user has from the factory.
  • setup.cfg can nearly entirely replace setup.py.
  • We have asked GitHub to do the trivial parsing of setup.cfg install_requires.
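As an added example (not part of the original post, and not GitHub's or setuptools' code): a small script that reads install_requires and extras_require from setup.cfg and writes them out in the requirements.txt form that GitHub's dependency graph already parses, so a setup.cfg-only project still gets its dependencies matched against the CVE List. The sample setup.cfg is constructed, and the function names are this example's own.

```python
"""Hypothetical helper: emit setup.cfg dependencies as requirements.txt content.
The sample setup.cfg below is constructed for demonstration."""
import configparser
from typing import Dict, List

SAMPLE_SETUP_CFG = """
[metadata]
name = example-project

[options]
python_requires = >=3.6
install_requires =
    numpy >= 1.15
    requests==2.19.1
    scipy; python_version >= "3.6"

[options.extras_require]
tests =
    pytest
"""

def _split_multiline(value: str) -> List[str]:
    """Split a multi-line setup.cfg value into non-empty, stripped requirement strings."""
    return [line.strip() for line in value.splitlines() if line.strip()]

def parse_install_requires(cfg_text: str) -> List[str]:
    """Return [options] install_requires as a list of PEP 508 requirement strings."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep '%' in markers literal
    cfg.read_string(cfg_text)
    if not cfg.has_option("options", "install_requires"):
        return []
    return _split_multiline(cfg.get("options", "install_requires"))

def parse_extras_require(cfg_text: str) -> Dict[str, List[str]]:
    """Return [options.extras_require] as {extra_name: [requirement, ...]}."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    if not cfg.has_section("options.extras_require"):
        return {}
    return {k: _split_multiline(v) for k, v in cfg.items("options.extras_require")}

def to_requirements_txt(cfg_text: str, include_extras: bool = True) -> str:
    """Render the declared dependencies as requirements.txt content, one per line."""
    reqs = list(parse_install_requires(cfg_text))
    if include_extras:  # extras (e.g. test tooling) are also worth CVE-matching
        for extra_reqs in parse_extras_require(cfg_text).values():
            reqs.extend(r for r in extra_reqs if r not in reqs)
    return "\n".join(reqs) + "\n"
```

Writing the returned string to requirements.txt alongside setup.cfg (and regenerating it whenever setup.cfg changes) is enough for GitHub's scan to see the packages.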

Written by Michael Hirsch, Ph.D.