Hi friends, Am Dwayne in security for <Color> a he...
# welcome
Hi friends, Am Dwayne in security for Color a healthcare company. Anyone able to find opensource vulnerability scanners that fit snugly ;- with Pants? i.e is mostly compatible with Pants
๐Ÿ‘‹ 4
We're considering a workaround with an accommodating vendor, but wouldn't mind seeing other mature options.
hello! Pants has support for Bandit for Python already, which is a great tool
๐Ÿ˜€ 1
๐Ÿ™๐Ÿพ 1
there's also been interest in hooking up with
. Imo the biggest issue there is trying to figure out how to model it, since it should never be cached unlike most linters -- you need to check every time for new advisories. I think @wide-midnight-78598 proposed an
goal, which I liked
which tools are you interested in?
Awesome, about Bandit. I'll add that one to my list. One tool we're looking at is being transparent about being willing to develop a workaround for us.
Oh I just read the docs and am seeing Bandit being useful for 1st party code, not 3rd party libraries. Guess I'll need more luck.
Interesting! Does snyk have a cli interface for Pants to invoke? Trying to see how Pants would fit in
E.g., what the โ€œnormalโ€ snyk workflow looks like
Yes the tool has CLI interface, but @rough-appointment-4678 is from the company in this room so he likely would describe the interface even more clearly.
That would be great
I can share the way we use GHA to run pip-audit by exporting the lock file and running pip-audit on it: https://gist.github.com/asherf/d969a96b03c45e114ca9303e77e49d61
Thanks that sounds useful! ๐Ÿ˜‡
@happy-kitchen-89482 @polite-garden-50641 - Snyk CLI typically utilizes the underlying package manager to build a full transitive dependency graph to query against our API and report on vulnerabilities. In the case of python, we depend on something like
python -m pip install -r requirements.txt
to be run for us to analyze the packages installed and for us to understand the transitive dependency graph. With git integrations, Snyk parses the manifest files (requirements.txt, package.json, etc.) to build a dep graph and report on vulnerabilities.
W Bazel, a lot of prospects just utilize our API to provide a graph of vulnerabilities and to be returned a list of vulnerabilities. It isn't as ideal as the workflows via the CLI or git integrations unfortunately
Makes sense
Pants can provide that transitive graph
a la pip
Can you point me to the relevant cli docs?
Yup! Happy to jump on a call to chat about it too. You'll want to create an account at app.snyk.io then install the snyk cli, authenticate by running
snyk auth
, then run something like
snyk test
on a project. Here's a link to our documentation further. And a link to some python specific stuff here and here
@polite-garden-50641 - does the script you share generate something w the format of a
with hashes (assuming you are using pant pex lock files https://www.pantsbuild.org/docs/python-third-party-dependencies#pex-vs-poetry-for-lockfile-generation). looks something like that: