# welcome
Hi friends, I'm Dwayne in security for Color, a healthcare company. Anyone able to find open-source vulnerability scanners that fit snugly ;- with Pants? i.e., is mostly compatible with Pants
We're considering a workaround with an accommodating vendor, but wouldn't mind seeing other mature options.
hello! Pants has support for Bandit for Python already, which is a great tool
there's also been interest in hooking up with `pip-audit`. Imo the biggest issue there is trying to figure out how to model it, since it should never be cached unlike most linters -- you need to check every time for new advisories. I think @wide-midnight-78598 proposed an `audit` goal, which I liked
which tools are you interested in?
Awesome, about Bandit. I'll add that one to my list. One tool we're looking at is being transparent about being willing to develop a workaround for us.
Oh I just read the docs and am seeing Bandit being useful for 1st party code, not 3rd party libraries. Guess I'll need more luck.
Interesting! Does snyk have a cli interface for Pants to invoke? Trying to see how Pants would fit in
E.g., what the "normal" snyk workflow looks like
Yes, the tool has a CLI interface, but @rough-appointment-4678 is from the company in this room so he likely would describe the interface even more clearly.
That would be great
I can share the way we use GHA to run pip-audit by exporting the lock file and running pip-audit on it: https://gist.github.com/asherf/d969a96b03c45e114ca9303e77e49d61
Thanks that sounds useful! 😇
@happy-kitchen-89482 @polite-garden-50641 - Snyk CLI typically utilizes the underlying package manager to build a full transitive dependency graph to query against our API and report on vulnerabilities. In the case of python, we depend on something like `python -m pip install -r requirements.txt` to be run for us to analyze the packages installed and for us to understand the transitive dependency graph. With git integrations, Snyk parses the manifest files (requirements.txt, package.json, etc.) to build a dep graph and report on vulnerabilities.
With Bazel, a lot of prospects just utilize our API to provide a graph of vulnerabilities and to be returned a list of vulnerabilities. It isn't as ideal as the workflows via the CLI or git integrations unfortunately
Makes sense
Pants can provide that transitive graph a la pip
Can you point me to the relevant cli docs?
Yup! Happy to jump on a call to chat about it too. You'll want to create an account at app.snyk.io then install the snyk cli, authenticate by running `snyk auth`, then run something like `snyk test` on a project. Here's a link to our documentation further. And a link to some python specific stuff here and here
@polite-garden-50641 - does the script you share generate something w the format of a `requirements.txt` file?
yes.
with hashes (assuming you are using pant pex lock files https://www.pantsbuild.org/docs/python-third-party-dependencies#pex-vs-poetry-for-lockfile-generation). looks something like that: