https://pantsbuild.org/ logo
Powered by
#welcome
Title
# welcome
e

echoing-dog-45865

10/07/2022, 10:47 PM
Hi friends, Am Dwayne in security for Color a healthcare company. Anyone able to find opensource vulnerability scanners that fit snugly ;- with Pants? i.e is mostly compatible with Pants
๐Ÿ‘‹ 4
We're considering a workaround with an accommodating vendor, but wouldn't mind seeing other mature options.
h

hundreds-father-404

10/07/2022, 10:53 PM
hello! Pants has support for Bandit for Python already, which is a great tool
๐Ÿ˜€ 1
๐Ÿ™๐Ÿพ 1
there's also been interest in hooking up with 
pip-audit
. Imo the biggest issue there is trying to figure out how to model it, since it should never be cached unlike most linters -- you need to check every time for new advisories. I think @wide-midnight-78598 proposed an 
audit
goal, which I liked
which tools are you interested in?
e

echoing-dog-45865

10/07/2022, 10:55 PM
Awesome, about Bandit. I'll add that one to my list. One tool we're looking at is being transparent about being willing to develop a workaround for us.
Oh I just read the docs and am seeing Bandit being useful for 1st party code, not 3rd party libraries. Guess I'll need more luck.
h

happy-kitchen-89482

10/08/2022, 1:24 AM
Interesting! Does snyk have a cli interface for Pants to invoke? Trying to see how Pants would fit in
E.g., what the โ€œnormalโ€ snyk workflow looks like
e

echoing-dog-45865

10/08/2022, 4:23 AM
Yes the tool has CLI interface, but @rough-appointment-4678 is from the company in this room so he likely would describe the interface even more clearly.
h

happy-kitchen-89482

10/09/2022, 6:45 AM
That would be great
p

polite-garden-50641

10/10/2022, 2:25 PM
I can share the way we use GHA to run pip-audit by exporting the lock file and running pip-audit on it: https://gist.github.com/asherf/d969a96b03c45e114ca9303e77e49d61
e

echoing-dog-45865

10/10/2022, 4:57 PM
Thanks that sounds useful! ๐Ÿ˜‡
r

rough-appointment-4678

10/11/2022, 4:56 PM
@happy-kitchen-89482 @polite-garden-50641 - Snyk CLI typically utilizes the underlying package manager to build a full transitive dependency graph to query against our API and report on vulnerabilities. In the case of python, we depend on something like 
python -m pip install -r requirements.txt
to be run for us to analyze the packages installed and for us to understand the transitive dependency graph. With git integrations, Snyk parses the manifest files (requirements.txt, package.json, etc.) to build a dep graph and report on vulnerabilities.
W Bazel, a lot of prospects just utilize our API to provide a graph of vulnerabilities and to be returned a list of vulnerabilities. It isn't as ideal as the workflows via the CLI or git integrations unfortunately
h

happy-kitchen-89482

10/11/2022, 4:57 PM
Makes sense
Pants can provide that transitive graph
a la pip
Can you point me to the relevant cli docs?
r

rough-appointment-4678

10/11/2022, 5:22 PM
Yup! Happy to jump on a call to chat about it too. You'll want to create an account at app.snyk.io then install the snyk cli, authenticate by running 
snyk auth
, then run something like 
snyk test
on a project. Here's a link to our documentation further. And a link to some python specific stuff here and here
@polite-garden-50641 - does the script you share generate something w the format of a 
requirements.txt
file?
p

polite-garden-50641

10/11/2022, 5:48 PM
yes.
with hashes (assuming you are using pant pex lock files https://www.pantsbuild.org/docs/python-third-party-dependencies#pex-vs-poetry-for-lockfile-generation). looks something like that:
4 Views
Powered by