{"id":18989158,"url":"https://github.com/phylum-dev/phylum-ci","last_synced_at":"2025-04-22T11:09:22.397Z","repository":{"id":37797852,"uuid":"472912934","full_name":"phylum-dev/phylum-ci","owner":"phylum-dev","description":"Python package for handling CI and other integrations","archived":false,"fork":false,"pushed_at":"2025-04-14T19:17:18.000Z","size":2540,"stargazers_count":10,"open_issues_count":8,"forks_count":1,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-14T20:25:42.596Z","etag":null,"topics":["actions","ci","ci-cd","cicd","integrations","package","phylum","python"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/phylum-dev.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"docs/security.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-03-22T19:41:20.000Z","updated_at":"2025-04-14T19:17:21.000Z","dependencies_parsed_at":"2023-12-18T16:56:33.659Z","dependency_job_id":"2eafb935-5a07-4102-9937-4aec3ee9190a","html_url":"https://github.com/phylum-dev/phylum-ci","commit_stats":{"total_commits":305,"total_committers":10,"mean_commits":30.5,"dds":0.5737704918032787,"last_synced_commit":"6e3d99c822f95452ca282ea0fc0f5a18f708ab17"},"previous_names":[],"tags_count":72,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phylum-dev%2Fphylum-ci","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phylum-dev%2Fphylum-ci/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/phylum-dev%2Fphylum-ci/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/phylum-dev%2Fphylum-ci/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/phylum-dev","download_url":"https://codeload.github.com/phylum-dev/phylum-ci/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250228205,"owners_count":21395956,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","ci","ci-cd","cicd","integrations","package","phylum","python"],"created_at":"2024-11-08T17:05:27.950Z","updated_at":"2025-04-22T11:09:22.360Z","avatar_url":"https://github.com/phylum-dev.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# phylum-ci\n\n[![PyPI](https://img.shields.io/pypi/v/phylum)](https://pypi.org/project/phylum/)\n![PyPI - Status](https://img.shields.io/pypi/status/phylum)\n[![PyPI - Python Version](https://img.shields.io/pypi/pyversions/phylum)](https://pypi.org/project/phylum/)\n[![GitHub](https://img.shields.io/github/license/phylum-dev/phylum-ci)][license]\n[![GitHub issues](https://img.shields.io/github/issues/phylum-dev/phylum-ci)][issues]\n![GitHub last commit](https://img.shields.io/github/last-commit/phylum-dev/phylum-ci)\n[![GitHub Workflow Status (branch)][workflow_shield]][workflow_test]\n[![Contributor 
Covenant](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)][CoC]\n[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)][pre-commit]\n[![Poetry](https://img.shields.io/endpoint?url=https://python-poetry.org/badge/v0.json)][poetry]\n[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)][black]\n[![Downloads](https://static.pepy.tech/badge/phylum/month)][downloads]\n[![Discord](https://img.shields.io/discord/1070071012353376387?logo=discord)][discord_invite]\n\nUtilities for integrating Phylum into CI pipelines\n\n[license]: https://github.com/phylum-dev/phylum-ci/blob/main/LICENSE\n[issues]: https://github.com/phylum-dev/phylum-ci/issues\n[workflow_shield]: https://img.shields.io/github/actions/workflow/status/phylum-dev/phylum-ci/test.yml?branch=main\u0026label=tests\u0026logo=GitHub\n[workflow_test]: https://github.com/phylum-dev/phylum-ci/actions/workflows/test.yml\n[CoC]: https://github.com/phylum-dev/phylum-ci/blob/main/CODE_OF_CONDUCT.md\n[pre-commit]: https://github.com/pre-commit/pre-commit\n[poetry]: https://python-poetry.org/\n[black]: https://github.com/psf/black\n[downloads]: https://pepy.tech/project/phylum\n[discord_invite]: https://discord.gg/Fe6pr5eW6p\n\n## Installation and usage\n\n### Installation\n\nThe `phylum` Python package is pip installable for the environment of your choice:\n\n```sh\npip install phylum\n```\n\nIt can also be installed in an isolated environment with the excellent [`pipx` tool][pipx]:\n\n```sh\n# Globally install the app(s) on your system in an isolated virtual environment for the package\npipx install phylum\n\n# Use the apps from the package in an ephemeral environment\npipx run --spec phylum phylum-init \u003coptions\u003e\npipx run --spec phylum phylum-ci \u003coptions\u003e\n```\n\nThese installation methods require Python 3.10+ to run.\nFor a self-contained environment, consider using the Docker image as described below.\n\nWindows 
binaries are offered as [release artifacts][latest_rels] for a \"standalone\" solution that does not require\nPython or Docker to run. There are two options for this installation method:\n\n* `phylum-ci.zip`\n  * [Download the latest archive version][latest_zip] and extract it\n  * Add the extracted directory to `PATH` or reference the contained `phylum-ci.exe` binary directly\n* `phylum-ci.exe`\n  * [Download the latest executable version][latest_exe] and place this binary on `PATH` or reference it directly\n  * This is a self-extracting executable that adds a version-specific directory in the local user cache\n\nAn advantage to the self-extracting archive is that it is a single file.\nA disadvantage is that the file may trigger AV since it uses a packer and is not digitally signed.\n\nEither Windows \"installation\" method allows access to the same [`phylum-ci` script entry point features][anchor_script].\n\n[pipx]: https://pypa.github.io/pipx/\n[latest_rels]: https://github.com/phylum-dev/phylum-ci/releases/latest\n[latest_zip]: https://github.com/phylum-dev/phylum-ci/releases/latest/download/phylum-ci.zip\n[latest_exe]: https://github.com/phylum-dev/phylum-ci/releases/latest/download/phylum-ci.exe\n[anchor_script]: #phylum-ci-script-entry-point\n\n### Usage\n\nThe `phylum` Python package exposes its functionality with a command line interface (CLI).\nTo view the options available from the CLI, print the help message from one of the scripts provided as entry points:\n\n```sh\nphylum-init -h\nphylum-ci -h\n```\n\nThe functionality can also be accessed by calling the module:\n\n```sh\npython -m phylum.init -h\npython -m phylum.ci -h\n```\n\nThe functionality is also exposed in the form of a Docker image:\n\n```sh\n# Get the `latest` tagged image\ndocker pull phylumio/phylum-ci\n\n# View the help\ndocker run --rm phylumio/phylum-ci phylum-ci --help\n\n# Export a Phylum token (e.g., from `phylum auth token`)\nexport PHYLUM_API_KEY=$(phylum auth token)\n\n# Run it 
from a git repo directory containing at least one supported lockfile or manifest\ndocker run -it --rm -e PHYLUM_API_KEY --mount type=bind,src=$(pwd),dst=/phylum -w /phylum phylumio/phylum-ci\n```\n\nThe default Docker image contains `git` and the installed `phylum` Python package.\nIt also contains an installed version of the Phylum CLI and all required tools needed for [lockfile generation].\nAn advantage of using the default Docker image is that the complete environment is packaged and made available with\ncomponents that are known to work together.\n\nOne disadvantage to the default image is its size. It can take a while to download and may provide more tools than\nrequired for your specific use case. Special `slim` tags of the `phylum-ci` image are provided as an alternative.\nThese tags differ from the default image in that they do not contain the required tools needed for [lockfile generation]\n(with the exception of the `pip` tool). The `slim` tags are significantly smaller and will allow integrations relying\non them to complete faster. They are useful for those instances where *no* manifest files are present and/or *only*\nlockfiles are used.\n\n```sh\n# Get the \"latest\" `slim` tagged image\ndocker pull phylumio/phylum-ci:slim\n```\n\nWhen using the `latest` tagged image, the version of the Phylum CLI is the `latest` available.\nThere are additional image tag options available to specify a specific release of the `phylum-ci` project and a specific\nversion of the Phylum CLI, in the form of `\u003cphylum-ci version\u003e-CLIv\u003cPhylum CLI version\u003e`.\nEach of these also has a `-slim` variant that does not support [lockfile generation]. 
Here are image tag examples:\n\n```sh\n# Get the most current release of *both* `phylum-ci` and the Phylum CLI\ndocker pull phylumio/phylum-ci:latest\n\n# Get the image with `phylum-ci` version 0.44.1 and Phylum CLI version 6.6.0\ndocker pull phylumio/phylum-ci:0.44.1-CLIv6.6.0\n\n# Get the `slim` image with `phylum-ci` version 0.47.0 and Phylum CLI version 6.6.4\ndocker pull phylumio/phylum-ci:0.47.0-CLIv6.6.4-slim\n```\n\n[lockfile generation]: https://docs.phylum.io/cli/lockfile_generation\n\n#### `phylum-init` Script Entry Point\n\nThe `phylum-init` script can be used to fetch and install the Phylum CLI.\nIt will attempt to install the latest released version of the CLI but can be specified to fetch a specific version.\nIt will attempt to automatically determine the correct CLI release, based on the platform where the script is run, but\na specific release target can be specified.\nIt will accept a Phylum token from an environment variable or specified as an option, but will also function in the case\nthat no token is provided. 
This can be because there is already a token set that should continue to be used or because\nno token exists and one will need to be manually created or set, after the CLI is installed.\n\nThe options for `phylum-init`, automatically updated to be current for the latest release:\n\n\u003e **HINT:** Click on the image to bring up the SVG file, which should allow for search and copy/paste functionality.\n\n![phylum-init options](https://raw.githubusercontent.com/phylum-dev/phylum-ci/main/docs/img/phylum-init_options.svg)\n\n#### `phylum-ci` Script Entry Point\n\nThe `phylum-ci` script is for analyzing dependency file (lockfiles and manifests) changes.\nThe script can be used locally or from within a Continuous Integration (CI) environment.\nIt will attempt to detect the CI platform based on the environment from which it is run and act accordingly.\nThe current CI platforms/environments supported are:\n\n|Platform/Environment|Information Link|\n|--------------------|---------------------|\n|GitHub Actions|[Documentation][github_docs]|\n|GitLab CI|[Documentation][gitlab_docs]|\n|Azure Pipelines|[Documentation][azure_docs]|\n|Bitbucket Pipelines|[Documentation][bb_pipelines_docs]|\n|Jenkins Pipelines|[Documentation][jenkins_docs]|\n|Git `pre-commit` Hooks|[Documentation][precommit_docs]|\n\nThere is also support for local use. This is the \"fall-through\" case used when no other environment is detected.\nThis can be useful to analyze dependency files locally, prior to or after submitting a pull/merge request (PR/MR) to a\nCI system. 
It can also help in establishing a successful submission prior to submitting a PR/MR to a CI system.\nAdditionally, local use can aid troubleshooting after submitting a PR/MR to a CI system and getting unexpected results.\n\nThe options for `phylum-ci`, automatically updated to be current for the latest release:\n\n\u003e **HINT:** Click on the image to bring up the SVG file, which should allow for search and copy/paste functionality.\n\n![phylum-ci options](https://raw.githubusercontent.com/phylum-dev/phylum-ci/main/docs/img/phylum-ci_options.svg)\n\n[github_docs]: https://docs.phylum.io/phylum-ci/github_actions\n[gitlab_docs]: https://docs.phylum.io/phylum-ci/gitlab_ci\n[azure_docs]: https://docs.phylum.io/phylum-ci/azure_pipelines\n[bb_pipelines_docs]: https://docs.phylum.io/phylum-ci/bitbucket_pipelines\n[jenkins_docs]: https://docs.phylum.io/phylum-ci/jenkins\n[precommit_docs]: https://docs.phylum.io/phylum-ci/git_precommit\n\n### Exit Codes\n\nThe `phylum-init` script entry point will return a zero (0) exit code when it completes successfully and a one (1)\notherwise.\n\nThe `phylum-ci` script entry point will return a zero (0) exit code when it completes successfully or one of the\nfollowing non-zero codes otherwise:\n\n|Exit Code|Meaning|\n|---------|-------|\n|1|Default failure code. An unrecoverable error was encountered.|\n|2|Phylum analysis is complete and contains a policy violation.|\n|5|Phylum analysis is incomplete. Only used when enabled [by option][script_options].|\n|6|Phylum analysis is incomplete and contains a policy violation.|\n|10|Dependency file(s) failed filtering and were excluded from analysis. See [this FAQ][FAQ] for more.|\n|11|No dependency files were provided or detected.|\n|12|No dependencies found in any current dependency file.|\n|20|Parsing a manifest was attempted but lockfile generation has been disabled.|\n\nExit codes of 10 or higher represent situations not directly linked to Phylum analysis. 
These errors are important\nbecause they indicate a complete Phylum analysis was not possible, which necessitates further investigation. An\n[option is available][script_options] to explicitly prevent these errors from setting an exit code.\n\n[script_options]: #phylum-ci-script-entry-point\n[FAQ]: https://github.com/marketplace/actions/phylum-analyze-pr#why-does-phylum-report-a-failing-status-check-if-it-shows-successful-analysis\n\n## License\n\nCopyright (C) 2022  Phylum, Inc.\n\nThis program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public\nLicense as published by the Free Software Foundation, either version 3 of the License or any later version.\n\nThis program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied\nwarranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.\n\nYou should have received a copy of the GNU General Public License along with this program.\nIf not, see \u003chttps://www.gnu.org/licenses/gpl.html\u003e or write to `phylum@veracode.com` or\n`dl-phylum-engineering@veracode.com`\n\n## Contributing\n\nSuggestions and help are welcome. Feel free to open an issue or otherwise contribute.\nMore information is available on the [contributing documentation][contributing] page.\n\n[contributing]: https://github.com/phylum-dev/phylum-ci/blob/main/CONTRIBUTING.md\n\n## Code of Conduct\n\nEveryone participating in the `phylum-ci` project, and in particular in the issue tracker and pull requests, is\nexpected to treat other people with respect and more generally to follow the guidelines articulated in the\n[Code of Conduct][CoC].\n\n## Security Disclosures\n\nFound a security issue in this repository? 
See the [security policy][security]\nfor details on coordinated disclosure.\n\n[security]: https://github.com/phylum-dev/phylum-ci/blob/main/docs/security.md\n\n## Change log\n\nAll notable changes to this project are documented in the [CHANGELOG][changelog].\n\nThe format of the change log is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),\nand this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).\nThe entries in the changelog are primarily automatically generated through the use of\n[conventional commits](https://www.conventionalcommits.org) and the\n[Python Semantic Release](https://python-semantic-release.readthedocs.io/en/latest/index.html) tool.\nHowever, some entries may be manually edited, where it helps for clarity and understanding.\n\n[changelog]: https://github.com/phylum-dev/phylum-ci/blob/main/CHANGELOG.md\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphylum-dev%2Fphylum-ci","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fphylum-dev%2Fphylum-ci","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fphylum-dev%2Fphylum-ci/lists"}