
https://github.com/lucas-c/pre-commit-hooks-safety

A pre-commit hook to check your Python dependencies against safety-db

git-hooks pre-commit python safety-db security




README


[![build status](https://github.com/Lucas-C/pre-commit-hooks-safety/workflows/build/badge.svg)](https://github.com/Lucas-C/pre-commit-hooks-safety/actions?query=branch%3Amaster)

A [pre-commit](http://pre-commit.com) hook to check your Python dependencies against [safety-db](//github.com/pyupio/safety-db).

It checks all files containing `requirements` in their name in the repo.

Releases details: [CHANGELOG.md](CHANGELOG.md)

Note that **telemetry data will be sent with every Safety call**. These data are anonymous and not sensitive. This includes the Python version, the Safety command used (check/license/review), and the Safety options used (without their values). Users can disable this functionality by adding the `--disable-optional-telemetry` flag.

## Usage
```yaml
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: v1.4.0
  hooks:
  - id: python-safety-dependencies-check
```

## How to Use Arguments
There are a few different arguments that this hook will accept.

The first is the `files` argument. Simply put the file in which your dependencies are listed.
```yaml
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: v1.4.0
  hooks:
  - id: python-safety-dependencies-check
    files: pyproject.toml
```
The next is the `--ignore` flag. It takes a comma-separated list of known security issue IDs to ignore. For example:
```yaml
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: v1.4.0
  hooks:
  - id: python-safety-dependencies-check
    args: ["--ignore=39153,39652"]
```
The `--groups` flag allows you to select additional dependency groups, other than the implicit main group. An example:
```yaml
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: v1.4.0
  hooks:
  - id: python-safety-dependencies-check
    args: ["--groups=dev,test"]
```
You can also select between `--full-report` and `--short-report`. By default, safety uses `--full-report`, so you can omit that flag for a cleaner configuration.
```yaml
- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
  rev: v1.4.0
  hooks:
  - id: python-safety-dependencies-check
    files: pyproject.toml
    args: ["--short-report"]
```
`--short-report` removes the extra detail about which vulnerability was fixed in which version. This can be useful when multiple issues are found and you want less text to read through.
Of course, these arguments can be combined with each other as needed.

For more information look at the [pre-commit](https://pre-commit.com/#passing-arguments-to-hooks) documentation. There you can find some more thorough examples.
You may for example want to use `always_run: true` in order to systematically run this hook, even when no dependency files have been modified.

## Supported files

`requirements` files are supported with any ending (e.g. .txt) and you can pass multiple files to be checked.

`pyproject.toml` files are only supported with a single file per invocation. If you have subpackages with one `pyproject.toml` in each, you need to invoke the hook multiple times.

Currently [`poetry`](https://python-poetry.org/) is the only supported package manager for `pyproject.toml` files.
When using a `pyproject.toml` file you need to have [`poetry`](https://python-poetry.org/) in your `PATH`, and have at least version 1.2 installed, as well as [`poetry-plugin-export`](https://python-poetry.org/docs/cli/#export).

A mix of both file types is not supported.
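To make the argument handling above and the file rules in this section concrete, here is an added example (not the hook's own code) that models how `--ignore=`, `--groups=` and the report flags, together with the files pre-commit passes in, map onto `poetry export` and `safety check` invocations. The exact command shape, the `exported-requirements.txt` path and the assumption that filenames arrive after the options are illustrative assumptions.

```python
# Added example, not the hook's own implementation: a model of how this
# hook's options and "Supported files" rules turn into the underlying
# `poetry export` and `safety check` commands. Command shape is assumed.
from typing import List, Sequence


def parse_hook_args(argv: Sequence[str]) -> dict:
    """Separate the hook's options from the filenames pre-commit appends."""
    opts = {"ignore": [], "groups": [], "report": "--full-report", "files": []}
    for arg in argv:
        if arg.startswith("--ignore="):  # comma-separated vulnerability IDs
            opts["ignore"] += [i for i in arg.split("=", 1)[1].split(",") if i]
        elif arg.startswith("--groups="):  # extra dependency groups (poetry)
            opts["groups"] += [g for g in arg.split("=", 1)[1].split(",") if g]
        elif arg in ("--full-report", "--short-report"):
            opts["report"] = arg
        else:
            opts["files"].append(arg)
    return opts


def build_commands(argv: Sequence[str],
                   export_path: str = "exported-requirements.txt") -> List[List[str]]:
    """Return the commands to run, enforcing the 'Supported files' rules."""
    opts = parse_hook_args(argv)
    pyprojects = [f for f in opts["files"] if f.endswith("pyproject.toml")]
    reqs = [f for f in opts["files"] if "requirements" in f]
    if pyprojects and reqs:
        raise ValueError("mixing requirements files and pyproject.toml is not supported")
    if len(pyprojects) > 1:
        raise ValueError("one pyproject.toml per invocation; run the hook once per package")
    if not pyprojects and not reqs:
        raise ValueError("no dependency file matched")
    commands: List[List[str]] = []
    if pyprojects:
        # poetry >= 1.2 plus poetry-plugin-export must be on PATH; groups beyond
        # the implicit main group are selected with --with (assumed invocation).
        export = ["poetry", "export", "--output", export_path]
        if opts["groups"]:
            export[2:2] = ["--with", ",".join(opts["groups"])]
        commands.append(export)
        reqs = [export_path]  # safety then scans the exported requirements
    safety = ["safety", "check", opts["report"]]
    for vuln_id in opts["ignore"]:  # safety's --ignore takes one ID at a time
        safety += ["--ignore", vuln_id]
    for path in reqs:
        safety += ["--file", path]
    commands.append(safety)
    return commands
```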

## Alternative local hook
You'll need to `pip install safety` beforehand:
```yaml
- repo: local
  hooks:
  - id: python-safety-dependencies-check
    name: safety
    entry: safety
    args: [check, --full-report, --file]
    language: system
    files: requirements
```

## Development

### Setup

```bash
pip install -U -r dev-requirements.txt
pre-commit install
```

### Releasing

1. Bump the version in `setup.py`, `.pre-commit-config.yaml`, in a new section in `CHANGELOG.md`, and in all occurrences of `rev:` in this `README.md` file.
2. `git commit -nam "Release $version" && git push && git tag $version && git push --tags`
3. Create a GitHub release