Support custom PyPI registries in Dependency Scanning
Problem to solve
Allow custom PyPI registries to be used in Dependency Scanning by supporting the PIP_INDEX_URL and PIP_EXTRA_INDEX_URL environment variables.
Intended users
Proposal
- Add PIP_INDEX_URL and PIP_EXTRA_INDEX_URL to our vendored template to pass them down to the analyzers. See https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30704
- [-] leverage these variables in the gemnasium-python analyzer. These variables should be automatically leveraged by the pip command, no need for any addition in the analyzer's code.
Documentation
- add these variables to dependency scanning documentation. We probably need to specify that only the gemnasium-python analyzer is supporting this option. See https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30704
Testing
- find relevant test projects and make sure pipelines pass. Test manually by forcing these variables to wrong values, see https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/30704
What does success look like, and how can we measure that?
Customers can leverage custom PyPI registries.
What is the type of buyer?
Links / references
Edited by Fabien Catteau
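An added illustration, not code from the GitLab template, of why the variables have to be named in the template before pip inside the analyzer can see them. It assumes the job starts the analyzer container with `docker run` and an explicit allowlist of variable names; the helper names `propagate_env_vars` and `build_analyzer_args` and the sample URL are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the analyzer runs in a container started with
# `docker run`, so only variables named on the command line cross the boundary.

# Emit "--env NAME" for every allowlisted variable that is exported in the
# job environment. Only names are printed: `docker run --env NAME` copies the
# value from the caller's environment, so credentials embedded in an index
# URL never appear in the job log.
propagate_env_vars() {
  for name in "$@"; do
    if printenv "$name" >/dev/null 2>&1; then
      printf '%s %s ' --env "$name"
    fi
  done
}

# The allowlist: a variable missing from this list is silently dropped,
# which is the gap this issue closes for the two pip variables.
build_analyzer_args() {
  propagate_env_vars PIP_INDEX_URL PIP_EXTRA_INDEX_URL
}

# Constructed sample environment for a stand-alone run.
PIP_INDEX_URL="https://pypi.example.internal/simple"
export PIP_INDEX_URL
unset PIP_EXTRA_INDEX_URL
UNRELATED_SETTING="constructed-value"
export UNRELATED_SETTING

echo "docker run $(build_analyzer_args)<analyzer image>"
```

For the manual test described above, exporting a deliberately wrong `PIP_INDEX_URL` should make the analyzer's pip step fail; if the scan still succeeds, the variable did not reach the container.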