Dependency scanning for Python should support files other than just requirements.txt
Problem to solve
Our teams use requirements files that can be named like `requirements/production.txt`, and so on. These seem to be impossible to scan with dependency scanning currently.
Add a way to specify all the requirements files from a repo. Not sure how, exactly.
Update the gemnasium-python analyzer to read the `PIP_REQUIREMENTS_FILE` (name to be confirmed) environment variable and use the file it points to as the source of dependencies to scan.
- Update the vendored template `Dependency-Scanning.gitlab-ci.yml` to pass this variable down from the job to the analyzer.
- Add this new option to https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#available-variables. It might be worth splitting out analyzer-specific variables as we've done for SAST: https://docs.gitlab.com/ee/user/application_security/sast/index.html#analyzer-settings
This can be tested against our python-pip test projects (there might be others too).
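As an added illustration (not gemnasium-python's code and not part of this issue), here is a small Python sketch of the file-selection and parsing logic the proposal asks for. It assumes the variable is named `PIP_REQUIREMENTS_FILE` as proposed above (still to be confirmed), falls back to `requirements.txt` when the variable is unset, refuses paths that escape the project checkout, fails loudly when the file is missing instead of producing an empty report, and follows `-r` includes, which layouts like `requirements/production.txt` usually rely on. The project tree it reads is constructed inline as sample input.

```python
import os
import re
import tempfile
from pathlib import Path

# Variable name proposed in the issue; marked "to be confirmed" there, so an assumption here.
REQUIREMENTS_ENV_VAR = "PIP_REQUIREMENTS_FILE"
DEFAULT_REQUIREMENTS = "requirements.txt"

# Minimal requirement line: name, optional extras, optional version specifier.
_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([<>=!~].*)?$")


def select_requirements_file(project_dir, env=None):
    """Pick the requirements file to scan: env override first, then requirements.txt.

    A missing file raises instead of silently scanning nothing, so a typo in the
    variable fails the job visibly rather than yielding an empty (green) report.
    """
    env = os.environ if env is None else env
    root = Path(project_dir).resolve()
    name = env.get(REQUIREMENTS_ENV_VAR, DEFAULT_REQUIREMENTS)
    candidate = (root / name).resolve()
    # Refuse anything outside the checkout (e.g. "../../etc/passwd").
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"{REQUIREMENTS_ENV_VAR} must point inside the project: {name!r}")
    if not candidate.is_file():
        raise FileNotFoundError(f"requirements file not found: {candidate}")
    return candidate


def parse_requirements(path, _seen=None):
    """Return {normalized_name: version_spec} from a requirements file, following -r includes."""
    path = Path(path).resolve()
    _seen = set() if _seen is None else _seen
    if path in _seen:  # guard against a.txt -> b.txt -> a.txt include cycles
        return {}
    _seen.add(path)
    deps = {}
    for raw in path.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith(("-r ", "--requirement ")):
            # Includes are relative to the including file, which is how pip resolves them.
            included = path.parent / line.split(None, 1)[1].strip()
            deps.update(parse_requirements(included, _seen))
            continue
        if line.startswith("-"):  # other pip options (-e, --index-url, ...) are not dependencies
            continue
        m = _REQ_LINE.match(line.split(";", 1)[0])  # ignore environment markers
        if m:
            name = m.group(1).lower().replace("_", "-")  # normalize the way pip does
            deps[name] = (m.group(3) or "").replace(" ", "")
    return deps


def build_demo_project():
    """Create a throwaway project tree with constructed requirements files (sample input only)."""
    root = Path(tempfile.mkdtemp(prefix="ds-demo-"))
    (root / "requirements").mkdir()
    (root / "requirements" / "base.txt").write_text("Django==3.2  # constructed\nsix\n")
    (root / "requirements" / "production.txt").write_text(
        "-r base.txt\n"
        "requests~=2.0.0\n"
        "pyyaml >= 5.4, < 6\n"
        "--index-url https://example.invalid/simple\n"
    )
    (root / "requirements.txt").write_text("-r requirements/base.txt\n")
    return root


if __name__ == "__main__":
    root = build_demo_project()
    for env in ({}, {REQUIREMENTS_ENV_VAR: "requirements/production.txt"}):
        chosen = select_requirements_file(root, env)
        print(chosen.relative_to(root), parse_requirements(chosen))
```

Run stand-alone it prints the dependency set for the default file and for the overridden one; the second includes the `requests~=2.0.0` line that the success criterion below expects a finding for.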
What does success look like, and how can we measure that?
A repo that installs `requests=~2.0.0` as specified in `any.txt` should have a security issue reported by GitLab.