Dependency scanning for Python should support files other than just requirements.txt
Problem to solve
Our teams use requirements files that can be named like: build-requirements.txt, test-requirements.txt, docs-requirements.txt, py2-requirements.txt, requirements/production.txt, and so on. These seem to be impossible to scan with dependency scanning currently.
Further details
Proposal
Add a way to specify all the requirements files from a repo. Not sure how, exactly.
Implementation plan
- Update the gemnasium-python analyzer to use the PIP_REQUIREMENTS_FILE (to be confirmed) env variable and use it as the source of dependencies to scan.
- Update the vendored template Dependency-Scanning.gitlab-ci.yml to pass this variable down from the job to the analyzer.
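To illustrate the analyzer-side half of the plan, here is an added example (not gemnasium-python's own code) that selects the requirements file from the proposed PIP_REQUIREMENTS_FILE variable, falls back to requirements.txt, and parses the file while following `-r` includes; the variable name is the one proposed above and still to be confirmed, and the sample project it builds is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

DEFAULT_REQUIREMENTS = "requirements.txt"
# Proposed variable name from this issue (marked "to be confirmed" there).
REQUIREMENTS_VAR = "PIP_REQUIREMENTS_FILE"

# "name" followed by an optional version specifier, e.g. "requests~=2.0.0".
_SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$")


def select_requirements_file(env, project_dir):
    """Honour PIP_REQUIREMENTS_FILE (relative to the project), else requirements.txt."""
    name = env.get(REQUIREMENTS_VAR) or DEFAULT_REQUIREMENTS
    path = Path(project_dir) / name
    if not path.is_file():
        raise FileNotFoundError(f"{REQUIREMENTS_VAR} points at a missing file: {path}")
    return path


def parse_requirements(path, seen=None):
    """Return {package: specifier} for a pip requirements file, following -r includes."""
    seen = set() if seen is None else seen
    path = Path(path).resolve()
    if path in seen:  # guard against -r include cycles
        return {}
    seen.add(path)
    deps = {}
    for raw in path.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("-r "):  # nested file, resolved relative to this one
            deps.update(parse_requirements(path.parent / line[3:].strip(), seen))
        elif not line.startswith("-"):  # other pip options are not dependencies
            match = _SPEC_RE.match(line)
            if match:
                deps[match.group(1).lower()] = match.group(2).strip()
    return deps


def scan(env, project_dir):
    """Dependencies the analyzer would scan for the given job environment."""
    return parse_requirements(select_requirements_file(env, project_dir))


def build_sample_project():
    """Constructed sample repo: requirements/production.txt includes base.txt."""
    root = Path(tempfile.mkdtemp())
    (root / "requirements").mkdir()
    (root / "requirements" / "base.txt").write_text("requests~=2.0.0  # pinned\n")
    (root / "requirements" / "production.txt").write_text("-r base.txt\ngunicorn>=20\n--no-binary :all:\n")
    (root / "requirements.txt").write_text("flask==1.1.2\n")
    return root
```

With PIP_REQUIREMENTS_FILE unset the scan sees only requirements.txt; pointing it at requirements/production.txt yields the production set, including the pin pulled in through the include.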
Documentation
- Add this new option to https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#available-variables. It might be worth splitting analyzer-specific variables as we've done for SAST: https://docs.gitlab.com/ee/user/application_security/sast/index.html#analyzer-settings
Testing
This can be tested against our python-pip test projects (there might be others too).
What does success look like, and how can we measure that?
A repo that installs requests=~2.0.0 as specified in any.txt should have a security issue reported by GitLab.
Links / references
Product
Edited by Igor Frenkel