Dependency scanning for Python should support files other than just requirements.txt
Problem to solve
Our teams use requirements files with names such as build-requirements.txt, test-requirements.txt, docs-requirements.txt, py2-requirements.txt, requirements/production.txt, and so on. These currently seem impossible to scan with dependency scanning.
Further details
Proposal
Add a way to specify all the requirements files from a repo. Not sure how, exactly.
Implementation plan
- Update the gemnasium-python analyzer to read the PIP_REQUIREMENTS_FILE (to be confirmed) environment variable and use it as the source of dependencies to scan.
- Update the vendored template Dependency-Scanning.gitlab-ci.yml to pass this variable down from the job to the analyzer.
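As an added illustration (not part of the issue or of the GitLab template itself), this is how a project's .gitlab-ci.yml could pass the proposed variable down to the Python analyzer job once the template forwards it. The job name gemnasium-python-dependency_scanning and the variable name PIP_REQUIREMENTS_FILE are assumptions here, since the issue marks the variable name as still to be confirmed; the matrix variant is one way to cover several files and assumes the analyzer honors the variable per job.

```yaml
# Added example, not the project's template. Assumes the analyzer reads
# PIP_REQUIREMENTS_FILE (name to be confirmed per the issue) and that the
# Python analyzer job is called gemnasium-python-dependency_scanning.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

# Single non-default requirements file.
gemnasium-python-dependency_scanning:
  variables:
    PIP_REQUIREMENTS_FILE: "requirements/production.txt"

# Alternative (assumption): scan several requirements files by running the
# analyzer once per file with a parallel matrix, so each job scans one file.
gemnasium-python-dependency_scanning-matrix:
  extends: gemnasium-python-dependency_scanning
  parallel:
    matrix:
      - PIP_REQUIREMENTS_FILE:
          - "build-requirements.txt"
          - "test-requirements.txt"
          - "docs-requirements.txt"
```

Only one of the two jobs is needed in practice; the matrix form is shown because the problem statement lists several differently named files in one repo.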
Documentation
- Add this new option to https://docs.gitlab.com/ee/user/application_security/dependency_scanning/index.html#available-variables. It might be worth splitting analyzer-specific variables as we've done for SAST: https://docs.gitlab.com/ee/user/application_security/sast/index.html#analyzer-settings
Testing
This can be tested against our python-pip test projects (there might be others too).
What does success look like, and how can we measure that?
A repo that installs requests=~2.0.0 as specified in any.txt should have a security issue reported by GitLab.
Links / references
Product
Edited by Igor Frenkel