Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add details for running against pipenv projects #364

Merged
merged 4 commits into from
Sep 8, 2022
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ with support from Google. This is not an official Google or Trail of Bits produc
* [Dry runs](#dry-runs)
* [Examples](#examples)
* [Troubleshooting](#troubleshooting)
* [Tips and Tricks](#tips-and-tricks)
* [Security model](#security-model)
* [Licensing](#licensing)
* [Contributing](#contributing)
Expand Down Expand Up @@ -379,6 +380,27 @@ $ pip-audit --no-deps -r requirements.txt
$ pip-audit --require-hashes -r requirements.txt
```

## Tips and Tricks

### Running against a `pipenv` project

`pipenv` uses both a `Pipfile` and `Pipfile.lock` file to track and freeze dependencies
instead of a `requirements.txt` file. `pip-audit` cannot process the `Pipfile[.lock]`
files directly, however, these can be converted to a supported `requirements.txt` file
that `pip-audit` can run against. Use a Python tool, such as
[`pipfile-requirements`](https://github.com/frostming/pipfile-requirements), to
convert your `Pipfile[.lock]` to a `requirements.txt` file and then run
`pip-audit` against the generated requirements file.

```console
$ pipenv install --dev pipfile-requirements
$ pipenv run pipfile2req Pipfile.lock > requirements.txt
$ pipenv run pip-audit -r requirements.txt
```

The `requirements.txt` file needs to be kept up to date with `pipenv` when running
`pip-audit` locally like this.

## Security Model

This section exists to describe the security assumptions you **can** and **must not**
Expand Down