python/dependency-scanning
¶
Configures a dependency_scanning
job that uses that analyses the dependencies of the project for known vulnerabilities.
Description¶
This component builds on GitLab's upstream dependency scanning template to add support for projects that only provide pyproject.toml
and no other requirements or metadata files.
Usage¶
include:
- component: git.ligo.org/computing/gitlab/components/python/all@<VERSION>
Inputs¶
Input | Default value | Description |
---|---|---|
stage | "test" | Pipeline stage to add job to. |
before_script | [] | Extra commands to run before the scanner is executed |
Examples¶
Scan a Python application¶
Scan a Python application
include:
- component: git.ligo.org/computing/gitlab/components/python/dependency-scanning@<VERSION>
Install custom requirements before scanning¶
The Python dependency scanner works by installing a project's requirements using pip
. In order to achieve this, it may be required to install some system packages against which Python libraries can be linked dynamically at install time. This can be simplified by specifying the system installation commands as part of the before_script
input:
Specify custom before_script
include:
- component: git.ligo.org/computing/gitlab/components/python/dependency-scanning@<VERSION>
inputs:
before_script:
- apt-get -yqq update
- apt-get -yqq install libkrb5-dev
If using a meta-component that doesn't support specifying before_script as an input, you can specify the same commands directly by overwriting the
dependency_scanning` template:
Specify custom before_script
in the job template
include:
- component: git.ligo.org/computing/gitlab/components/python/all@<VERSION>
# overwrite before_script
dependency_scanning:
before_script:
- apt-get -yqq update
- apt-get -yqq install libkrb5-dev
The dependency scanner runs in a Debian-based image
The dependency scanning tool runs inside a container image based on Debian, so system packages should be installed using apt-get
.