-
|
If I want to continuously/automatically scan Python packages in my devpi server for malware/vulnerabilities, is there a way to automatically/continuously do so? Is there a way to leverage pip-audit or GitHub's dependabot or cross-check against vulnerability databases? Thank you for your advice! |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 2 replies
-
|
Out of the box there is no support for that. I haven't looked into any vulnerability database APIs, but it should be fairly straight forward to create a plugin that does that. I can give some pointers if you want to implement it yourself. Since this is most likely an enterprise feature for compliance, you can contact me via mail@pyfidelity.com for details to hire me to implement it if you can't do it yourself. |
Beta Was this translation helpful? Give feedback.
-
|
@fschulze thank you. If I may, I would like to simplify my question, to just ask about the expected behaviour of devpi. I created an index named "dev" and base using pypi: However, when i execute the following, i am able to install any package. Is this the expected behaviour? How can I create an index that allows install of 8000 only whitelisted packages AND pull packages from PyPI if it is not yet in the devpi server? Thank you so much! |
Beta Was this translation helpful? Give feedback.
-
|
The Take a look at |
Beta Was this translation helpful? Give feedback.
-
|
@fschulze yes it works. Thank you. A bit counter-intuitive that the constraints file needs to end with * so that it blocks everything else. But yes it works, meets my needs, danke sehr! |
Beta Was this translation helpful? Give feedback.
The
mirror_whitelistsetting has a different use, see https://devpi.net/docs/devpi/devpi/stable/+d/userman/devpi_indices.html#modifying-the-mirror-whitelistTake a look at
devpi-constrainedand see if it suits your needs. Be aware of this issue though: devpi/devpi-constrained#7