Background
As part of my day job on Google’s open-source security team, I’ve been working for the past year with a team from Trail of Bits to author, implement and maintain https://pypi.org/p/pip-audit/, a standalone tool for scanning Python environments for packages with known vulnerabilities. This is the first such tool to integrate directly with PyPI for vulnerability data and be intended to be an entirely community-owned and operated project.
We’re at the point now where pip-audit
is more or less feature-complete & bug-free, and there’s a potential path towards elevating the pip-audit
project as a subcommand of pip
itself. I’ve outlined a rough roadmap for this path here. We (the pip-audit
maintainers) would like to welcome discussion on the roadmap as well as get buy-in from the wider community on the overall plan.
Our goal
Our ultimate goal is to make a) useful vulnerability tooling that is b) free to use, c) community owned and operated and and d) canonical and easily available to every Python user. We’ve already achieved a) and b) and to some extent c) (the project is open-source, and we plan to request a transfer to the PyPA org) but we think the most effective way to achieve d) is by making pip-audit
a subcommand of pip
itself, due to pip
’s wide user base.
Integration
Given that our goal has always been to become a subcommand of pip
, we’ve taken a lot of care to design pip-audit
in a way should make integration as easy as possible:
- We’ve designed
pip-audit
’s CLI in a way that is in line withpip
’s existing CLI and UX and with commands that should feel natural to the averagepip
user: commands for auditing environments or requirements files withpip-audit
should feel very similar to existing commands for installing withpip
- We’ve taken great care in taking on additional sub-dependencies that would unnecessarily increase
pip
’s footprint, and aligning withpip
’s existing sub-dependencies where possible - We’ve designed
pip-audit
itself in a way that should make it possible to mount it as a vendored subcommand ofpip
, rather than re-implementing it from scratch. This means that it should be a low maintenance burden on thepip
maintainers, as ongoing development & maintenance could continue to happen in thepip-audit
repository bypip-audit
maintainers (withpip
maintainers getting the final say in what makes it intopip
itself, of course).
Our ask
The point of this discussion is to share this potential plan early on with the community and get feedback, specifically on the following questions:
- Do you think support for known vulnerability auditing something that would be valuable to have in
pip
? - Does the feature set of
pip-audit
align with what you’d find valuable? - Is the proposed roadmap the best path forward?
Myself and @woodruffw are also happy to answer any questions that aren’t covered by the pip-audit
docs about how pip-audit
works or about the goals/plan here.
Thanks in advance!