Integration of PDM with PIP-Audit for enhanced default project security. #3265
Unanswered
galenseilis asked this question in Q&A
Replies: 1 comment

Just found |
Hey everyone! 👋
I'm currently using pdm as my Python package and dependency manager, and I'm looking for a way to seamlessly integrate security checks into my workflow. Specifically, I'd like to ensure that any packages I add or update do not have known vulnerabilities listed in the Python Packaging Authority's Security Advisory Database.
I've been exploring pip-audit, which seems like a great tool for auditing Python dependencies for security advisories, but I haven't decided on a way to automate this process directly within pdm. There is a pre-commit hook for pip-audit, but I think it doesn't recognize `toml` files (which are what I am mostly using now). I am aware of pdm's capability to generate a requirements file, but I am currently unaware of if/how that could be composed together. Ideally, I'd like to:
My current thinking is to do one of the following:
`sadd` being a portmanteau of "secure add". Has anyone here successfully integrated pip-audit with pdm? If so, I'd love to hear about your setup or any hooks you've implemented. Additionally, are there better approaches or tools for achieving this level of security in a pdm-managed project?
Any code examples, scripts, or tips would be greatly appreciated! 🚀
Thanks in advance! 🙏
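One way to compose the two tools the way the question describes: let `pdm export` produce a pinned requirements file from `pdm.lock`, feed that file to `pip-audit`, and wrap both behind a `sadd` script that runs after `pdm add`. This is an added example written for this thread, not code from pdm or pip-audit. It assumes the real CLIs `pdm add`, `pdm export --without-hashes -o FILE` and `pip-audit -r FILE -f json --strict` are on PATH; the JSON layout handled in `parse_findings()` is an assumption about pip-audit's report format, and the sample reports at the bottom (including the advisory id `EXAMPLE-0001`) are constructed.

```python
#!/usr/bin/env python3
"""sadd: a 'secure add' wrapper that runs pip-audit after pdm changes the lock file.

Added example for this thread; it is not code from pdm or pip-audit. It assumes
the real CLIs `pdm add`, `pdm export --without-hashes -o FILE` and
`pip-audit -r FILE -f json --strict` are on PATH. The JSON layout handled in
parse_findings() is an assumption about pip-audit's report format (a dict with a
"dependencies" list, or a bare list in older releases). The sample reports at
the bottom are constructed and use a made-up advisory id.
"""
import json
import subprocess
import sys
import tempfile
from pathlib import Path


def parse_findings(report):
    """Flatten a pip-audit JSON report into (name, version, vuln_id, fix_versions).

    Dependencies pip-audit could not audit carry a "skip_reason" and no "vulns";
    they yield nothing here, which is why the audit runs with --strict so that
    skips fail the command instead of passing silently.
    """
    deps = report.get("dependencies", []) if isinstance(report, dict) else report
    findings = []
    for dep in deps:
        for vuln in dep.get("vulns") or []:
            findings.append(
                (dep["name"], dep["version"], vuln["id"], tuple(vuln.get("fix_versions", [])))
            )
    return findings


def export_requirements(dest):
    """Ask pdm for a pinned requirements file derived from pdm.lock."""
    subprocess.run(["pdm", "export", "--without-hashes", "-o", str(dest)], check=True)


def audit_requirements(req_file):
    """Run pip-audit on the exported file and return the parsed findings."""
    proc = subprocess.run(
        ["pip-audit", "-r", str(req_file), "-f", "json", "--strict"],
        capture_output=True, text=True,
    )
    try:
        report = json.loads(proc.stdout)
    except json.JSONDecodeError:
        # pip-audit exits non-zero both for findings and for errors; only the
        # JSON body tells them apart, so treat "no JSON" as an audit failure.
        raise RuntimeError(f"pip-audit failed (exit {proc.returncode}):\n{proc.stderr}")
    return parse_findings(report)


def audit_project():
    """Export the current lock to a temp file and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        req = Path(tmp) / "requirements.txt"
        export_requirements(req)
        return audit_requirements(req)


def format_findings(findings):
    """Render findings one per line; an empty list renders as an empty string."""
    return "".join(
        f"{name}=={version}: {vid} (fixed in: {', '.join(fixes) or 'no fix listed'})\n"
        for name, version, vid, fixes in findings
    )


def main(argv):
    # `sadd.py --audit-only` only audits the current lock (usable as a local
    # pre-commit hook); `sadd.py PKG...` forwards PKG... to `pdm add` first.
    packages = [a for a in argv if a != "--audit-only"]
    if packages:
        subprocess.run(["pdm", "add", *packages], check=True)
    findings = audit_project()
    if findings:
        sys.stderr.write("pip-audit reported known vulnerabilities:\n" + format_findings(findings))
        if packages:
            sys.stderr.write("Revert with: git checkout -- pyproject.toml pdm.lock\n")
        return 1
    print("pip-audit: no known vulnerabilities in the current lock")
    return 0


# Constructed sample reports (not real pip-audit output; made-up advisory id).
SAMPLE_CLEAN = {"dependencies": [{"name": "examplepkg", "version": "1.0.1", "vulns": []}], "fixes": []}
SAMPLE_VULN = {
    "dependencies": [
        {"name": "examplepkg", "version": "1.0.0",
         "vulns": [{"id": "EXAMPLE-0001", "fix_versions": ["1.0.1"], "aliases": [], "description": "constructed"}]},
        {"name": "localpkg", "skip_reason": "constructed: not on PyPI"},
    ],
    "fixes": [],
}

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

To expose it as the `sadd` command the question sketches, register it under `[tool.pdm.scripts]` in `pyproject.toml` (for example `sadd = "python scripts/sadd.py"`) and call `pdm run sadd <package>`; the same script with `--audit-only` works as a `repo: local` pre-commit hook, which sidesteps the pip-audit hook's inability to read the TOML project file because the audit always runs on the exported requirements instead. Two caveats: the script deliberately does not auto-revert a failed add (an update of an existing package cannot be undone with `pdm remove`, so it points at git instead), and `pdm export` takes the same group selectors as `pdm install` (`--prod`, `-G`), so scope the export to what you actually ship if optional groups pull in packages you do not want gating the build.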