Equivalent to pip-audit?

[asmith26]

Problem description

Hi,

Just wondering if there any tools for pixi that work like pip-audit, or if there are plans to integrate such a tool directly into pixi?

For reference (from https://pypi.org/project/pip-audit/):

pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database (https://github.com/pypa/advisory-database) via the PyPI JSON API as a source of vulnerability reports.

Thanks!

[ruben-arts]

Hey @asmith26, we sure are discussing this. It would be best for integration purposes if someone (most likely a company) comes to help us with this in the form of an integration partner, as these features are hard to build without proper third-party testing and validation.

If this is something you could help with please let us know!

That said, with conda-forge/pixi we do have the ability to do this very well as we know where and how things are build (conda-forge) and the lock-file describes the packages extremely detailed. So this is not an unsolvable problem. An SBOM is just an extra step in the generation process.