Add details for running against pipenv projects (#364)
* add faq entry for pipenv support

* address PR feedback

* Apply suggestions from code review

Co-authored-by: Dustin Ingram <[email protected]>

* Update README.md

Co-authored-by: William Woodruff <[email protected]>

Co-authored-by: Dustin Ingram <[email protected]>
Co-authored-by: William Woodruff <[email protected]>
3 people authored Sep 8, 2022
1 parent 678730e commit c582937
Showing 1 changed file with 22 additions and 0 deletions.
22 changes: 22 additions & 0 deletions README.md
Expand Up @@ -28,6 +28,7 @@ with support from Google. This is not an official Google or Trail of Bits produc
* [Dry runs](#dry-runs)
* [Examples](#examples)
* [Troubleshooting](#troubleshooting)
* [Tips and Tricks](#tips-and-tricks)
* [Security model](#security-model)
* [Licensing](#licensing)
* [Contributing](#contributing)
Expand Down Expand Up @@ -379,6 +380,27 @@ $ pip-audit --no-deps -r requirements.txt
$ pip-audit --require-hashes -r requirements.txt
```

## Tips and Tricks

### Running against a `pipenv` project

`pipenv` uses both a `Pipfile` and `Pipfile.lock` file to track and freeze dependencies
instead of a `requirements.txt` file. `pip-audit` cannot process the `Pipfile[.lock]`
files directly, however, these can be converted to a supported `requirements.txt` file
that `pip-audit` can run against. Use a Python tool, such as
[`pipfile-requirements`](https://github.com/frostming/pipfile-requirements), to
convert your `Pipfile[.lock]` to a `requirements.txt` file and then run
`pip-audit` against the generated requirements file.

```console
$ pipenv install --dev pipfile-requirements
$ pipenv run pipfile2req Pipfile.lock > requirements.txt
$ pipenv run pip-audit -r requirements.txt
```

The `requirements.txt` file needs to be kept up to date with `pipenv` when running
`pip-audit` locally like this.

## Security Model

This section exists to describe the security assumptions you **can** and **must not**
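Review bot: The third command, `pipenv run pip-audit -r requirements.txt`, assumes `pip-audit` is already installed in the project's virtualenv, but the first command only installs `pipfile-requirements`; either add `pip-audit` to that `pipenv install --dev` line or state that `pip-audit` must be available in the environment, otherwise the snippet fails as written. It is also worth tying this section to the `--require-hashes` usage shown just above it: `Pipfile.lock` already pins hashes, so if the converter is asked to carry them into the generated `requirements.txt`, the audit keeps the lock file's integrity guarantees instead of dropping them in the conversion. Finally, the closing sentence should say explicitly that the generated `requirements.txt` is a throwaway artifact to regenerate from `Pipfile.lock` on every change and not to commit, since a stale copy silently audits the wrong dependency set.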

0 comments on commit c582937