From c5829372a5f8dc1d13b168aed2730aa7031a36ca Mon Sep 17 00:00:00 2001 From: Adam Meily Date: Thu, 8 Sep 2022 13:08:27 -0400 Subject: [PATCH] Add details for running against pipenv projects (#364) * add faq entry for pipenv support * address PR feedback * Apply suggestions from code review Co-authored-by: Dustin Ingram * Update README.md Co-authored-by: William Woodruff Co-authored-by: Dustin Ingram Co-authored-by: William Woodruff --- README.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/README.md b/README.md index b86898f7..17608707 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,7 @@ with support from Google. This is not an official Google or Trail of Bits produc * [Dry runs](#dry-runs) * [Examples](#examples) * [Troubleshooting](#troubleshooting) +* [Tips and Tricks](#tips-and-tricks) * [Security model](#security-model) * [Licensing](#licensing) * [Contributing](#contributing) 
@@ -379,6 +380,27 @@ $ pip-audit --no-deps -r requirements.txt $ pip-audit --require-hashes -r requirements.txt ``` +## Tips and Tricks + +### Running against a `pipenv` project + +`pipenv` uses both a `Pipfile` and `Pipfile.lock` file to track and freeze dependencies +instead of a `requirements.txt` file. `pip-audit` cannot process the `Pipfile[.lock]` +files directly, however, these can be converted to a supported `requirements.txt` file +that `pip-audit` can run against. Use a Python tool, such as +[`pipfile-requirements`](https://github.com/frostming/pipfile-requirements), to +convert your `Pipfile[.lock]` to a `requirements.txt` file and then run +`pip-audit` against the generated requirements file. + +```console +$ pipenv install --dev pipfile-requirements +$ pipenv run pipfile2req Pipfile.lock > requirements.txt +$ pipenv run pip-audit -r requirements.txt +``` + +The `requirements.txt` file needs to be kept up to date with `pipenv` when running +`pip-audit` locally like this. + ## Security Model This section exists to describe the security assumptions you **can** and **must not**
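Review bot: in the `pipenv` snippet of the second hunk, the third command (`$ pipenv run pip-audit -r requirements.txt`) assumes `pip-audit` is already installed inside the pipenv virtual environment, but the preceding `pipenv install --dev pipfile-requirements` line installs only the converter; either extend that line to `$ pipenv install --dev pipfile-requirements pip-audit` or state that `pip-audit` must be present in the environment first. It would also help to say whether the generated `requirements.txt` preserves the hashes recorded in `Pipfile.lock`, since the context line just above the hunk shows `$ pip-audit --require-hashes -r requirements.txt` and readers will want to know if that mode applies to the converted file. Minor style point: "cannot process the `Pipfile[.lock]` files directly, however, these can be converted" is a comma splice; "directly; however, they can be converted" reads better.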