- can be used within large projects. (see benchmarks)
- automatically finds dependencies either from configuration files or within source code.
- support for poetry,hatch,filt,pdm and can be integrated into existing build processes.
- hasn't been battle-hardened yet. PRs and issue makers welcome.
pip install pyscan-rs
look out for the "-rs" part or
cargo install pyscan
Go to your python source directory (or wherever you keep your requirements.txt
/pyproject.toml
) and run:
> pyscan
or
> pyscan -d path/to/src
Pyscan will find any dependencies added through poetry, hatch, filt, pdm, etc. Here's the order of precedence for a source/config file:
requirements.txt
pyproject.toml
- your source code (
.py
)
Pyscan will use your pip
to find unknown versions, otherwise pypi.org for the latest version. Still, it is recommended to version-ize your requirements and use proper pep-508 syntax.
pyscan requires a rust version of < v1.70
, and might be unstable on previous releases.
There's an overview of the codebase at architecture. Grateful for all the contributions so far.
pyscan doesn't make sure your code is safe from everything. Use all resources available to you like safety Dependabot, pip-audit
, trivy and the likes.
As of December 24, 2024:
- Gather time to work on it (incredible task as a
high schoolercollege freshman) - Persistent state representation of a project's security.
- Graphical analysis of dependencies and their dependencies, and so on.
- Better display, search, filter of vulns
- Finish the "big" update (All of the above is a part of PR #17)
While not coding, I am a broke high school college student with nothing else to do. I appreciate all the help I can get.