What GitHub scans for Python dependencies
Here comes a key initial limitation of GitHub’s checks, which we believe can be greatly enhanced by trivial upgrades on GitHub’s part.
As of this writing, GitHub only looks to Pipfile.lock for dependencies. setup.py is partially supported by GitHub's security scan, but is not yet reliable as of this writing.

The issue with that is that Python can use several other means to specify dependencies:

- requirements.txt is not used on many popular Python packages.
- Pipfile.lock generation currently requires separate installation of
- setup.cfg is part of setuptools, which essentially every Python user has from the factory. setup.cfg can nearly entirely replace
- we have asked GitHub to do the trivial parsing of