Skip to content

README: Documentation improvements #304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jun 21, 2022
Merged

README: Documentation improvements #304

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
021d00c
README: replace `jq` with `python -m json.tool`
woodruffw Jun 16, 2022
7a309c1
README: ToC, reorg, troubleshooting, tweak example
woodruffw Jun 16, 2022
ab66669
Merge remote-tracking branch 'origin/main' into ww/doc-improvements
woodruffw Jun 16, 2022
83946bf
README: format, add more detail on the GitHub Action
woodruffw Jun 16, 2022
decd1f0
Merge branch 'main' into ww/doc-improvements
woodruffw Jun 17, 2022
f972d01
README: mention hash-checking mode
woodruffw Jun 21, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
127 changes: 104 additions & 23 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,23 @@ of vulnerability reports.
This project is developed by [Trail of Bits](https://www.trailofbits.com/) with
support from Google. This is not an official Google product.

## Index

* [Features](#features)
* [Installation](#installation)
* [Third-party packages](#third-party-packages)
* [GitHub Actions](#github-actions)
* [`pre-commit` support](#pre-commit-support)
* [Usage](#usage)
* [Exit codes](#exit-codes)
* [Dry runs](#dry-runs)
* [Examples](#examples)
* [Troubleshooting](#troubleshooting)
* [Security model](#security-model)
* [Licensing](#licensing)
* [Contributing](#contributing)
* [Code of Conduct](#code-of-conduct)
Comment on lines +21 to +34
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just an FYI that these won't work when the README is displayed on PyPI: pypa/readme_renderer#169

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that was in the back of my mind...

IMO that's an acceptable tradeoff for now, since we also direct-link to the repo in a few places (like the GitHub Action).


## Features

* Support for auditing local environments and requirements-style files
Expand All @@ -25,6 +42,7 @@ support from Google. This is not an official Google product.
* Support for emitting
[SBOMs](https://en.wikipedia.org/wiki/Software_bill_of_materials) in
[CycloneDX](https://cyclonedx.org/) XML or JSON
* Support for automatically fixing vulnerable dependencies (`--fix`)
* Human and machine-readable output formats (columnar, JSON)
* Seamlessly reuses your existing local `pip` caches

Expand All @@ -36,9 +54,6 @@ support from Google. This is not an official Google product.
python -m pip install pip-audit
```

Alternatively, you can use `pip-audit` in your CI via the official
[`trailofbits/gh-action-pip-audit` GitHub Action](https://github.com/trailofbits/gh-action-pip-audit).

### Third-party packages

There are multiple **third-party** packages for `pip-audit`. The matrices and badges below
Expand All @@ -60,6 +75,48 @@ conda install -c conda-forge pip-audit
Third-party packages are **not** directly supported by this project. Please consult your package manager's
documentation for more detailed installation guidance.

### GitHub Actions

`pip-audit` has [an official GitHub Action](https://github.com/trailofbits/gh-action-pip-audit)!

You can install it from the
[GitHub Marketplace](https://github.com/marketplace/actions/gh-action-pip-audit), or
add it to your CI manually:

```yaml
jobs:
pip-audit:
steps:
- uses: trailofbits/[email protected]
with:
inputs: requirements.txt
```

See the
[action documentation](https://github.com/trailofbits/gh-action-pip-audit/blob/main/README.md)
for more details and usage examples.

### `pre-commit` support

`pip-audit` has [`pre-commit`](https://pre-commit.com/) support.

For example, using `pip-audit` via `pre-commit` to audit a requirements file:

```yaml
- repo: https://github.com/trailofbits/pip-audit
rev: v2.1.2
hooks:
- id: pip-audit
args: ["-r", "requirements.txt"]

ci:
# Leave pip-audit to only run locally and not in CI
# pre-commit.ci does not allow network calls
skip: [pip-audit]
```

Any `pip-audit` arguments documented below can be passed.

## Usage

You can run `pip-audit` as a standalone program, or via `python -m`:
Expand Down Expand Up @@ -221,7 +278,7 @@ Flask 0.5 PYSEC-2018-66 0.12.3 The Pallets Project flask version Befo

Audit dependencies in JSON format:
```
$ pip-audit -f json | jq
$ pip-audit -f json | python -m json.tool
Found 2 known vulnerabilities in 1 package
[
{
Expand Down Expand Up @@ -282,6 +339,48 @@ flask 0.5 PYSEC-2019-179 1.0 Successfully upgraded flask (0.5 => 1.
flask 0.5 PYSEC-2018-66 0.12.3 Successfully upgraded flask (0.5 => 1.0)
```

## Troubleshooting

Have you resolved a problem with `pip-audit`? Help us by contributing to this
section!

### `pip-audit` takes longer than I expect!

Depending on how you're using it, `pip-audit` may have to perform its
own dependency resolution, which can take roughly as long as `pip install`
does for a project. See the [security model](#security-model) for an explanation.

You have two options for avoiding dependency resolution: *audit a pre-installed
environment*, or *ensure that your dependencies are already fully resolved*.

If you know that you've already fully configured an environment equivalent
to the one that `pip-audit -r requirements.txt` would audit, you can simply
reuse it:

```console
# Note the absence of any "input" arguments, indicating that the environment is used.
$ pip-audit

# Optionally filter out non-local packages, for virtual environments:
$ pip-audit --local
```

Alternatively, if your input is fully pinned (and optionally hashed), you
can tell `pip-audit` to skip dependency resolution with either `--no-deps`
(pinned without hashes) or `--require-hashes` (pinned including hashes).

The latter is equivalent to `pip`'s
[hash-checking mode](https://pip.pypa.io/en/stable/cli/pip_install/#hash-checking-mode)
and is preferred, since it offers additional integrity.

```console
# fails if any dependency is not fully pinned
$ pip-audit --no-deps -r requirements.txt

# fails if any dependency is not fully pinned *or* is missing hashes
$ pip-audit --require-hashes -r requirements.txt
```

## Security Model

This section exists to describe the security assumptions you **can** and **must not**
Expand Down Expand Up @@ -315,25 +414,6 @@ and purposes, `pip-audit -r INPUT` is functionally equivalent to
`pip install -r INPUT`, with a small amount of **non-security isolation** to
avoid conflicts with any of your local environments.

## pre-commit support

pip-audit has [pre-commit](https://pre-commit.com/) support. Please specify your
arguments in your pre-commit config. An example config using requirements file can be:

```yaml
- repo: https://github.com/trailofbits/pip-audit
rev: v2.1.2
hooks:
- id: pip-audit
args: ["-r", "requirements.txt"]

ci:
# Leave pip-audit to only run locally and not in CI
# pre-commit.ci does not allow network calls
skip: [pip-audit]
```
- Any valid CLI arguments documented above can be passed.

## Licensing

`pip-audit` is licensed under the Apache 2.0 License.
Expand All @@ -347,5 +427,6 @@ the ISC license.
See [the contributing docs](CONTRIBUTING.md) for details.

## Code of Conduct

Everyone interacting with this project is expected to follow the
[PSF Code of Conduct](https://github.com/pypa/.github/blob/main/CODE_OF_CONDUCT.md).