New Features
  1. Docs Library | Snyk
  2. Snyk Open Source
  3. Language & package manager support

Articles in this section

Snyk for Python

Snyk offers security scanning to test your projects for vulnerabilities, both through your CLI and through different integrations from our UI.

The following describes how to use Snyk to scan your Python projects: 

Features

Note

Features might not be available, depending on your subscription plan.

 

Package managers/Features

CLI support

Git support

License scanning

Remediation

Runtime monitoring
i_icon_pip.jpeg

Pip and PyPI

✔︎

✔︎

✔︎

✔︎

  
i_icon_pipenv.jpeg

pipenv

✔︎

 

✔︎

 

  
i_icon_pip.jpeg

setup.py

✔︎

 

✔︎

✔︎

  
poetry-logo-origami.svg

Poetry

✔︎

 

✔︎

✔︎

  

Note

PyPI licenses are supported for all Python projects.

How it works

Once we’ve built the tree, we can use our vulnerability database to find vulnerabilities in any of the packages anywhere in the dependency tree.

Note

In order to scan your dependencies, you must ensure you have first installed the relevant package manager, and that your project contains the supported manifest files.

The way by which Snyk analyzes and builds the tree varies depending on the language and package manager of the project, as well as the location of your project.

Snyk CLI tool for Python projects

The way by which Snyk analyzes and builds the tree varies depending on the language and package manager of the project.

Pip

In order to build the dependency tree Snyk analyzes the first requirements.txt file that it finds. We also scan for installed packages to ensure we don’t miss any packages, even when not explicitly specified in your manifest file.

Pipenv

In order to build the dependency tree Snyk analyzes the Pipfile file.

setup.py

In order to build the dependency tree Snyk analyzes the setup.py file, and detects packages listed in the install_requires key.

There is no auto-discovery for this file, it must be specified manually:

snyk test --file=setup.py

You can convert setup.py to requirements.txt by installing the packages into a virtual environment then running pip freeze.

Poetry

To find issues in a Python Poetry application Snyk uses pyproject.toml and poetry.lock files. Note both these files must be present for Snyk to identify Poetry dependencies and test for issues.

Additional support details
https://github.com/snyk/snyk-python-plugin/blob/master/lib/types.ts
CLI parameters for Python
Prerequisites

  • Ensure you've installed the relevant package manager before you begin using the Snyk CLI tool.

  • Ensure you've included the relevant manifest files supported by Snyk before testing.

  • Install and authenticate the Snyk CLI to start analyzing projects from your local environment. Read more about our CLI in Getting started with the CLI as well.

Parameters

When scanning your Python project for vulnerabilities, use these options to modify commands:

Option

Description

--command=<string>

Snyk uses Python in order to scan and find your dependencies. Snyk needs the Python version to start scanning, and defaults to "python"

If you are using multiple Python versions, use this parameter to specify the correct Python command for execution.

For example: snyk test --command=python3

--skip-unresolved=<true|false> 

Skip packages when they can’t be found in the environment (for example, private packages that can’t be accessed from the machine running the scan).

--file=<file_name>

Specify a specific file to test. By default, Snyk scans the requirements.txt file on the top level of the project. 

If explicitly specified with this parameter, Snyk can recognize any manifest files named *req*.txt, where: Each (*) is a wildcard and req can appear anywhere in the file name.

For example, Snyk recognizes your manifest file when you have renamed it to requirements-dev.txt.

--package-manager=pip

This parameter is mandatory if you specify a value for the --file parameter that is not to a requirements.txt file. The test fails without this parameter.Specify this parameter with the value pip. 

Git services for Python projects

Python projects can be imported from any of the Git repositories we support. 

In order to test your Python projects using pip as a package manager, we analyze your requirements.txt file, and so you must have this file in your repository before importing.

If you’ve renamed your requirements.txt files (for example, if you have renamed a file to requirements-dev.txt), we try to import every file that follows the *req*.txt convention as a Python project.

If you are using a package manager that creates different manifest file formats other than requirements.txt, then either convert or import (depending on the package manager/supported files) the manifest file to the requirements.txt format.

For example:

dephell deps convert --from=conda --to=requirements.txt

We recommend you create different organizations to work with different Python versions. However, if you prefer to use one organization, add a .snyk file to your repository and specify the desired Python language version.

For example:

language-settings: python: '3.6.2'

Note

Currently, projects built with Pipenv cannot be imported to our UI manually.

Git settings for Python

From the Snyk UI you can configure the pip version you’re using to manage your Python project.

Available settings for Python are: 

  • Python 2 (default)

  • Python 3

To update language preferences: 

  1. Log in to your account and navigate to the relevant group and organization that you want to manage.
    AddProjectMenu.gif

  2. Go to Settings > Languages .

  3. Click Edit settings for Python to choose the pip version for your projects in this organization.