docs/guide/coverage/language/python.md

Trivy v0.70.0

Python

Trivy supports the following Python package managers: pip, Pipenv, Poetry and uv. Trivy also supports the pylock.toml lock file format defined by PEP 751. The following scanners are supported for package managers.

| Package manager | SBOM | Vulnerability | License |
|-----------------|:----:|:-------------:|:-------:|
| pip             |  ✓   |       ✓       |    ✓    |
| Pipenv          |  ✓   |       ✓       |    -    |
| Poetry          |  ✓   |       ✓       |    -    |
| uv              |  ✓   |       ✓       |    -    |
| pylock          |  ✓   |       ✓       |    -    |

In addition, Trivy supports these formats of Python packages: egg, wheel and conda. The following scanners are supported for Python packages.

| Packaging | SBOM | Vulnerability | License |
|-----------|:----:|:-------------:|:-------:|
| Egg       |  ✓   |       ✓       |    ✓    |
| Wheel     |  ✓   |       ✓       |    ✓    |
| Conda     |  ✓   |       -       |    -    |

The following table provides an outline of the features Trivy offers.

| Package manager | File             | Transitive dependencies | Dev dependencies | Dependency graph | Position | Detection Priority |
|-----------------|------------------|:-----------------------:|:----------------:|:----------------:|:--------:|:------------------:|
| pip             | requirements.txt |            -            |     Include      |        -         |    ✓     |         ✓          |
| Pipenv          | Pipfile.lock     |            ✓            |     Include      |        -         |    ✓     |     Not needed     |
| Poetry          | poetry.lock      |            ✓            |     Exclude      |        ✓         |    -     |     Not needed     |
| uv              | uv.lock          |            ✓            |     Exclude      |        ✓         |    -     |     Not needed     |
| pylock          | pylock.toml[^1]  |            ✓            |     Exclude      |        ✓         |    -     |     Not needed     |

| Packaging | Dependency graph |
|-----------|:----------------:|
| Egg       |        ✓         |
| Wheel     |        ✓         |

These may be enabled or disabled depending on the target. See here for details.

Package managers

In filesystem and repository scanning, Trivy parses the requirements and lock files generated by package managers.

pip

Dependency detection

By default, Trivy only parses version specifiers that use the `==` operator and have no trailing `.*`. A requirement written any other way is not parsed, so the package on that line is not detected at all.

Using the `--detection-priority comprehensive` option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging. In that mode Trivy also parses the `>=` and `~=` specifiers and a trailing `.*`, taking the lower bound as the version:

```
keyring >= 4.1.1            # Minimum version 4.1.1
Mopidy-Dirble ~= 1.1        # Minimum version 1.1
python-gitlab==2.0.*        # Minimum version 2.0.0
```

Because the recorded version is only a lower bound, findings reported against it may already be fixed in the version actually installed, so pin exact versions where you can.
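As an added example (not Trivy's code and not part of the original page), the following Python script applies the specifier rules described above to a requirements.txt and reports, for each detection-priority mode, which lines Trivy would record, with which version, and which lines it would skip. It approximates only the documented rules: how extras, environment markers, `--hash` options, `-r` includes and comma-separated specifiers are treated is this script's own assumption, and the sample requirements file is constructed.

```python
"""Pre-flight audit of a requirements.txt against the version-specifier rules
this page documents for Trivy's pip parser.

Added example, not Trivy's code. It approximates the documented rules only:
default (precise) mode keeps `==` pins without a trailing `.*`; comprehensive
mode also keeps `>=` and `~=` (lower bound) and `==X.Y.*` (read as X.Y.0).
How Trivy treats everything else on a line (extras, markers, --hash options,
-r includes, several comma-separated specifiers) is an assumption of this
script: such lines are reported as skipped so you can look at them yourself.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# name, optional [extras], exactly one comparison operator, a version
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(?:\[[^\]]*\])?"
    r"(?P<op>===|==|~=|!=|<=|>=|<|>)(?P<ver>[A-Za-z0-9][A-Za-z0-9.+!*-]*)$"
)
DEFAULT_OPS = frozenset({"=="})
COMPREHENSIVE_OPS = frozenset({"==", ">=", "~="})


@dataclass(frozen=True)
class Detected:
    name: str
    version: str  # exact pin, or the minimum version Trivy would record
    exact: bool   # True only for "==" without ".*"


def _strip_noise(raw: str) -> str:
    """Remove comments, environment markers, --options and all whitespace."""
    line = raw.split("#", 1)[0]            # "pkg==1.0  # why"
    line = line.split(";", 1)[0]           # 'pkg==1.0 ; python_version < "3.9"'
    line = line.replace("\\", " ")         # continuation before --hash lines
    return "".join(t for t in line.split() if not t.startswith("--"))


def parse_line(raw: str, comprehensive: bool = False) -> Optional[Detected]:
    """Return what Trivy would record for one line, or None if it would skip it."""
    line = _strip_noise(raw)
    if not line or line.startswith("-"):   # blank/comment, "-r x.txt", "-e .", options
        return None
    m = _REQ_RE.match(line)
    if m is None:                          # bare name, URL, "a>=1,<2", ...
        return None
    name, op, ver = m.group("name", "op", "ver")
    allowed = COMPREHENSIVE_OPS if comprehensive else DEFAULT_OPS
    if op not in allowed:
        return None
    if ver.endswith(".*"):                 # "2.0.*" -> minimum 2.0.0, comprehensive only
        if not comprehensive or op != "==":
            return None
        return Detected(name, ver[:-2] + ".0", exact=False)
    if "*" in ver:                         # any other wildcard form is unsupported
        return None
    return Detected(name, ver, exact=(op == "=="))


def audit(text: str, comprehensive: bool = False) -> Tuple[List[Detected], List[str]]:
    """Split a requirements file into what Trivy would report and what it would skip."""
    detected, skipped = [], []
    for raw in text.splitlines():
        if not _strip_noise(raw):          # blank, comment-only or --hash-only line
            continue
        hit = parse_line(raw, comprehensive)
        if hit:
            detected.append(hit)
        else:
            skipped.append(raw.strip())
    return detected, skipped


# Constructed sample; the three commented lines are the page's own examples.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
-r base.txt
requests==2.28.2
urllib3==1.26.15 ; python_version < "3.12"
keyring >= 4.1.1            # Minimum version 4.1.1
Mopidy-Dirble ~= 1.1        # Minimum version 1.1
python-gitlab==2.0.*        # Minimum version 2.0.0
flask<3
cryptography
boto3[crt]==1.24.96 --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for mode in (False, True):
        found, missed = audit(SAMPLE_REQUIREMENTS, comprehensive=mode)
        print(f"--detection-priority {'comprehensive' if mode else 'precise'}")
        for d in found:
            print(f"  detected {d.name}@{d.version}" + ("" if d.exact else " (minimum)"))
        for line in missed:
            print(f"  skipped  {line}")
```

Run `audit(open("requirements.txt").read())` against your own file before scanning: every line in the skipped list is a dependency Trivy will not report at all, and every hit with `exact=False` is a lower bound whose findings may already be fixed in the version you actually install.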

Alternatively, convert unsupported version specifiers into exact pins: either use the pip-compile tool from pip-tools (which resolves the versions without installing the packages) or run pip freeze in the virtual environment where the requirements are already installed.

```bash
$ cat requirements.txt 
boto3~=1.24.60
click>=8.0
json-fix==0.5.*
$ pip install -r requirements.txt
...
$ pip freeze > requirements.txt 
$ cat requirements.txt 
boto3==1.24.96
botocore==1.27.96
click==8.1.7
jmespath==1.0.1
json-fix==0.5.2
python-dateutil==2.8.2
s3transfer==0.6.2
setuptools==69.0.2
six==1.16.0
urllib3==1.26.18
wheel==0.42.0
```

Note that pip freeze lists everything installed in the environment (here also setuptools and wheel), so run it in a clean virtual environment, and that redirecting its output to requirements.txt overwrites the original ranged specifiers; keep a copy if you still need them.

requirements.txt files usually list only the direct dependencies, not the transitive ones. Therefore, Trivy scans only the direct dependencies when it reads requirements.txt.

To detect transitive dependencies as well, you need to generate a requirements.txt that contains them. As described above, you can do this with pip freeze or pip-compile.

```zsh
$ cat requirements.txt # it will only find `requests@2.28.2`.
requests==2.28.2 
$ pip install -r requirements.txt
...

$ pip freeze > requirements.txt   
$ cat requirements.txt # it will also find the transitive dependencies of `requests@2.28.2`.
certifi==2022.12.7
charset-normalizer==3.1.0
idna==3.4
PyJWT==2.1.0
requests==2.28.2
urllib3==1.26.15
```

pip freeze also resolves extras (optional) dependencies, such as `package[extras]==0.0.0`, into the concrete packages they pull in.

requirements.txt files don't record which dependencies are used only for development. Trivy may therefore report vulnerabilities in development packages that don't affect your production environment.

License detection

requirements.txt files don't contain license information. Trivy therefore reads the METADATA files of the installed packages in the lib/site-packages directory, so licenses are only found for packages that are actually installed in the scanned environment.

Trivy uses 3 ways to locate the site-packages directory:

  • Checks the VIRTUAL_ENV environment variable.
  • Detects the path to the python[^2] binary and checks the ../lib/pythonX.Y/site-packages directory.
  • Detects the path to the python[^2] binary and checks the ../../lib/site-packages directory.

Pipenv

Trivy parses Pipfile.lock and does not separate development dependencies from production ones. Trivy may therefore report vulnerabilities in development packages that don't affect your production environment.

License detection is not supported for Pipenv.

Poetry

Trivy uses poetry.lock to identify dependencies and find vulnerabilities. To build the correct dependency graph, pyproject.toml also needs to be present next to poetry.lock.

License detection is not supported for Poetry.

By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.

uv

Trivy uses uv.lock to identify dependencies and find vulnerabilities.

License detection is not supported for uv.

By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.

pylock

Trivy uses pylock.toml[^1] to identify dependencies and find vulnerabilities.

To identify direct dependencies and mark dev dependencies, pyproject.toml needs to be present next to pylock.toml.

License detection is not supported for pylock.

By default, Trivy doesn't report development dependencies. Use the --include-dev-deps flag to include them.

Packaging

Trivy parses the manifest files of installed packages when scanning container images and similar targets. See here for details.

Egg

Trivy looks for `*.egg-info`, `*.egg-info/METADATA`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO` to identify Python packages.

Wheel

Trivy looks for `.dist-info/METADATA` to identify Python packages.
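As an added example serving both the license-detection note under pip (Trivy reads METADATA files in site-packages) and the egg and wheel file patterns in this section, the following Python script walks a directory tree, picks up the manifest files listed here and extracts name, version and license information from them. It is not Trivy's code: the scan root stands in for the site-packages directory Trivy locates, the sample tree is constructed, the fields are read per the Python core-metadata header format, and which license fields (License, License-Expression, License classifiers) Trivy itself consults is an assumption.

```python
"""Read the installed-package manifests that the page says Trivy looks for in
container images and site-packages: *.dist-info/METADATA (wheel) and
*.egg-info, *.egg-info/METADATA, *.egg-info/PKG-INFO, EGG-INFO/PKG-INFO (egg).

Added example, not Trivy's code. The scan root stands in for the site-packages
directory Trivy locates via VIRTUAL_ENV or the python binary. Fields are read
per the Python core-metadata format (RFC 822-style headers); which license
fields Trivy itself consults is an assumption here. Zipped *.egg archives are
not opened; an unpacked one is covered by its EGG-INFO/PKG-INFO.
"""
import os
import tempfile
from dataclasses import dataclass
from email.parser import Parser
from pathlib import Path
from typing import Iterator, List, Tuple


@dataclass(frozen=True)
class InstalledPackage:
    name: str
    version: str
    licenses: Tuple[str, ...]
    manifest: str   # manifest path relative to the scanned root


def iter_manifests(root: Path) -> Iterator[Path]:
    """Yield every manifest file under root that matches the patterns above."""
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        egg_dir = d.name.endswith(".egg-info") or d.name == "EGG-INFO"
        for fn in sorted(filenames):
            if d.name.endswith(".dist-info") and fn == "METADATA":
                yield d / fn                       # wheel
            elif egg_dir and fn in ("METADATA", "PKG-INFO"):
                yield d / fn                       # egg-info directory or unpacked .egg
            elif fn.endswith(".egg-info"):
                yield d / fn                       # legacy single-file egg-info


def parse_manifest(path: Path, root: Path) -> InstalledPackage:
    """Extract Name, Version and license information from one manifest."""
    msg = Parser().parsestr(path.read_text(encoding="utf-8", errors="replace"))
    licenses: List[str] = []
    expr = msg.get("License-Expression")           # SPDX expression (PEP 639), newest form
    if expr:
        licenses.append(expr.strip())
    lic = msg.get("License")                       # free-text field, often "UNKNOWN"
    if lic and lic.strip() and lic.strip().upper() != "UNKNOWN":
        licenses.append(lic.strip())
    for c in msg.get_all("Classifier", []):        # "License :: OSI Approved :: MIT License"
        if c.startswith("License ::"):
            licenses.append(c.rsplit("::", 1)[-1].strip())
    return InstalledPackage(
        name=msg.get("Name", "").strip(),
        version=msg.get("Version", "").strip(),
        licenses=tuple(dict.fromkeys(licenses)),   # de-duplicate, keep order
        manifest=path.relative_to(root).as_posix(),
    )


def scan(root: Path) -> List[InstalledPackage]:
    """Inventory every installed package under root, sorted by name."""
    return sorted((parse_manifest(p, root) for p in iter_manifests(root)), key=lambda p: p.name)


# Constructed sample manifests, laid out as a Linux virtual environment would be.
SAMPLE_TREE = {
    "lib/python3.12/site-packages/requests-2.28.2.dist-info/METADATA": (
        "Metadata-Version: 2.1\nName: requests\nVersion: 2.28.2\nLicense: Apache 2.0\n"
        "Classifier: License :: OSI Approved :: Apache Software License\n\nLong description...\n"
    ),
    "lib/python3.12/site-packages/six-1.16.0.egg-info/PKG-INFO": (
        "Metadata-Version: 1.0\nName: six\nVersion: 1.16.0\nLicense: MIT\n"
    ),
    "lib/python3.12/site-packages/legacy_tool-0.1.egg-info": (
        "Metadata-Version: 1.0\nName: legacy-tool\nVersion: 0.1\nLicense: UNKNOWN\n"
        "Classifier: License :: OSI Approved :: BSD License\n"
    ),
    "lib/python3.12/site-packages/unpacked-0.9.egg/EGG-INFO/PKG-INFO": (
        "Metadata-Version: 1.0\nName: unpacked\nVersion: 0.9\nLicense-Expression: MIT OR Apache-2.0\n"
    ),
}


def demo() -> List[InstalledPackage]:
    """Materialise the sample tree in a temp dir, scan it and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_TREE.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan(root)


if __name__ == "__main__":
    for pkg in demo():
        print(f"{pkg.name}=={pkg.version}  licenses={list(pkg.licenses)}  ({pkg.manifest})")
```

Point `scan()` at a real site-packages directory (or an unpacked container layer) to see which packages carry no license metadata at all; those are the ones Trivy cannot classify from manifests alone.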

Footnotes

[^1]: Also pylock.<identifier>.toml per PEP 751.

[^2]: Trivy checks the python, python3, python2 and python.exe file names.