# Python
Trivy supports three types of Python package managers: `pip`, `Pipenv` and `Poetry`.

The following scanners are supported for package managers.

| Package manager | SBOM | Vulnerability | License |
|-----------------|:----:|:-------------:|:-------:|
| pip | ✓ | ✓ | ✓ |
| Pipenv | ✓ | ✓ | - |
| Poetry | ✓ | ✓ | - |
| uv | ✓ | ✓ | - |

In addition, Trivy supports three formats of Python packages: `egg`, `wheel` and `conda`.
The following scanners are supported for Python packages.

| Packaging | SBOM | Vulnerability | License |
|-----------|:----:|:-------------:|:-------:|
| Egg | ✓ | ✓ | ✓ |
| Wheel | ✓ | ✓ | ✓ |
| Conda | ✓ | - | - |
The following table provides an outline of the features Trivy offers.

| Package manager | File | Transitive dependencies | Dev dependencies | [Dependency graph][dependency-graph] | Position | [Detection Priority][detection-priority] |
|-----------------|------------------|:-----------------------:|:----------------:|:------------------------------------:|:--------:|:----------------------------------------:|
| pip | requirements.txt | - | Include | - | ✓ | ✓ |
| Pipenv | Pipfile.lock | ✓ | Include | - | ✓ | Not needed |
| Poetry | poetry.lock | ✓ | [Exclude](#poetry) | ✓ | - | Not needed |
| uv | uv.lock | ✓ | [Exclude](#uv) | ✓ | - | Not needed |

| Packaging | Dependency graph |
| --------- | :--------------: |
| Egg | ✓ |
| Wheel | ✓ |
These may be enabled or disabled depending on the target.
See [here](./index.md) for details.

## Package managers
Trivy parses the files generated by package managers during filesystem/repository scanning.

### pip

#### Dependency detection

By default, Trivy only parses [version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/#id5) with the `==` comparison operator and without `.*`.
Using the [--detection-priority comprehensive][detection-priority] option ensures that the tool establishes a minimum version, which is particularly useful in scenarios where identifying the exact version is challenging.
In that case Trivy also parses the `>=` and `~=` specifiers and a trailing `.*`.
```
keyring >= 4.1.1 # Minimum version 4.1.1
Mopidy-Dirble ~= 1.1 # Minimum version 1.1
python-gitlab==2.0.* # Minimum version 2.0.0
```
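As an added illustration (not code from the Trivy project), the following Python functions apply the rule just described to `requirements.txt` lines: in default mode only `==` pins without `.*` yield a version, while comprehensive mode also turns `>=`, `~=` and a trailing `.*` into a minimum version. The function names and the sample requirements file are constructed for this example.

```python
import re
from typing import Optional

# One requirement line: name, optional [extras], a comparison operator and a
# version; environment markers (";") and comments ("#") end the version.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|>=|<=|!=|>|<)\s*(?P<ver>[^\s;#]+)"
)

def minimum_version(line: str, comprehensive: bool = False) -> Optional[tuple]:
    """Return (name, minimum version) for one requirements.txt line, or None
    when the specifier is not accepted in the selected detection mode."""
    m = _REQ_RE.match(line.split("#", 1)[0].strip())  # drop trailing comment
    if not m:
        return None
    name, op, ver = m.group("name"), m.group("op"), m.group("ver")
    wildcard = ver.endswith(".*")
    if op == "==" and not wildcard:
        return name, ver  # exact pin: the only form parsed by default
    if not comprehensive:
        return None
    if op == "==" and wildcard:
        return name, ver[:-2] + ".0"  # e.g. 2.0.* -> minimum 2.0.0
    if op in (">=", "~="):
        return name, ver  # lower bound of the allowed range
    return None  # <, <=, != and === give no usable minimum

def parse_requirements(text: str, comprehensive: bool = False) -> dict:
    """Map package name to the detected minimum version for a whole file."""
    found = {}
    for line in text.splitlines():
        hit = minimum_version(line, comprehensive)
        if hit:
            found[hit[0]] = hit[1]
    return found

# Constructed sample file mixing the specifier kinds discussed above.
SAMPLE_REQUIREMENTS = """\
keyring >= 4.1.1      # minimum 4.1.1, comprehensive mode only
Mopidy-Dirble ~= 1.1  # minimum 1.1, comprehensive mode only
python-gitlab==2.0.*  # minimum 2.0.0, comprehensive mode only
requests==2.28.2      # exact pin, detected in both modes
PyJWT[crypto]==2.1.0  # extras are ignored, the pin is kept
urllib3<2             # upper bound only: never detected
"""
```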

Unsupported version specifiers can also be converted to exact pins: use the `pip-compile` tool (which does not install the packages),
or run `pip freeze` from the virtual environment where the requirements are already installed.

```bash
$ cat requirements.txt
boto3~=1.24.60
click>=8.0
json-fix==0.5.*
$ pip install -r requirements.txt
...
$ pip freeze > requirements.txt
$ cat requirements.txt
boto3==1.24.96
botocore==1.27.96
click==8.1.7
jmespath==1.0.1
json-fix==0.5.2
python-dateutil==2.8.2
s3transfer==0.6.2
setuptools==69.0.2
six==1.16.0
urllib3==1.26.18
wheel==0.42.0
```

`requirements.txt` files usually contain only the direct dependencies, not the transitive dependencies.
Therefore, Trivy scans only for the direct dependencies with `requirements.txt`.
To detect transitive dependencies as well, you need to generate a `requirements.txt` that contains them.
As described above, you can do it with `pip freeze` or `pip-compile`.

```zsh
$ cat requirements.txt # it will only find `requests@2.28.2`.
requests==2.28.2
$ pip install -r requirements.txt
...
$ pip freeze > requirements.txt
$ cat requirements.txt # it will also find the transitive dependencies of `requests@2.28.2`.
certifi==2022.12.7
charset-normalizer==3.1.0
idna==3.4
PyJWT==2.1.0
requests==2.28.2
urllib3==1.26.15
```
`pip freeze` also helps to resolve [extras](https://packaging.python.org/en/latest/tutorials/installing-packages/#installing-extras) (optional) dependencies (like `package[extras]==0.0.0`).
`requirements.txt` files don't contain information about dependencies used for development.
Trivy could therefore detect vulnerabilities in development packages that do not affect your production environment.

#### License detection
#### License detection
`requirements.txt` files don't contain information about licenses.
Therefore, Trivy checks `METADATA` files from the `lib/site-packages` directory.
Trivy uses 3 ways to detect the `site-packages` directory:
- Checks the `VIRTUAL_ENV` environment variable.
- Detects the path to the `python`[^1] binary and checks the `../lib/pythonX.Y/site-packages` directory.
- Detects the path to the `python`[^1] binary and checks the `../../lib/site-packages` directory.

### Pipenv
Trivy parses `Pipfile.lock`.
`Pipfile.lock` files don't contain information about dependencies used for development.
Trivy could therefore detect vulnerabilities in development packages that do not affect your production environment.
License detection is not supported for `Pipenv`.
### Poetry
Trivy uses `poetry.lock` to identify dependencies and find vulnerabilities.
To build the correct dependency graph, `pyproject.toml` also needs to be present next to `poetry.lock` .
License detection is not supported for `Poetry`.
By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.

### uv
Trivy uses `uv.lock` to identify dependencies and find vulnerabilities.
License detection is not supported for `uv`.
By default, Trivy doesn't report development dependencies. Use the `--include-dev-deps` flag to include them.

## Packaging
Trivy parses the manifest files of installed packages in container image scanning and similar targets.
See [here](https://packaging.python.org/en/latest/discussions/package-formats/) for details.

### Egg
Trivy looks for `*.egg-info`, `*.egg-info/METADATA`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO` to identify Python packages.

### Wheel
Trivy looks for `.dist-info/METADATA` to identify Python packages.
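As an added example (not Trivy's own code), the following Python code ties the license detection described under pip to the egg and wheel layouts above: it walks a directory tree for the metadata file names this page lists and reads name, version and license information from the core-metadata headers. The sample site-packages tree it builds under a temporary directory is constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Metadata file locations named above for wheel and egg installs.
_METADATA_PATTERNS = (
    re.compile(r"\.dist-info/METADATA$"),
    re.compile(r"\.egg-info/(METADATA|PKG-INFO)$"),
    re.compile(r"(^|/)EGG-INFO/PKG-INFO$"),
)

def parse_core_metadata(text: str) -> dict:
    """Read Name, Version and licenses (License field and 'License ::' classifiers) from the headers."""
    info = {"name": None, "version": None, "licenses": []}
    for raw in text.splitlines():
        if not raw.strip():
            break  # first blank line ends the headers; the description follows
        key, _, value = raw.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name":
            info["name"] = value
        elif key == "version":
            info["version"] = value
        elif key == "license" and value and value.upper() != "UNKNOWN":
            info["licenses"].append(value)
        elif key == "classifier" and value.startswith("License ::"):
            info["licenses"].append(value.split("::")[-1].strip())
    return info

def find_packages(root: Path) -> list:
    """Walk a filesystem tree and parse every package metadata file found (a bare *.egg-info file counts)."""
    found = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        is_meta = path.name.endswith(".egg-info") or any(p.search(rel) for p in _METADATA_PATTERNS)
        if path.is_file() and is_meta:
            found.append(parse_core_metadata(path.read_text(encoding="utf-8", errors="replace")))
    return found

def build_sample_tree() -> Path:
    """Constructed sample site-packages: one wheel install and one egg install."""
    site = Path(tempfile.mkdtemp()) / "usr/lib/python3.11/site-packages"
    (site / "requests-2.28.2.dist-info").mkdir(parents=True)
    (site / "requests-2.28.2.dist-info/METADATA").write_text(
        "Name: requests\nVersion: 2.28.2\nLicense: Apache 2.0\n"
        "Classifier: License :: OSI Approved :: Apache Software License\n\nHTTP for Humans.\n")
    (site / "six-1.16.0.egg-info").mkdir()
    (site / "six-1.16.0.egg-info/PKG-INFO").write_text("Name: six\nVersion: 1.16.0\nLicense: MIT\n")
    return site
```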

[^1]: Trivy checks `python`, `python3`, `python2` and `python.exe` file names.

[dependency-graph]: ../../configuration/reporting.md#show-origins-of-vulnerable-dependencies
[detection-priority]: ../../scanner/vulnerability.md#detection-priority