GitHub - irgolic/vet: A poetry plugin for establishing chain of trust


vet


A poetry plugin for establishing a chain of trust over your dependencies.
Inspired by cargo-vet.

> poetry vet
...
👍 pexpect-4.9.0 matches exemption
👍 pkginfo-1.10.0 matches exemption
✅ platformdirs-4.2.0 passes our audit
✅ pluggy-1.4.0 passes our audit
✅ poetry-1.8.2 passes audit by TrustedOrg
✅ pyright-1.1.356 passes audit by OtherTrustedOrg
...

Background

After details of the xz backdoor came out, I thought we needed better visibility into our dependency trees.

This first iteration of vet is an MVP. Should vet accrue interest, next steps are:

  • Support for auditing version deltas
  • CLI tools for auditing and importing audits (instead of manual editing)
  • More robust testing

If you're interested in vet, or more generally in securing software supply chains, reach out on Discord.

Installation

Depending on how you installed poetry, you may need to install vet in a different way.

If you used the self-installer:

If you used pipx:

If you used pip:

For more information and troubleshooting, see the poetry plugin installation docs.

Usage

Initialization

Initialize vet in your project:

This will create a chain-of-trust directory in your project. See the generated README for more information on how to configure vet.

Running checks

To audit your project dependencies, run:

Each dependency is vetted against one of two criteria: safe to run or safe to deploy. Upon initialization, every dependency in the poetry.lock file is recorded as an exemption, deemed safe to run.

To vet dependencies as safe to deploy, run:

poetry vet --safe-to-deploy

For an example of how to run vet in GitHub CI, see the ci.yml file in this repository.

Importing Audits

Modify the config.toml file as per the example in the generated README.

Then run:

This will download the audits from the trusted sources specified in the config.toml file and store them in the import.lock file.

Auditing

Audit dependencies manually by adding entries in the audits.toml file as per the example in the generated README.
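The following is an added illustration of the check described under "Running checks", "Importing Audits" and "Auditing" above; it is not vet's own code. It models the three sources of trust the README names (the exemptions written at initialization, your own entries in audits.toml, and audits imported from trusted sources into import.lock) and resolves each locked package against the requested criterion. The in-memory tables, the ordering in which sources are consulted, and the assumption that "safe-to-deploy" implies "safe-to-run" (as in cargo-vet) are all assumptions of this example, not vet's real schema or behaviour.

```python
"""Toy model of a chain-of-trust dependency check in the spirit of `poetry vet`.

Added example, not vet's own code. The table layouts below are constructed to
mirror the README's description and are assumptions, not vet's real file format.
"""
from dataclasses import dataclass

# Assumption (borrowed from cargo-vet semantics): safe-to-deploy is the stronger
# criterion and therefore also satisfies a safe-to-run requirement.
CRITERIA_RANK = {"safe-to-run": 1, "safe-to-deploy": 2}


def satisfies(granted: str, required: str) -> bool:
    """True if an audit/exemption granting `granted` covers the `required` level."""
    return CRITERIA_RANK[granted] >= CRITERIA_RANK[required]


@dataclass(frozen=True)
class Verdict:
    name: str
    version: str
    ok: bool
    reason: str


# Constructed sample lock file: (package, exact version). Trust is keyed on the
# exact version, so a bumped dependency falls out of trust until re-audited.
LOCK = [
    ("pexpect", "4.9.0"),
    ("platformdirs", "4.2.0"),
    ("poetry", "1.8.2"),
    ("pyright", "1.1.356"),
    ("leftpad", "0.1.0"),  # constructed: nobody has vouched for this one
]

# Constructed stand-ins for the exemptions, audits.toml and import.lock contents.
EXEMPTIONS = {("pexpect", "4.9.0"): "safe-to-run"}
OWN_AUDITS = {("platformdirs", "4.2.0"): "safe-to-deploy"}
IMPORTED_AUDITS = {
    "TrustedOrg": {("poetry", "1.8.2"): "safe-to-deploy"},
    "OtherTrustedOrg": {("pyright", "1.1.356"): "safe-to-run"},
}


def init_exemptions(lock):
    """Mirror initialization: every locked package becomes a safe-to-run exemption."""
    return {(name, version): "safe-to-run" for name, version in lock}


def check_package(name, version, required, exemptions, own_audits, imported_audits):
    """Resolve one package: own audit first, then imported audits, then exemptions."""
    key = (name, version)
    if key in own_audits and satisfies(own_audits[key], required):
        return Verdict(name, version, True, "passes our audit")
    for source, audits in imported_audits.items():
        if key in audits and satisfies(audits[key], required):
            return Verdict(name, version, True, f"passes audit by {source}")
    if key in exemptions and satisfies(exemptions[key], required):
        return Verdict(name, version, True, "matches exemption")
    return Verdict(name, version, False, f"no audit or exemption for {required}")


def vet(lock, required="safe-to-run", exemptions=None, own_audits=None,
        imported_audits=None):
    """Check every locked package; returns a list of Verdicts in lock order."""
    exemptions = EXEMPTIONS if exemptions is None else exemptions
    own_audits = OWN_AUDITS if own_audits is None else own_audits
    imported_audits = IMPORTED_AUDITS if imported_audits is None else imported_audits
    return [check_package(n, v, required, exemptions, own_audits, imported_audits)
            for n, v in lock]


def failures(verdicts):
    """Packages that did not meet the requested criterion (non-empty => CI should fail)."""
    return [v for v in verdicts if not v.ok]


def format_report(verdicts):
    """Render verdicts in the style of the README's sample output."""
    icons = {"matches exemption": "👍"}
    lines = []
    for v in verdicts:
        icon = "❌" if not v.ok else icons.get(v.reason, "✅")
        lines.append(f"{icon} {v.name}-{v.version} {v.reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("# poetry vet")
    print(format_report(vet(LOCK)))
    print("# poetry vet --safe-to-deploy")
    print(format_report(vet(LOCK, "safe-to-deploy")))
```

Two things the toy makes visible that the prose only implies: an exemption or a "safe-to-run" audit is not enough once you ask for `--safe-to-deploy`, so the stricter run fails packages the default run accepts; and because every table is keyed on the exact version, a routine `poetry update` silently drops the updated packages out of trust, which is what the "auditing version deltas" item in the roadmap would address.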