Skip to main content
To correctly scan all dependencies in a project, Semgrep Supply Chain requires a Python lockfile: a file with specific versions of all dependencies. This article describes methods to generate the following supported Python lockfiles:
  • requirements.txt
  • Pipfile.lock
  • Poetry.lock
You can use any of these files to get a successful Semgrep Supply Chain scan. Since Semgrep 1.93.0, a requirements.txt file can be placed in a **/requirements/ folder, or can have any name that matches *requirement*.txt or *requirement*.pip.

Generating requirements.txt

Using requirements.in

PREREQUISITES
  • A requirements.in file with direct Python packages. Do not include transitive packages in requirements.in.
  • pip-tools must be installed on your machine. See the pip-tools GitHub repository for installation instructions.
To generate a requirements.txt file from requirements.in, enter the following command in the root of your project directory:
Now, you have successfully generated a requirements.txt file with direct and transitive dependencies that Semgrep Supply Chain can scan.

Example of requirements.txt generated from requirements.in

Given the following example project Binder examples, the requirements.in file contains the following direct dependencies:
Executing the command pip-compile -o requirements.txt, generates the following requirements.txt:
This file has all direct and transitive dependencies of the example project and can be used by Semgrep as an entry point for the Supply Chain scan.

Using pip freeze

PREREQUISITES
  • The pip freeze utility uses dependencies from packages already installed in your current environment to generate requirements.txt. You must be in an isolated or virtual environment.
  • An existing setup.py file.
To generate requirements.txt through pip freeze, enter the following commands:

Example CI configuration

The following GitHub Actions workflow provides an example on how to generate requirements.txt in a CI environment based on the preceding methods. In the following example there are two jobs:
  • my_first_job: Generating requirements.txt and uploading it as an artifact
  • my_second_job: Downloading the artifact and scanning it with Semgrep

Generating Pipfile.lock

PREREQUISITEAn existing Pipfile. Depending on your development environment, a Pipfile may already be automatically generated for you.

Example of Pipfile

Generating a Pipfile.lock

Generate a Pipfile.lock with the following commands:
The newly generated Pipfile.lock is a JSON file with all Python dependencies (direct and transitive) and their sha256 code. The beginning of the file may look something like this:

Generating Poetry.lock

Poetry is a tool for dependency management and packaging in Python.
PREREQUISITEA pyproject.toml file.

Example pyproject.toml

Generating a Poetry.lock

Generate a Poetry.lock file with the following command:
The generated Poetry.lock file contains all transitive and direct dependencies that the project uses.

Selecting a single file among many

While there may already be a lockfile in the repository, such as a Pipfile.lock, you may want to generate a new one, for example a requirements.txt, to be sure it has the latest dependencies. When scanning with Semgrep Supply Chain, you can use the flag --include to specify that only a single lockfile should be scanned. The manifest file must still have one of the supported names.
However, if you have multiple requirements.txt files that are in supported locations, you do not need to generate a new unified lockfile. Semgrep will scan files from all supported locations.

Conclusions

There are several ways to generate lockfiles for Python dependencies. Depending on your preferences, you can select one or another. Keep in mind that the file should be generated before the Semgrep scan and within the proper environment. This ensures that you are scanning only the dependencies of your project and not all the Python dependencies of your system.