# pip (python ecosystem)
Bomly uses this chain when it finds pip evidence.
| Property | Value |
|---|---|
| Package manager | pip |
| Ecosystem | python |
| Detector chain | pip-detector, syft-detector |
| Evidence patterns | requirements.txt, requirements-dev.txt, requirements.in, requirements.lock, *requirements*.txt |
| Install-first support | Yes |
| Native command hints | pip, syft for bomly-lite |
## How pip resolves
pip-detector does not parse requirements.txt directly. Instead it asks the active Python environment what is currently installed:
| Step | Command | Working dir |
|---|---|---|
| Resolve graph | python -m pip inspect | the project root |
pip inspect returns a JSON document describing every package installed in the Python environment Bomly invokes, along with its declared dependencies. Bomly builds the graph from that.
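To make the resolution step concrete, here is an added Python example (not Bomly's own code) that does what the text describes: it takes a `pip inspect` document, normalizes distribution names, derives graph edges from each package's declared `requires_dist`, and separately reports dependencies that are declared but not installed in the environment, which is the situation behind the "only sees what is installed" caveat. The JSON sample is constructed to mirror the shape of `pip inspect` output, trimmed to the fields used; `inspect_environment` shells out to the real `python -m pip inspect` command for use against a live environment. Function names are the example's own.

```python
"""Build a dependency graph from `pip inspect` output (added example, not Bomly code)."""
import json
import re
import subprocess
import sys


def normalize(name: str) -> str:
    """PEP 503 normalisation so "Charset_Normalizer" and "charset-normalizer" match."""
    return re.sub(r"[-_.]+", "-", name).lower()


# A requirement string ('urllib3<3,>=1.21.1', 'PySocks>=1.5.6; extra == "socks"')
# starts with the distribution name; everything after it is specifier or marker.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def requirement_name(req: str):
    """Return the normalised distribution name a requirement string refers to."""
    m = _NAME_RE.match(req)
    return normalize(m.group(1)) if m else None


def is_extra_only(req: str) -> bool:
    """True when the dependency is gated behind an extra (not pulled in by a plain install)."""
    if ";" not in req:
        return False
    marker = req.split(";", 1)[1]
    return "extra ==" in marker


def build_graph(inspect_doc: dict):
    """Return (installed versions, edges, unresolved) from a pip inspect document.

    edges maps a package to the installed packages it depends on;
    unresolved maps a package to dependencies it declares that are NOT installed.
    An environment with nothing installed yields three empty dicts.
    """
    versions, declared = {}, {}
    for entry in inspect_doc.get("installed", []):
        md = entry["metadata"]
        name = normalize(md["name"])
        versions[name] = md["version"]
        declared[name] = md.get("requires_dist") or []

    edges, unresolved = {}, {}
    for name, reqs in declared.items():
        deps = set()
        for req in reqs:
            if is_extra_only(req):
                continue
            dep = requirement_name(req)
            if dep is None:
                continue
            if dep in versions:
                deps.add(dep)
            else:
                unresolved.setdefault(name, set()).add(dep)
        edges[name] = sorted(deps)
    return versions, edges, unresolved


def inspect_environment(python: str = sys.executable) -> dict:
    """Run the real `python -m pip inspect` in the given interpreter and parse its JSON."""
    out = subprocess.run([python, "-m", "pip", "inspect"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample shaped like pip inspect output (only the fields used above).
SAMPLE = {
    "version": "1",
    "installed": [
        {"metadata": {"name": "requests", "version": "2.32.4",
                      "requires_dist": ["charset_normalizer<4,>=2", "idna<4,>=2.5",
                                        "urllib3<3,>=1.21.1", "certifi>=2017.4.17",
                                        'PySocks!=1.5.7,>=1.5.6; extra == "socks"']}},
        {"metadata": {"name": "urllib3", "version": "2.2.2", "requires_dist": []}},
        {"metadata": {"name": "idna", "version": "3.7"}},
        {"metadata": {"name": "charset-normalizer", "version": "3.3.2"}},
    ],
}

if __name__ == "__main__":
    versions, edges, unresolved = build_graph(SAMPLE)
    for pkg, deps in edges.items():
        print(f"{pkg}=={versions[pkg]} -> {deps}")
    if unresolved:
        print("declared but not installed:", unresolved)
```

In the constructed sample, `certifi` is declared by `requests` but absent from the environment, so it shows up under `unresolved` rather than as a graph edge; a scanner working only from `pip inspect` cannot report a version for it until it is installed.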
## Network behavior
✅ The default pip-detector is fully offline-safe. pip inspect reads from the local Python environment and makes no network calls.
⚠️ It only sees what is installed. If you have not run pip install -r requirements.txt (or equivalent) in the current environment, the inspection returns an empty graph and the scan will produce no packages for the project.
## Prerequisites

- `python` on `PATH` with `pip` installed (`python -m pip --version` must work).
- The project's dependencies must already be installed in the active Python environment. The detector inspects whatever virtualenv / system Python is reachable.
- A `requirements.txt`, `requirements-dev.txt`, `requirements.in`, `requirements.lock`, or any `*requirements*.txt` file in the scan path acts as the evidence pattern that triggers `pip-detector`.
## `--install-first`

pip supports `--install-first`. When passed, Bomly runs `python -m pip install -r <requirements-file>` before the inspection. It will additionally install `requirements-dev.txt` if that file is present alongside the primary requirements file.

⚠️ `--install-first` downloads packages from PyPI and writes to the active Python environment. Use it in CI on a clean checkout where dependencies have not been installed yet.

```shell
bomly scan --install-first
```
The requirements file Bomly installs is chosen automatically from common names. If you have a non-standard layout, use a virtualenv that already has the dependencies installed and skip --install-first.
### Customizing the install command

Append flags to `python -m pip install -r <requirements>` with repeatable `--install-arg`. Requires `--detectors pip-detector`.

```shell
# Install from a private index in CI
bomly scan --install-first --detectors pip-detector \
  --install-arg --index-url --install-arg https://pypi.example.com/simple

# Honor hash-checking mode declared in requirements.txt
bomly scan --install-first --detectors pip-detector \
  --install-arg --require-hashes
```
## Examples

### Fix a direct vulnerability

Pin in `requirements.txt`:

```
requests==2.32.4
```
pip install -r requirements.txt then re-scan.
### Pin a transitive vulnerability

With pip-tools, add a constraint:

```
# constraints.txt
urllib3>=2.2.2
```

```shell
pip-compile --constraint constraints.txt requirements.in
pip install -r requirements.txt
```
Re-scan.
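Because `pip-detector` reads the installed environment rather than the requirements file, it is easy to bump a pin or constraint and forget to reinstall before re-scanning. The following added Python example (not Bomly's or pip-tools' code) is a pre-check for the two cases above: it parses `==` pins and `>=` lower bounds from requirements or constraints text and compares them against a map of fixed versions. The requirements text and the `FIXED` map are constructed sample data; version comparison is on numeric release segments only, so pre-release tags are ignored.

```python
"""Check requirements/constraints pins against fixed versions (added example, not Bomly code)."""
import re


def normalize(name: str) -> str:
    """PEP 503 normalisation of a distribution name."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple:
    """Numeric release segments only: "2.32.4" -> (2, 32, 4); pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


# Matches "name==1.2.3" (a pin) or "name>=1.2.3" (a lower bound, as used in constraints.txt).
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=)\s*([0-9][0-9A-Za-z.]*)")


def parse_pins(text: str) -> dict:
    """Map normalised name -> (operator, version) for each pinned/bounded line.

    Comments, blank lines and option lines such as "-r base.txt" are skipped.
    """
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = (m.group(2), m.group(3))
    return pins


def below_fix(pins: dict, fixed: dict) -> list:
    """Return (name, current spec or None, fixed version) for every package whose
    pin or lower bound is missing or lower than the fixed version."""
    findings = []
    for name, fixver in fixed.items():
        op, ver = pins.get(normalize(name), (None, None))
        if ver is None:
            findings.append((name, None, fixver))          # neither pinned nor constrained
        elif parse_version(ver) < parse_version(fixver):
            findings.append((name, f"{op}{ver}", fixver))  # pinned/bounded below the fix
    return findings


# Constructed sample files.
REQUIREMENTS = """# requirements.txt (constructed)
requests==2.31.0
urllib3==2.2.1   # transitive, pinned by pip-compile
idna>=3.7
-r base.txt
"""
CONSTRAINTS = """# constraints.txt (constructed)
urllib3>=2.2.2
"""
# Constructed map of package -> first fixed version; a real one would come from advisories.
FIXED = {"requests": "2.32.4", "urllib3": "2.2.2", "idna": "3.7", "certifi": "2024.7.4"}

if __name__ == "__main__":
    before = below_fix(parse_pins(REQUIREMENTS), FIXED)
    pins = parse_pins(REQUIREMENTS)
    pins.update(parse_pins(CONSTRAINTS))   # a constraint overrides the compiled pin
    after = below_fix(pins, FIXED)
    print("before constraint:", before)
    print("after constraint: ", after)
```

A clean result here only means the files allow a fixed version; the environment Bomly inspects still has to be reinstalled (`pip install -r requirements.txt`) before the re-scan reflects it.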
## Reachability (experimental)

Experimental. Reachability is opt-in via `--analyze`. The feature is stable in shape but may evolve; ecosystem coverage is expanding.
For pip-managed packages, the analyzer is pyreach at Tier-3 (package). It walks every .py file under the project root, records imports, and maps module names to PyPI distribution names. See REACHABILITY.md and the module-to-distribution map in internal/analyzers/pyreach/moduletodist.go.
## Limitations

- No environment, no graph. Unlike a lockfile parser, `pip-detector` needs the dependencies to already be installed. Use `--install-first` to install in CI, or pre-install in your virtualenv before scanning.
- Multiple Python environments require pointing Bomly at the right `python`. The detector uses the first `python` on `PATH`; activate the virtualenv before running Bomly, or pass `PYTHON_BIN` if you set up that env var in your environment.
- Editable installs (`pip install -e ./local-pkg`) are reflected in the inspection; their internal dependencies come from the local package's metadata.