# pipenv (python ecosystem)
Bomly uses this chain when it finds pipenv evidence.
| Property | Value |
|---|---|
| Package manager | pipenv |
| Ecosystem | python |
| Detector chain | pipenv-detector, syft-detector |
| Evidence patterns | Pipfile, Pipfile.lock |
| Install-first support | Yes |
| Native command hints | pipenv, syft for bomly-lite |
## How pipenv resolves

pipenv-detector is hybrid: it prefers `pipenv run pip inspect` when a Pipenv virtualenv exists and falls back to parsing `Pipfile.lock` directly when the venv is missing.
| Path | Strategy | Command |
|---|---|---|
| Venv present | Build tool | pipenv run python -m pip inspect |
| No venv | Lockfile parser | Parse Pipfile.lock (no exec) |
## Network behavior

✅ Both paths are offline-safe. `pip inspect` reads from the local virtualenv; the lockfile parser reads a committed file.
## Prerequisites

- One of:
  - A Pipenv-managed virtualenv (run `pipenv install` once and Bomly can inspect it), or
  - A committed `Pipfile.lock`.
- For `--install-first`: `pipenv` on `PATH`.
## `--install-first`

pipenv supports `--install-first`. When passed, Bomly runs `pipenv install` before resolving the graph.

⚠️ `--install-first` downloads packages from PyPI and creates or updates the Pipenv-managed virtualenv. Use it on a clean checkout.

```bash
bomly scan --install-first
```
### Customizing the install command

Append flags to `pipenv install` with the repeatable `--install-arg`. Requires `--detectors pipenv-detector`.

```bash
# Include dev dependencies; fail fast on lockfile drift
bomly scan --install-first --detectors pipenv-detector \
  --install-arg --dev --install-arg --deploy
```
## Reachability (experimental)

Experimental. Reachability is opt-in via `--analyze`. The feature is stable in shape but may evolve; ecosystem coverage is expanding.
For Pipenv-managed packages, the analyzer is pyreach at Tier-3 (package). See REACHABILITY.md.
## Limitations

- Pipenv 2024+ lock format is preferred; older formats parse but with reduced detail.
- `[dev-packages]` is recorded with `development` scope.