awesome-devops VS pip-audit

I would start with awesome devops and drill down there to which tools and projects are open source and in go. I know that Terraform is in go, Docker itself is in go, some projects that I use like Telegraf are in go too, but a comprehensive list of all tools that can be used by devops, that are open source and in go may be huge. Is better to get a very partial list and pick from there the ones you find more interesting, both in mission and in code.

github.com/wmariuss/awesome-devops

Not necessarily, it just depends on how invested you are in the CI/CD pipeline for any given project, your preferences regarding self-hosting vs. cloud, and the amount of time you have to dedicate to the subject.

Strictly speaking, any tool or set of tools that allow you to trigger building & deploying/publishing artifacts in response to source control commits can be used to build a CI/CD pipeline. One could write bash scripts linked to a cron job that pulls a remote repository every n minutes and then performs some scripted actions to integrate changes between branches before building & publishing the artifact to a local SFTP server.

If you prefer a more mature solution with better documentation however, there is a (non-exhaustive) list of CI/CD tools on this awesome-devops list:

https://github.com/wmariuss/awesome-devops#continuous-integr...

Next up is making sure, none of the dependencies used throughout the project brings with it any already identified security issue. The makefile target audit, invokes the handy tool pip-audit.

Here is my "one true" Makefile for Python projects[1]. The skeleton gets tweaked slightly each time, but it's served me well for 4+ years.

[1]: https://github.com/pypa/pip-audit/blob/main/Makefile

Why use this over the established https://pypi.org/project/pip-audit/ ?

https://pypi.org/project/pip-audit/ details usage and the GitHub Action install.

If it's pure Python, the only packaging file you need is `pyproject.toml`. You can fill that file with packaging metadata per PEP 518 and PEP 621, including using modern build tooling like flit[1] for the build backend and build[2] for the frontend.

With that, you entire package build (for all distribution types) should be reducible to `python -m build`. Here's an example of a full project doing everything with just `pyproject.toml`[3] (FD: my project).

[1]: https://github.com/pypa/flit

[2]: https://github.com/pypa/build

[3]: https://github.com/pypa/pip-audit

- repo: https://github.com/trailofbits/pip-audit rev: v2.4.3 hooks: - id: pip-audit args: [ "-r", "requirements.txt" ] ci: # Leave pip-audit to only run locally and not in CI # pre-commit.ci does not allow network calls skip: [ pip-audit ]

This is really nicely written; kudos to the author for compiling a great deal of information in a readable format.

If I can be forgiven one nitpick: Poetry does not use a PEP 518-style[1] build configuration by default, which means that its use of `pyproject.toml` is slightly out of pace with the rest of the Python packaging ecosystem. That isn't to say that it isn't excellent, because it is! But you the standards have come a long way, and you can now use `pyproject.toml` with any build backend as long as you use the standard metadata.

By way of example, here's a project that's completely PEP 517 and PEP 518 compatible without needing a setup.py or setup.cfg[2]. Everything goes through pyproject.toml.

[1]: https://peps.python.org/pep-0518/

[2]: https://github.com/trailofbits/pip-audit/blob/main/pyproject...

Checking could be done if something like this eventually shows up in safety or pip-audit.

Something like python's pip-audit. For commercial solutions I know there's Snyk and Jfrog we can always purchase, but I'm interested to see if there's an open-source tool that can do this.