Wrote down everything I wish I knew earlier about Python supply chain security. Hash pinning, pip-audit, SBOMs, trusted publishing — the whole thing. Enjoy 🐍🔒 https://bernat.tech/posts/securing-python-supply-chain/
Defense in Depth: A Practical Guide to Python Supply Chain Security

A comprehensive guide to securing your Python dependencies from ingestion to deployment, covering linting, pinning, vulnerability scanning, SBOMs, and attestations

Bernát Gábor - Engineering & Open Source
@gaborbernat I really appreciate you doing this!
But?:
pip-audit: error: unrecognized arguments: --requirements
@nedbat let me check
@nedbat thanks for catching this, fixed it now (was an extra s there somehow) https://github.com/gaborbernat/bernat-tech/commit/4d1f94f1a5d10f9412574169a1ba4489438f2c4a
📝 docs(blog): fix pip-audit flag, add pylock.toml and pip v26 · gaborbernat/bernat-tech@4d1f94f

Fix --requirements (invalid) to --requirement across all pip-audit examples. Add pip v26 --uploaded-prior-to alongside uv --exclude-newer for time-based filtering. Add PEP 751 pylock.toml as the st...

GitHub
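Two things in this thread are worth having as a runnable check rather than a note to self: the hash pinning the post announces, and the pip-audit flag that tripped @nedbat (`--requirement`, singular). The script below is an added example, not code from bernat.tech, the thread, or the pip-audit project. It assumes pip's documented requirements-file syntax (`name==version` with backslash-continued `--hash=sha256:<hex>` options, as emitted by `pip-compile --generate-hashes`); the sample file and its hash values are constructed, and the `--require-hashes` and `--format` flags come from pip-audit's own help output, not from this thread.

```python
"""Verify a requirements file is fully version-pinned and sha256-hashed,
then build the pip-audit invocation with the correct --requirement flag.

Added example; assumes pip's requirements-file syntax. Sample data is constructed.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample: two hash-pinned entries and one unpinned, hashless entry.
# Hash values are placeholders, not real artifact digests.
SAMPLE_REQUIREMENTS = f"""\
# generated with: pip-compile --generate-hashes requirements.in
requests==2.32.3 \\
    --hash=sha256:{'0123456789abcdef' * 4} \\
    --hash=sha256:{'fedcba9876543210' * 4}
urllib3==2.2.2 \\
    --hash=sha256:{'0123456789abcdef' * 4}
# unpinned: resolves to whatever the index serves today, and pip cannot verify it
certifi
"""

_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([^\s;]+)")
_HASH_RE = re.compile(r"^--hash=sha256:([0-9a-f]{64})$")


@dataclass
class Finding:
    line: str
    problem: str


def logical_lines(text: str):
    """Yield requirement lines with comments dropped and backslash continuations joined."""
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield " ".join(buf)
        buf = []
    if buf:  # trailing continuation with no final line
        yield " ".join(buf)


def check_hash_pinning(text: str) -> list:
    """Return one Finding per problem: missing == pin, missing sha256 hash, malformed hash."""
    findings = []
    for line in logical_lines(text):
        tokens = shlex.split(line)
        spec, opts = tokens[0], tokens[1:]
        if not _PIN_RE.match(spec):
            findings.append(Finding(line, "not pinned with =="))
        good = [o for o in opts if _HASH_RE.match(o)]
        if not good:
            findings.append(Finding(line, "no sha256 --hash"))
        for opt in opts:
            if opt.startswith("--hash") and not _HASH_RE.match(opt):
                findings.append(Finding(line, f"malformed hash option {opt}"))
    return findings


def pip_audit_command(requirements_path: str, output: str = "json") -> list:
    """argv for auditing a requirements file; pip-audit rejects --requirements (plural)."""
    return [
        "pip-audit",
        "--requirement", requirements_path,   # singular: -r / --requirement
        "--require-hashes",                   # fail if any entry lacks a hash
        "--format", output,
    ]


if __name__ == "__main__":
    for f in check_hash_pinning(SAMPLE_REQUIREMENTS):
        print(f"{f.problem}: {f.line}")
    print(shlex.join(pip_audit_command("requirements.txt")))
```

Run the pinning check in CI before `pip-audit` so a missing hash fails the build for a reason you can read, rather than surfacing as a resolver error; the generated argv can be passed straight to `subprocess.run`.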