Metadata-Version: 2.1
Name: vet
Version: 0.1.1
Summary: 
Author: Rafael Irgolic
Author-email: hello@irgolic.com
Requires-Python: >=3.12,<4.0
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.12
Requires-Dist: msgspec (>=0.18.6,<0.19.0)
Requires-Dist: poetry (>=1.8.2,<2.0.0)
Requires-Dist: tomli-w (>=1.0.0,<2.0.0)
Description-Content-Type: text/markdown

<div align="center">

# `vet`

A poetry plugin for establishing chain of trust  
Inspired by [cargo-vet](https://github.com/mozilla/cargo-vet)

</div>

## Installation

Depending on how you installed poetry, you may need to install `vet` in a different way.

If you used the self-installer:

```bash
poetry self add vet
```

If you used pipx:

```bash
pipx inject poetry vet
```

If you used pip:

```bash
pip install vet
```

For more information and troubleshooting, see the [poetry plugin installation docs](https://python-poetry.org/docs/plugins/#using-plugins).

## Usage

### Initialization

Initialize `vet` in your project:

```bash
poetry vet init
```

This will create a [`chain-of-trust` directory](chain-of-trust/) in your project.
See the [generated README](chain-of-trust/README.md) for more information on how to configure `vet`.


### Running checks

To audit your project dependencies, run:

```bash
poetry vet
```

Each dependency is trusted as either **safe to run** or **safe to deploy**.
Upon initialization, every dependency in the `poetry.lock` file is exempted and deemed **safe to run**.

To vet dependencies as **safe to deploy**, run:

```bash
poetry vet --safe-to-deploy
```

### Importing Audits

Modify the `config.toml` file as per the example in [the generated README](chain-of-trust/README.md#imports).

Then run:

```bash
poetry vet lock
```

This will download the audits from the trusted sources specified in the `config.toml` file and store them in the `import.lock` file.

### Auditing

Audit dependencies manually by adding entries in the `audits.toml` file as per the example in [the generated README](chain-of-trust/README.md#audit-file-auditstoml).

## Background

This was thrown together in an afternoon; after the [xz backdoor](https://boehs.org/node/everything-i-know-about-the-xz-backdoor), I thought we needed better visibility into our dependency trees.

