Overview
Vibgrate discovers Python projects by looking for requirements.txt, pyproject.toml, setup.py, and Pipfile manifests. It evaluates dependency version lag against PyPI.
What Gets Scanned
- Python version from .python-version, pyproject.toml, or runtime.txt
- All dependencies from requirements.txt, pyproject.toml, setup.py, or Pipfile
- Package version lag against the latest PyPI releases
- EOL risk for end-of-life Python versions
Quick Start
Vibgrate requires Node.js >= 20. Install it separately from your Python toolchain.
```bash
npm install -g @vibgrate/cli
vibgrate scan /path/to/python-project
```
Manifest Support
Vibgrate reads multiple Python manifest formats:
| Format | File | Notes |
|---|---|---|
| pip | requirements.txt | Standard pip freeze format |
| Poetry | pyproject.toml | [tool.poetry.dependencies] |
| PEP 621 | pyproject.toml | [project.dependencies] |
| Pipenv | Pipfile | Both [packages] and [dev-packages] |
| Setup.py | setup.py | install_requires |
Example Output
```bash
# Scan a Django project
vibgrate scan ./my-django-app
# JSON output for CI
vibgrate scan ./my-django-app --format json --out scan.json
```
CI Integration: GitLab CI
```yaml
vibgrate:
  image: node:20
  script:
    - npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
  artifacts:
    reports:
      sast: vibgrate.sarif
```
Next Steps
- Combine Python scanning with Node.js scanning in mixed-language repos
- Set up drift baselines and fitness functions to track improvement
- Explore SBOM export to generate CycloneDX or SPDX from your scan results