Getting Started: Python Projects

Scan Python projects for dependency drift using requirements.txt, pyproject.toml, and other Python manifests with the Vibgrate CLI.

Overview

Vibgrate discovers Python projects by looking for requirements.txt, pyproject.toml, setup.py, and Pipfile manifests. It evaluates dependency version lag against PyPI.

What Gets Scanned

  • Python version from .python-version, pyproject.toml, or runtime.txt
  • All dependencies from requirements.txt, pyproject.toml, setup.py, or Pipfile
  • Package version lag against the latest PyPI releases
  • EOL risk for end-of-life Python versions

Quick Start

Vibgrate requires Node.js >= 20. Install it separately from your Python toolchain.

npm install -g @vibgrate/cli
vibgrate scan /path/to/python-project

Manifest Support

Vibgrate reads multiple Python manifest formats:

Format    File              Notes
pip       requirements.txt  Standard pip freeze format
Poetry    pyproject.toml    [tool.poetry.dependencies]
PEP 621   pyproject.toml    [project.dependencies]
Pipenv    Pipfile           Both [packages] and [dev-packages]
setup.py  setup.py          install_requires

Example Output

# Scan a Django project
vibgrate scan ./my-django-app

# JSON output for CI
vibgrate scan ./my-django-app --format json --out scan.json

CI Integration: GitLab CI

vibgrate:
  image: node:20
  script:
    - npx @vibgrate/cli scan . --format sarif --out vibgrate.sarif --fail-on error
  artifacts:
    reports:
      sast: vibgrate.sarif

Next Steps

  • Combine Python scanning with Node.js scanning in mixed-language repos
  • Set up drift baselines and fitness functions to track improvement
  • Explore SBOM export to generate CycloneDX or SPDX from your scan results