Support pip-audit configuration from pyproject.toml #694

Open

dnovvak opened this issue Nov 8, 2023 · 6 comments

Labels: enhancement (New feature or request)

dnovvak commented Nov 8, 2023

Is your feature request related to a problem? Please describe.

Yes, having a single CI workflow for multiple repositories, we cannot easily ignore vulnerabilities affecting a single repository only. Also, specifying extra indexes per repository is severely hampered here.

Describe the solution you'd like

With pip-audit configuration in pyproject.toml we could specify custom settings at the single-repository level while leaving the CI untouched (the CI always executes poetry run pip-audit).

For example:

# pyproject.toml

[tool.pip-audit]
ignore-vuln = [
    "CVE-TO-IGNORE",
]
extra-index-url = [
    "https://my-pypi.com/simple",
]

Describe alternatives you've considered

Using another tool.

Additional context

The most used code quality tools for Python support configuration from pyproject.toml. For example:

So I wonder that the official tool from PyPA does not follow community standards.

@dnovvak dnovvak added the enhancement New feature or request label Nov 8, 2023
di commented Nov 8, 2023

So I wonder that the official tool from PyPA does not follow community standards.

This is mostly a volunteer-run project, it just hasn't been implemented yet. I think we're all likely in favor of this.

@woodruffw (Member):

To add on to what @di said: it's not that we don't follow community standards, but that pip-audit simply does not have any configuration file at the moment.

There are a number of complexities involved in adding one, such as determining how best to interoperate with pip's own configuration; see #193 for some details on that.


dnovvak commented Nov 8, 2023

Thank you for adding some context to that @di @woodruffw!

I just saw that a few issues mention pyproject.toml as a possible resolution, but it wasn't clear whether it's on your roadmap, and I couldn't find any ticket discussing this feature as a whole.

By the way, are you able to say something about the priority of this feature?

@woodruffw (Member):

By the way, are you able to say something about the priority of this feature?

It's not an immediate priority I believe, but I think we'd be happy to review a PR that makes these changes.

But before that, there should be some discussion on this issue about what the scope of the configuration will be:

  1. Will there be settings that mirror each of pip-audit's flags, or only some?
  2. Will there be settings that conflict with/take precedence over things in pip.conf?
  3. How should we handle discovery, i.e. should we only load from $CWD or keep walking up directories until we hit a pyproject.toml?
  4. How should we allow configuration for projects that don't use pyproject.toml, if we want to support this?

@albertodiazdorado:

I'd love if this was part of pip-audit :)

@woodruffw (Member):

I believe #694 (comment) covers the preconditions for this feature. We're interested in hearing from users about each of the bullets in that comment.
