uv
uv copied to clipboard
astral-sh
Feature request - pre-build / pre-read hook for security scanning
Hi UV devs! Is it possible to make uv call some external tool before it attempts to build a package from source? Essentially, I'm looking for a way to pass all artifacts that UV fetches from certain external indexes through a security scanner before they are passed to unzip and more importantly, to python for execution (in case of sdists). Is that possible? If not, would it be possible to add such a feature? I was not able to find much on hooks available in uv right now.
@samypr100 no, pip doesn't have such a feature. Nearest would be "pip download --only-binary :all:" + scanning the downloaded files. In our org we have made some patches to pip so I know where it handles download and file saving, also since pip is python it was easy for me to patch; But we seek to improve performance, and I'm looking at uv now. I would, however, like to avoid maintaining a custom uv fork, if possible, right now my rust skills are zero.
Interesting. Closest might be something like discussed in https://github.com/astral-sh/uv/issues/3400, althought albeit trickier due to the streaming nature since in your case you'd want to fully download first, "scan", and then extract, etc. which is afaik not how uv works under the hood even without the scan step.
From uv's perspective it might be better to rely on https://github.com/astral-sh/uv/issues/3163 in the mean time once there's a suitable design / implementation (e.g. like https://github.com/astral-sh/uv/issues/3163#issuecomment-2481505055).
Hi @samypr100! #3163 won't be good enough, because some packages publish only sdist; we have to use --no-build to ensure security during resolution workflow, and for such packages this flag would cause failure to resolve. Therefore at least for sdists, we need some callback to pass the artifact through security validation before it is used for build.