pip-audit

--trusted-host or --cert as in pip itself

Open ZeerDonker opened this issue 3 years ago • 4 comments

Is your feature request related to a problem? Please describe.

Private repositories might have alternative certificates. Easily using an extra or alternative index, such as with --extra-index-url of pip-audit, might thus fail if pip-audit can't find that.

Describe the solution you'd like

Pip itself has the following optional arguments it can use. Pip-audit having the same functionality would be nice.

--trusted-host Mark this host or host:port pair as trusted, even though it does not have valid or any HTTPS.

--cert Path to PEM-encoded CA certificate bundle. If provided, overrides the default. See 'SSL Certificate Verification' in pip documentation for more information.

ZeerDonker avatar Aug 02 '22 14:08 ZeerDonker

Thanks for the feature request!

Yes, I think we ultimately want to support this functionality -- pip-audit should accept most of the same index/mirror flags as pip, in part so that our eventual integration with pip (#335) is as smooth as possible.

woodruffw avatar Aug 02 '22 15:08 woodruffw

(That being said, we should also make sure that people understand that completely overriding the default package index doesn't change the fact that pip-audit uses pypi.org for vulnerability results, since those requests are not standardized by any current PEP.)

woodruffw avatar Aug 02 '22 15:08 woodruffw

Is this one still on the roadmap? I'm running into this issue as we're running with a mirror index in a Kubernetes cluster which is using a cluster address.

rawouter avatar Apr 13 '23 08:04 rawouter

It's still planned, but we don't currently have anybody allocated to work on it. Now that we use pip as our backend for everything it should be pretty easy to do, however 🙂

If you feel like taking a stab at this, we would greatly appreciate it! Otherwise, we can't guarantee a timeline for it.

woodruffw avatar Apr 13 '23 08:04 woodruffw
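
Added example, not part of the issue thread and not pip-audit code: a small Python check that classifies each index in a pip configuration file by how its TLS certificate ends up being handled, which is the practical difference between the two pip options requested in this issue. The option names are pip's configuration-file spellings of `--index-url`, `--extra-index-url`, `--trusted-host` and `--cert`; the host names in the sample are constructed, and whether pip-audit reads such a file is not stated in the thread.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample pip.conf; host names are placeholders, not from the issue.
SAMPLE_PIP_CONF = """
[global]
index-url = https://mirror.internal.example/simple
extra-index-url =
    https://pkgs.internal.example:8443/simple
    http://legacy.internal.example/simple
trusted-host = pkgs.internal.example:8443
"""

def classify_indexes(conf_text):
    """Map each index URL in [global] to how pip would treat its TLS certificate."""
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    parser.read_string(conf_text)
    opts = parser["global"] if parser.has_section("global") else {}
    # extra-index-url and trusted-host may hold several whitespace-separated values.
    urls = (opts.get("index-url", "") + "\n" + opts.get("extra-index-url", "")).split()
    trusted = {h.lower() for h in opts.get("trusted-host", "").split()}
    custom_ca = bool(opts.get("cert", "").strip())
    result = {}
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        hostport = parts.netloc.rsplit("@", 1)[-1].lower()  # drop any user:pass@
        if parts.scheme != "https":
            result[url] = "plaintext"                # no TLS at all
        elif host in trusted or hostport in trusted:
            result[url] = "unverified-trusted-host"  # certificate checks skipped
        elif custom_ca:
            result[url] = "verified-custom-ca"       # checked against the cert bundle
        else:
            result[url] = "verified-default-ca"      # checked against the default bundle
    return result

if __name__ == "__main__":
    for url, status in classify_indexes(SAMPLE_PIP_CONF).items():
        print(f"{status:24} {url}")
```

An index that lands in `unverified-trusted-host` only because it uses a private CA is the case where a `cert` bundle keeps verification on instead of switching it off.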