PyPI Avoid Public Repositories

ID

avoid_public_repositories_pip

Severity

high

Family

Avoid public repositories

Description

Some organizations have a policy of using only private repositories, with a carefully curated process for loading dependencies into the private repository from the public ones.

This detector checks whether a public repository is configured, or whether only the configured private repositories are used.

The public repository configured to check is:

  https://pypi.org/simple

You can change this list, adding or removing repositories, with the public-repositories parameter. Private repositories are configured with the private-repositories parameter.

If private repositories are configured, the public list does not apply: the detector only checks that the repository URLs in requirements files belong to the configured private repositories.
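The two modes described above, as an added example that is not the detector's own code: it scans a requirements file for index options and reports public indexes (no private list) or any index outside the private list (private list given). The default list, the sample requirements content and the function names are assumptions.

```python
"""Flag pip index URLs in a requirements file that violate a repository policy."""
import re
from urllib.parse import urlsplit

# Assumed default, mirroring the rule's public-repositories parameter
PUBLIC_REPOSITORIES = ["https://pypi.org/simple"]

# pip index options: -i/--index-url and --extra-index-url, "opt url" or "opt=url"
INDEX_OPTION = re.compile(r"^\s*(?:-i|--index-url|--extra-index-url)(?:=|\s+)(\S+)")

def _normalize(url):
    # Compare scheme/host case-insensitively and ignore a trailing slash
    parts = urlsplit(url.strip().strip("\"'"))
    return parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/") or "/"

def _same_repo(url, repo):
    return _normalize(url) == _normalize(repo)

def find_index_violations(requirements_text, public=PUBLIC_REPOSITORIES, private=None):
    """Return (line_no, url, reason) for each index URL that breaks the policy.

    With `private` given, any index not in that list is a finding; otherwise any
    index that matches the `public` list is a finding.
    """
    findings = []
    for line_no, line in enumerate(requirements_text.splitlines(), start=1):
        code = re.split(r"(?:^|\s)#", line, maxsplit=1)[0]  # drop pip-style comments
        match = INDEX_OPTION.match(code)
        if not match:
            continue
        url = match.group(1)
        if private is not None:
            if not any(_same_repo(url, p) for p in private):
                findings.append((line_no, url, "index not in private-repositories"))
        elif any(_same_repo(url, p) for p in public):
            findings.append((line_no, url, "public repository used as index"))
    return findings

# Constructed sample requirements file (not from the original page)
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
--index-url https://pypi.org/simple
--extra-index-url=https://permitted-repo/simple/
requests==2.31.0
"""

if __name__ == "__main__":
    for finding in find_index_violations(SAMPLE_REQUIREMENTS):
        print(finding)  # line 2 is reported; the permitted-repo index is not
```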

Security

Organizations may restrict artifacts to private internal repositories for security reasons, for example to avoid downloading packages that have not been checked by the security team.

Examples

--index-url https://pypi.org/simple

Mitigation / Fix

Remove the public repositories from the configuration files and use the repositories permitted by your organization.

--index-url https://permitted-repo/