Working with Codebases
This guide explains how Safety Firewall interacts with your codebases and how to manage your projects efficiently.
What is a Codebase in Safety?
A "codebase" in Safety refers to a project directory that is registered with Safety for vulnerability scanning and protection. When a directory is configured as a codebase:
Its dependencies are automatically scanned for vulnerabilities
Installation activities within that directory are tracked and monitored
Scan results and package installations are reported to Safety Platform
Organization policies are applied to package installations in that directory
Setting Up a Codebase
During Initialization
When you run safety init, Safety automatically detects Python projects in your current directory and offers to configure them as codebases.
Manual Configuration
To manually set up a directory as a codebase, navigate to the project directory and run:
Follow the prompts to name the codebase and configure it.
What Happens When You Set Up a Codebase
When you configure a codebase, Safety:
Creates a .safety-project.ini file in the directory
Performs an initial scan of the project's dependencies
Uploads the scan results to the Safety Platform
Configures the directory for ongoing monitoring
Automatic Scanning
One of the key benefits of Safety Firewall is automatic dependency scanning:
When Packages Are Installed or Removed
When you run commands like pip install -r requirements.txt or pip uninstall package-name within a configured codebase:
Safety Firewall intercepts the command
After the installation/removal completes, a scan is automatically triggered
Scan results are uploaded to Safety Platform
The codebase's security status is updated
This means you don't need to run safety scan manually after changing dependencies.
Manual Scanning
You can still perform a manual scan at any time by running safety scan in the codebase directory. This scans the current directory's dependencies and updates the results in the Safety Platform.
Viewing Codebase Information
In Safety Platform
Your codebases appear in the "Codebases" section of the Safety Platform, where you can:
View vulnerability counts and security status
See detailed scan results for each codebase
Track package installation history
Manage codebase-specific policies
Working with Unregistered Projects
If you install packages in a directory that isn't configured as a codebase:
Safety Firewall still protects you by analyzing packages before installation
Warnings or blocks are applied based on your organization's policies
Installation events are still recorded in the Safety Platform
However, scan results are not automatically uploaded to the Safety Platform
Managing Codebase Policies
Each codebase can have specific policies that override organization-level policies:
Click "Codebase Settings"
Go to the "Policies" tab
Configure codebase-specific policies
If you have a local .safety-project.yml, your local .safety-policy.yml no longer takes effect: Safety ignores it and uses the policy defined for the project in the Safety Platform instead.
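The two situations described above (a project directory that is not registered as a codebase, and a local policy file that is silently superseded once the project file exists) are easy to miss in a large repository. The following audit script is an added example, not part of the Safety documentation or the Safety CLI: it walks a repository tree and classifies every directory that looks like a Python project. It only checks for the presence of the file names this page mentions (.safety-project.ini and .safety-policy.yml); treating requirements.txt or pyproject.toml as the marker of a Python project, and the set of skipped directories, are assumptions of the example.

```python
import os
import tempfile
from pathlib import Path

# Marker files taken from this page: .safety-project.ini marks a registered
# codebase; .safety-policy.yml is the local policy file that it overrides.
PROJECT_MARKERS = ("requirements.txt", "pyproject.toml")  # assumption
CODEBASE_FILE = ".safety-project.ini"
LOCAL_POLICY_FILE = ".safety-policy.yml"
SKIP_DIRS = {".git", ".venv", "venv", "node_modules", "__pycache__"}

def codebase_status(project_dir):
    """Classify one project directory by which Safety files are present."""
    project_dir = Path(project_dir)
    if not (project_dir / CODEBASE_FILE).is_file():
        # Installs are still policy-checked and recorded, but scan results
        # are not uploaded to the Platform for this directory.
        return "unregistered"
    if (project_dir / LOCAL_POLICY_FILE).is_file():
        # The local policy file is silently ignored; the Platform policy wins.
        return "registered-local-policy-ignored"
    return "registered"

def audit_repo(root):
    """Map each Python project under root (POSIX path, relative) to its status."""
    root = Path(root)
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        if any(marker in filenames for marker in PROJECT_MARKERS):
            rel = Path(dirpath).relative_to(root).as_posix()
            report[rel] = codebase_status(dirpath)
    return report

def demo():
    """Build a constructed sample tree (not a real repo) in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    layout = {
        ".": ["pyproject.toml", CODEBASE_FILE],
        "services/api": ["requirements.txt", CODEBASE_FILE, LOCAL_POLICY_FILE],
        "tools/script": ["requirements.txt"],
        ".venv/lib": ["requirements.txt"],  # virtualenv contents are skipped
    }
    for sub, files in layout.items():
        (root / sub).mkdir(parents=True, exist_ok=True)
        for name in files:
            (root / sub / name).write_text("")
    return audit_repo(root)
```

Run audit_repo on a real checkout to list projects whose installs are tracked but whose scans never reach the Platform, and projects where a stale local policy file may mislead developers about which rules actually apply.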