Using Safety in Conda Environments
Using Safety CLI with Anaconda Environments
Overview
Safety CLI is the only dependency scanner powered by Safety's industry-leading vulnerability database. Safety CLI can be used to scan and secure Anaconda projects and environments, with some additional steps required to help make implementation and rollout seamless across your team. This guide will show you how to use Safety CLI effectively with your Anaconda projects.
Table of Contents
General Process
To scan Anaconda environments with Safety CLI, the following general steps are recommended:
Export the Anaconda manifest (list of packages in the Anaconda project):
conda activate your_environment_name conda list -e > requirements.txtSeparate pip-installed packages and conda-installed packages into two separate temporary requirements.txt files (instructions and examples for this below)
Scan the separated requirements files using
safety scanDelete the temporary requirements.txt files that were created
Unix-based Systems (Linux/macOS)
For a streamlined workflow on Unix-based systems, use the following bash script:
#!/bin/bash
# Function to clean up temporary files
cleanup() {
rm -f requirements.txt conda_requirements.txt pip_requirements.txt
}
# Trap to ensure cleanup happens even if the script is interrupted
trap cleanup EXIT
# Generate requirements file
conda list -e > requirements.txt
# Function to separate conda and pip packages
separate_requirements() {
local input_file=$1
local conda_output=$2
local pip_output=$3
> "$conda_output"
> "$pip_output"
while IFS= read -r line
do
if [[ $line =~ ^#.*$ ]] || [[ -z $line ]]; then
echo "$line" >> "$conda_output"
elif [[ $line == *"=pypi_0"* ]]; then
package_info=$(echo "$line" | sed 's/=/==/;s/=pypi_0//')
echo "$package_info" >> "$pip_output"
else
package_info=$(echo "$line" | awk -F= '{print $1"=="$2" #"$3}')
echo "$package_info" >> "$conda_output"
fi
done < "$input_file"
}
# Separate requirements
separate_requirements "requirements.txt" "conda_requirements.txt" "pip_requirements.txt"
# Run safety with all arguments passed to this script
safety "$@"
# Cleanup is handled by the trapUsage
Save the script as
conda_safety.shMake it executable:
chmod +x conda_safety.shRun the script as a replacement for the
safetycommand, using any Safety CLI arguments. For example:
conda activate <your_environment_name>
./conda_safety.sh scanor
conda activate <your_environment_name>
./conda_safety.sh scan --output jsonSetting Up as a Command using an alias
To use the script as a command:
Add an alias in your shell configuration file (
~/.bashrcor~/.zshrc):alias conda-safety='/path/to/your/conda_safety.sh'Reload your shell configuration:
source ~/.bashrc # or ~/.zshrc for Zsh
Now you can use conda-safety as a drop-in replacement for the safety command. Once you've activated your conda environment, use `conda-safety`. For example:
conda activate <your_environment_name>
conda-safety auth
conda-safety scanWindows-based Systems
For Windows users, use the following PowerShell script:
# Function to clean up temporary files
function Cleanup {
Remove-Item -ErrorAction SilentlyContinue requirements.txt, conda_requirements.txt, pip_requirements.txt
}
# Ensure cleanup happens even if the script is interrupted
trap { Cleanup; break }
# Generate requirements file
conda list -e > requirements.txt
# Function to separate conda and pip packages
function Separate-Requirements {
param (
[string]$InputFile,
[string]$CondaOutput,
[string]$PipOutput
)
$null > $CondaOutput
$null > $PipOutput
Get-Content $InputFile | ForEach-Object {
if ($_ -match '^#' -or $_ -eq '') {
$_ >> $CondaOutput
}
elseif ($_ -match '=pypi_0') {
$packageInfo = $_ -replace '=', '==' -replace '=pypi_0', ''
$packageInfo >> $PipOutput
}
else {
$parts = $_ -split '='
"$($parts[0])==$($parts[1]) #$($parts[2])" >> $CondaOutput
}
}
}
# Separate requirements
Separate-Requirements "requirements.txt" "conda_requirements.txt" "pip_requirements.txt"
# Run safety with all arguments passed to this script
safety $args
# Cleanup
CleanupUsage
Save the script as
Conda-Safety.ps1Open PowerShell and navigate to the script's directory
Run the script with Safety CLI arguments:
conda activate <your_environment_name>
.\Conda-Safety.ps1 scanor
conda activate <your_environment_name>
.\Conda-Safety.ps1 scan --output jsonSetting Up as a Command
To use the script as a command in Windows:
Create a directory for the script if it doesn't exist:
mkdir C:\Users\YourUsername\Documents\WindowsPowerShell\ScriptsMove the script to this directory:
Move-Item Conda-Safety.ps1 C:\Users\YourUsername\Documents\WindowsPowerShell\ScriptsAdd the directory to your PATH:
Open System Properties
Click on Environment Variables
Under System Variables, find and edit the PATH variable
Add
C:\Users\YourUsername\Documents\WindowsPowerShell\Scripts
Create a PowerShell profile if you don't have one:
if (!(Test-Path -Path $PROFILE)) { New-Item -ItemType File -Path $PROFILE -Force }Add this line to your PowerShell profile:
Set-Alias conda-safety C:\Users\YourUsername\Documents\WindowsPowerShell\Scripts\Conda-Safety.ps1
Now you can use conda-safety as a command in PowerShell as a drop-in replacement for the safety command. This requires safety and conda to already be installed and available in Powershell.
Important Note
Conda-installed packages may differ from standard PyPI packages. As a result, security findings for conda-installed packages may differ from PyPi equivalent packages. Always verify findings for conda-installed packages against the specific versions in your Anaconda environment.
Help and Implementation Assistance
Anaconda environments and setups vary. If the instructions above do not work or you encouter any issues, please don't hesitate to reach out to our support team at [email protected]. We're here to help you ensure the security of your Python projects, regardless of your environment setup.
Last updated
Was this helpful?