
Using Poetry with RepoForge.io

Introduction

Poetry is the recommended tool for working with Python projects in RepoForge.io because it manages dependencies efficiently and automatically includes the necessary metadata. This makes it easier for RepoForge.io's vulnerability scanner to tag and identify potential risks in your packages. This guide will show you how to set up Poetry with RepoForge.io, publish your projects, manage vulnerabilities, and install packages from RepoForge.io.

Setting Up Poetry with RepoForge.io

To use Poetry with RepoForge.io, you need to register your RepoForge.io repository and set up authentication. Follow the steps below:

1. Register your RepoForge.io repository

First, you need to configure Poetry to recognize your RepoForge.io repository. Replace the ${UNIQUE_REPOFORGE_URL} with your specific RepoForge.io repository URL:

```bash
poetry config repositories.repoforge ${UNIQUE_REPOFORGE_URL}
```

2. Provide your credentials

Next, you need to set up authentication. You can do this using your RepoForge.io account credentials or an access token.

Using your username and password

Provide your RepoForge.io username and password that you use to log into the RepoForge.io UI:

```bash
poetry config http-basic.repoforge {username} {password}
```

Using an access token

Alternatively, you can create an access token with the necessary Python permissions in the RepoForge.io UI and use it to authenticate. Replace {access token} with your actual access token. The token can be generated from the RepoForge.io dashboard, and must assume the Python - Full access role in order to be able to write to your RepoForge.io repository.

```bash
poetry config http-basic.repoforge anystring {access token}
```

For more information, refer to Authentication and permissions.

Vulnerability Management in RepoForge.io with Poetry

RepoForge.io includes a powerful vulnerability scanner that helps you identify known security issues in your dependencies. One of the key advantages of using Poetry is that it manages your package metadata in a way that can be easily interpreted by RepoForge.io, meaning that it's effortless to track any security issues in your project. Let’s see how it works by adding a package with a known vulnerability.

1. Add a vulnerable package

For example, let’s add a version of Django known to have vulnerabilities:

```bash
poetry add django==5.0.0
```

2. Publish your project

Re-publish your project to RepoForge.io:

```bash
poetry publish --build --repository repoforge
```

3. Check for vulnerabilities

Log in to the RepoForge.io dashboard and navigate to the vulnerabilities page. You should now see a new vulnerability marked against your project.


Ongoing Vulnerability Monitoring

RepoForge.io’s advanced monitoring feature (available in the Advanced version) continuously tracks vulnerabilities even after your package has been published. If a new vulnerability is discovered in one of your dependencies, you will be notified, allowing you to address the issue promptly.

Installing Packages from RepoForge.io into Your Poetry Project

To use packages hosted in RepoForge.io within your existing Poetry projects, you need to add your RepoForge.io repository as a source.

Add RepoForge.io as a source

Run the following command, replacing the URL with your specific RepoForge.io repository URL:

```bash
poetry source add repoforge ${UNIQUE_REPOFORGE_URL}
```

This will add the following configuration to your pyproject.toml file:

```toml
[[tool.poetry.source]]
name = "repoforge"
url = "${UNIQUE_REPOFORGE_URL}"
priority = "primary"
```

Add dependencies from RepoForge.io

You can now add dependencies from your RepoForge.io repository using:

```bash
poetry add --source repoforge my-project
```

This setup allows you to fully leverage Poetry with RepoForge.io, providing streamlined package management, publishing, and vulnerability scanning for your Python projects. If you have the Advanced version of RepoForge.io, you'll benefit from active vulnerability monitoring to keep your projects secure even after publishing.