Add support for pixi installations with pixi.lock files and pyproject.toml or pixi.toml

[benglewis]

Description

The new package manager in Python and Rust land with the name pixi is really fast, convenient (it has the optional to create feature sections, platform-specific dependencies and different environments, which can share dependency feature blocks, as well as automatic lock file maintenance, and most importantly, for us, support both for PyPI packages as well as Conda packages from conda-forge and other repositories like nvidia and pytorch).

Since it uses a different lock file than the existing packages, I believe that Trivy will not work as currently built. I may be wrong and I would be happy to discover that.

We are currently using SafetyCLI to scan the pyproject.toml for regular PyPI packages and jake to scan our Conda packages using micromamba to get the list of the package versions - yes it is a bit ugly.

Target

Git Repository

Scanner

Vulnerability

[nikpivkin]

Hi @benglewis !

Is pixi popular? I found <400 results using pixi.lock on GitHub. And <600 for pixi.toml https://github.com/search?q=path%3Apixi.toml&type=code.

[marcelovilla]

Seems like both searches are over 2k results now. We're transitioning from pip/conda to uv/pixi in one of our projects and we'd love to see this happening :)

[benglewis]

It is very new, so it isn’t extremely popular yet, but it is the best solution for the problems that it solves. There aren’t really any better solutions out there. I also imagine that those that need lock files are mostly not publishing to public GitHub repos

[johndutchover]

Pixi is growing fast and gaining popularity. prefix.dev is doing some great work.

[nikpivkin]

@knqyf263 WDYT?

[knqyf263]

We'll wait for comments and upvotes from the community to see how much this feature is needed.

[aarz-snl]

Commenting -- wish we had this as well