pyupio/safety

Safety Authentication in the shell

Closed this issue · 6 comments

  • safety version: 3.2.0
  • Python version: 3.9.6
  • Operating System: macOS

Description

I want to be able to use safety in my CI/CD pipeline, but if safety auth is going to return a clickable browser authentication URL, it will not be feasible. Is there any way to authenticate in the shell itself?

The SAFETY_API_KEY environment variable seems to work, or using the --key= CLI option: https://docs.safetycli.com/safety-docs/support/invalid-api-key-error#using-the-safety-api-key-in-safety-cli

--key works with safety check, not safety scan, if I'm not mistaken.

Here is an example in the docs where it is used with safety scan: https://docs.safetycli.com/safety-docs/output/detecting-vulnerabilities-and-sharing-results-via-email#command

Also, the variable must work, since it is used in the official GitHub Action with safety scan: https://github.com/pyupio/safety-action/blob/main/entrypoint.sh

--stage cicd likely makes sense as well, but I could not find a hint about the exact effect of this. Probably it ignores the test environment and concentrates on the project (source code) and declared dependencies only, while otherwise it checks the current environment as well, interpreting it as the one the project is finally running in. Just an idea which somehow would make sense to me.

Thanks, it's working now (I used --key=API_KEY, not --key API_KEY). I had to add --stage cicd or I would get "Invalid value: 'api_key' auth type isn't allowed with the 'Stage.development' stage."

Okay, whatever this "development" stage shall be: Who is doing manual dependency vulnerability checks while coding? Documentation about all of this is missing, or not prominent enough, e.g. searching for stage in the docs does not lead to any other results than examples for --stage cicd usage.

So it is currently not possible to run safety scan without --stage cicd from a non-GUI console?

Thank you so much for the help, forgot to reply promptly, but it worked 🥳