
Safety scan command doesn't detect my pyproject.toml (or my env.yml) file with all its dependencies #505

Open
Alex-ley-scrub opened this issue Feb 24, 2024 · 2 comments
bug Indicates a problem that needs to be resolved.

Comments

@Alex-ley-scrub

  • safety version:
    safety, version 3.0.1
  • Python version:
    py39, py310, py311 (same on all)
  • Operating System:
    MacOS Sonoma 14.3.1 (MacBook Pro M1)

Description

  • Wanted to use safety scan out of the box on my local repo dev environment
  • But safety failed to find/read/parse my pyproject.toml file
  • But when I used uv pip compile pyproject.toml -o requirements.txt and then safety scan, it did work (workaround I will use for now)
  • However, pyproject.toml is standard nowadays - https://packaging.python.org/en/latest/guides/writing-pyproject-toml/
  • So I'd expect it to work with this out of the box. It also mentions it in the docs: https://docs.safetycli.com/safety-docs/safety-cli-3/quick-start-guide#id-3.-running-your-first-scan
  • It also doesn't find my env.yml file where I define my conda environment but that's more expected. I actually only keep the bare minimum in there (packages that don't install nicely with pip only and/or C libs that python packages wrap like python-magic wraps libmagic etc.) exactly for this reason - as dependabot also doesn't find/read/parse env.yml files (but it does find/read/parse and bump pyproject.toml files)
  • Am I doing something wrong with safety scan or does it not support pyproject.toml or is it a bug?

What I Did

$ ls -al pyproject.toml
-rw-r--r--  1 alex  staff  5000 Feb 24 15:14 pyproject.toml

$ safety scan          
Safety 3.0.1 scanning /Users/alex/repos/Backend
2024-02-24 18:22:12 UTC

Account: Alex Ley, [email protected] 
 Git branch: fix/github_actions_versions
 Environment: development
 Scan policy: None, using Safety CLI default policies

Tested 0 dependencies for known security issues using default Safety CLI policies
0 security issues found, 0 fixes suggested

$ uv pip compile pyproject.toml -o requirements.txt 
Resolved 178 packages in 408ms
warning: The package `pytorch-lightning==2.0.0` does not have an extra named `jsonargparse`.

$ safety scan                                       
Safety 3.0.1 scanning /Users/alex/repos/Backend
2024-02-24 18:22:46 UTC

Account: Alex Ley, [email protected] 
 Git branch: fix/github_actions_versions
 Environment: development
 Scan policy: None, using Safety CLI default policies

Python detected. Found 1 Python requirement file

Dependency vulnerabilities detected:

📝 requirements.txt:
...
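As an added example (not code from the issue or from the Safety project), a small Python helper covering the two points of the report above: it treats a scan summary of "Tested 0 dependencies" as a failed gate rather than a clean pass, and it exports the direct dependencies of a PEP 621 pyproject.toml as requirement lines for a scanner that cannot read the file. Function and constant names are assumptions, the sample scan output and pyproject.toml are constructed, and unlike `uv pip compile` it does not resolve transitive dependencies.

```python
"""Fail a Safety run that tested nothing; export pyproject.toml deps as a fallback (added example)."""
import re

try:
    import tomllib  # stdlib on Python 3.11+
except ImportError:  # older interpreters: `pip install tomli`
    try:
        import tomli as tomllib
    except ImportError:
        tomllib = None
TOML_AVAILABLE = tomllib is not None

# Constructed to mirror the summary lines `safety scan` printed in the report above.
SCAN_OUTPUT_EMPTY = """Tested 0 dependencies for known security issues using default Safety CLI policies
0 security issues found, 0 fixes suggested
"""

# Constructed PEP 621 pyproject.toml (names are assumptions).
SAMPLE_PYPROJECT = """
[project]
name = "backend"
dependencies = ["requests>=2.31", "pytorch-lightning==2.0.0"]

[project.optional-dependencies]
dev = ["pytest>=8"]
"""

_TESTED = re.compile(r"Tested (\d+) dependenc")

def dependencies_tested(scan_output: str) -> int:
    """Count from the 'Tested N dependencies' line, or -1 if the summary is missing."""
    m = _TESTED.search(scan_output)
    return int(m.group(1)) if m else -1

def scan_is_meaningful(scan_output: str, expected_min: int = 1) -> bool:
    """'0 issues found' over 0 dependencies means the manifest was never read, not that it is clean."""
    return dependencies_tested(scan_output) >= expected_min

def pyproject_requirements(pyproject_text: str, include_extras: bool = True) -> list:
    """Direct deps from [project] (plus extras); transitive pins are not resolved, unlike `uv pip compile`."""
    if not TOML_AVAILABLE:
        raise RuntimeError("tomllib/tomli not available")
    project = tomllib.loads(pyproject_text).get("project", {})
    reqs = list(project.get("dependencies", []))
    if include_extras:
        for extra in project.get("optional-dependencies", {}).values():
            reqs.extend(extra)
    return reqs
```

In a CI job, gate on `scan_is_meaningful(output)` so that a scanner silently skipping the manifest cannot pass as a clean result.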
@Alex-ley-scrub
Author

Alex-ley-scrub commented Feb 25, 2024

perhaps interestingly (or not) - this works - it scans my /Users/alex/miniconda/envs/py311/lib/python3.11/site-packages rather than my pyproject.toml file but that is also pretty ideal:

uv pip uninstall safety
uv pip uninstall dparse
uv pip install safety==2.3.5
safety check

  Safety v2.3.5 is scanning for Vulnerabilities...
  Scanning dependencies in your environment:

  -> /Users/alex/miniconda/envs/py311/lib/python3.11/site-packages

this also works but scans even more stuff:

uv pip uninstall safety
uv pip uninstall dparse
uv pip install safety==3.0.1 --prerelease=allow
safety check

  Safety v3.0.1 is scanning for Vulnerabilities...
  Scanning dependencies in your environment:

  -> /Users/alex/miniconda/envs/py311/bin
  -> /Users/alex/miniconda/envs/py311/lib/python311.zip
  -> /Users/alex/miniconda/envs/py311/lib/python3.11/lib-dynload
  -> /Users/alex/miniconda/envs/py311/lib/python3.11
  -> /Users/alex/repos/Backend
  -> /Users/alex/miniconda/envs/py311/lib/python3.11/site-packages

Is this safety check a better command for me to run than safety scan for my use case (scanning my repo env dependencies)?

@Alex-ley-scrub Alex-ley-scrub changed the title Safety CLI doesn't detect my pyproject.toml (or my env.yml) file with all its dependencies Safety scan command doesn't detect my pyproject.toml (or my env.yml) file with all its dependencies Feb 25, 2024
@yeisonvargasf yeisonvargasf self-assigned this Mar 21, 2024
@yeisonvargasf yeisonvargasf added the bug Indicates a problem that needs to be resolved. label Jul 4, 2024
@dylanpulver
Collaborator

@Alex-ley-scrub With the latest releases we now support pyproject.toml scanning!
