From 23a75f5d67fb5330d089745de23c76ab73ef0893 Mon Sep 17 00:00:00 2001
From: PaulKMueller
Date: Fri, 4 Jul 2025 16:32:19 +0200
Subject: [PATCH 1/5] Add conda-deny documentation
---
 docs/integration/extensions/conda_deny.md | 104 ++++++++++++++++++++++
 1 file changed, 104 insertions(+)
 create mode 100644 docs/integration/extensions/conda_deny.md
diff --git a/docs/integration/extensions/conda_deny.md b/docs/integration/extensions/conda_deny.md
new file mode 100644
index 0000000000..5cd87586b5
--- /dev/null
+++ b/docs/integration/extensions/conda_deny.md
@@ -0,0 +1,104 @@
+!!!tip `conda-deny` in one command:
+ In your favorite `pixi` project, run:
+ ```bash
+ pixi exec conda-deny --osi
+ ```
+
+ This will check your project for license compliance against the list of [OSI approved licenses](https://opensource.org/licenses).
+
+[conda-deny](https://github.com/Quantco/conda-deny) is a CLI tool for checking software environment dependencies for license compliance.
+Compliance is checked with regard to an allowlist of licenses provided by the user.
+
+### 💿 Installation
+You can install `conda-deny` using `pixi`:
+
+```bash
+pixi global install conda-deny
+```
+
+Or by downloading our pre-built binaries from the [releases page](https://github.com/quantco/conda-deny/releases).
+
+### 🎯 Usage
+
+![conda-deny demo](https://raw.githubusercontent.com/Quantco/conda-deny/refs/heads/main/.github/assets/demo/demo-light.gif#gh-light-mode-only)
+![conda-deny demo](https://raw.githubusercontent.com/Quantco/conda-deny/refs/heads/main/.github/assets/demo/demo-dark.gif#gh-dark-mode-only)
+
+`conda-deny` can be configured in your `pixi.toml` or `pyproject.toml` (`pixi.toml` is preferred).
+The tool expects a configuration in the following format:
+
+```toml
+[tool.conda-deny]
+#--------------------------------------------------------
+# General setup options:
+#--------------------------------------------------------
+license-allowlist = "https://raw.githubusercontent.com/quantco/conda-deny/main/tests/test_remote_base_configs/conda-deny-license_allowlist.toml" # or ["license_allowlist.toml", "other_license_allowlist.toml"]
+platform = "linux-64" # or ["linux-64", "osx-arm64"]
+environment = "default" # or ["default", "py39", "py310", "prod"]
+lockfile = "environment/pixi.lock" # or ["environment1/pixi.lock", "environment2/pixi.lock"]
+# lockfile also supports glob patterns:
+# lockfile = "environments/**/*.lock"
+
+#--------------------------------------------------------
+# License allowlist directly in configuration file:
+#--------------------------------------------------------
+safe-licenses = ["MIT", "BSD-3-Clause"]
+ignore-packages = [
+ { package = "make", version = "0.1.0" },
+]
+```
+
+After the installation, you can run `conda-deny check` in your project.
+This checks the dependencies defined by your `pixi.lock` against your allowlist.
+
+### 🔒 Authorized access to allowlist
+
+If a Bearer Token is needed to access your allowlist, you can provide it using `CONDA_DENY_BEARER_TOKEN`.
+An example use case would be a private repository containing your allowlist.
+
+
+
+`conda-deny` supports different output formats via the `--output` (or `-o`) flag.
+Output formatting works for both, the `list` and the `check` command.
+
+
+### Output Formats
+=== "CSV"
+ ```bash
+ $ conda-deny list --output csv
+ package_name,version,license,platform,build,safe
+ _openmp_mutex,4.5,BSD-3-Clause,linux-aarch64,2_gnu,false
+ _openmp_mutex,4.5,BSD-3-Clause,linux-64,2_gnu,false
+ ...
+ ```
+
+
+=== "JSON"
+ ```bash
+ $ conda-deny list --output json-pretty
+ {
+ "unsafe": [
+ {
+ "build": "conda_forge",
+ "license": {
+ "Invalid": "None"
+ },
+ "package_name": "_libgcc_mutex",
+ "platform": "linux-64",
+ "version": "0.1"
+ },
+ {
+ "build": "h57d6b7b_14",
+ "license": {
+ "Invalid": "LGPL-2.0-or-later AND LGPL-2.0-or-later WITH exceptions AND GPL-2.0-or-later AND MPL-2.0"
+ },
+ "package_name": "_sysroot_linux-aarch64_curr_repodata_hack",
+ "platform": "noarch",
+ "version": "4"
+ },
+ ...
+ ```
+
+!!!tip Creating License Bundles
+ By running `conda-deny bundle`, `conda-deny` will create a directory containing all your dependencies' original license files.
+
+ This can come in handy when creating SBOMs or sharing compliance information with other people.
From 3138674e2327469602c523d343cdf06395bdb7d4 Mon Sep 17 00:00:00 2001
From: PaulKMueller
Date: Fri, 4 Jul 2025 16:35:42 +0200
Subject: [PATCH 2/5] Add to navigation
---
 mkdocs.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/mkdocs.yml b/mkdocs.yml
index f82b860d48..0bcd508faa 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -160,6 +160,7 @@ nav:
 - Pixi Diff-to-markdown: integration/ci/updates_github_actions.md
 - Extensions:
 - Introduction: integration/extensions/introduction.md
+ - Conda Deny: integration/extensions/conda_deny.md
 - Pixi Diff: integration/extensions/pixi_diff.md
 - Pixi Diff-to-markdown: integration/ci/updates_github_actions.md
 - Pixi Inject: integration/extensions/pixi_inject.md
From 4a7ba8a12cb33ee71eba2d499db5dc69ee697a72 Mon Sep 17 00:00:00 2001
From: PaulKMueller
Date: Fri, 4 Jul 2025 20:04:53 +0200
Subject: [PATCH 3/5] Move docs to "Third Party" section
---
 docs/integration/{extensions => third_party}/conda_deny.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename docs/integration/{extensions => third_party}/conda_deny.md (100%)
diff --git a/docs/integration/extensions/conda_deny.md b/docs/integration/third_party/conda_deny.md
similarity index 100%
rename from docs/integration/extensions/conda_deny.md
rename to docs/integration/third_party/conda_deny.md
From 2b6af645377ee902072574ef2baf12b1a6e928c5 Mon Sep 17 00:00:00 2001
From: PaulKMueller
Date: Fri, 4 Jul 2025 20:15:47 +0200
Subject: [PATCH 4/5] Add to navigation
---
 docs/integration/third_party/conda_deny.md | 2 +-
 mkdocs.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/integration/third_party/conda_deny.md b/docs/integration/third_party/conda_deny.md
index 5cd87586b5..6c4b457574 100644
--- a/docs/integration/third_party/conda_deny.md
+++ b/docs/integration/third_party/conda_deny.md
@@ -100,5 +100,5 @@ Output formatting works for both, the `list` and the `check` command.
 !!!tip Creating License Bundles
 By running `conda-deny bundle`, `conda-deny` will create a directory containing all your dependencies' original license files.
-
+
 This can come in handy when creating SBOMs or sharing compliance information with other people.
diff --git a/mkdocs.yml b/mkdocs.yml
index 0bcd508faa..6202922be2 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -160,13 +160,13 @@ nav:
 - Pixi Diff-to-markdown: integration/ci/updates_github_actions.md
 - Extensions:
 - Introduction: integration/extensions/introduction.md
- - Conda Deny: integration/extensions/conda_deny.md
 - Pixi Diff: integration/extensions/pixi_diff.md
 - Pixi Diff-to-markdown: integration/ci/updates_github_actions.md
 - Pixi Inject: integration/extensions/pixi_inject.md
 - Pixi Install-to-prefix: integration/extensions/pixi_install_to_prefix.md
 - Pixi Pack: deployment/pixi_pack.md
 - Third Party:
+ - Conda Deny: integration/third_party/conda_deny.md
 - Direnv: integration/third_party/direnv.md
 - Starship: integration/third_party/starship.md
 - Advanced:
From 7d75089ade3e62cbceb2d691229ca830d335a98c Mon Sep 17 00:00:00 2001
From: Julian Hofer
Date: Tue, 8 Jul 2025 16:40:23 +0200
Subject: [PATCH 5/5] Small fix
---
 docs/integration/third_party/conda_deny.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/integration/third_party/conda_deny.md b/docs/integration/third_party/conda_deny.md
index 6c4b457574..f5a76e8dd8 100644
--- a/docs/integration/third_party/conda_deny.md
+++ b/docs/integration/third_party/conda_deny.md
@@ -1,4 +1,5 @@
-!!!tip `conda-deny` in one command:
+
+!!!tip "`conda-deny` in one command:"
 In your favorite `pixi` project, run:
 ```bash
 pixi exec conda-deny --osi