mgpy combines product-level and supply-chain signals: risky code patterns, outdated dependencies and accidental secrets must be visible before release.
Key points
- CLI: On Windows the examples use the recommended `py -3.12 -m <module> ...` form (for example `py -3.12 -m manifestguard ...`). On Linux/macOS this usually maps to `python3.12 -m ...`.
- Unsafe execution paths such as `eval`, `exec` or hardcoded secrets require real code changes instead of comment-based suppression.
- Dependency audits only matter when transitive problems are also handled in the release process.
- Wheel and build artifacts belong in the security review as well.
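To make the "real code changes, not comment suppression" point concrete, here is an added illustration (not manifestguard's own code) of the kind of AST-level check such a scanner performs: it flags plain `eval`/`exec` calls and string literals assigned to credential-looking names, and a trailing `# noqa`-style comment has no effect on the result. The sample module and the name pattern are constructed for this example.

```python
# Added illustration (not manifestguard's own code): a minimal AST scan for the
# kinds of findings the text calls "obviously critical": eval/exec calls and
# string literals assigned to secret-looking names. Comments cannot hide them.
import ast
import re
from dataclasses import dataclass

# Constructed heuristic for credential-like variable names (assumption, not the tool's list)
SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_key|apikey)", re.I)
UNSAFE_CALLS = {"eval", "exec"}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    detail: str


def scan_source(source: str) -> list[Finding]:
    """Return unsafe-execution and hardcoded-secret findings for one module's source."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        # eval(...) / exec(...) invoked as bare builtins
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in UNSAFE_CALLS):
            findings.append(Finding(node.lineno, "unsafe-exec", node.func.id))
        # NAME = "literal" where NAME looks like a credential; values read from
        # os.environ or elsewhere are not string constants and are left alone
        elif isinstance(node, ast.Assign):
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
                for target in node.targets:
                    if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                        findings.append(Finding(node.lineno, "hardcoded-secret", target.id))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample module: the "# noqa" comments do not make either line safe.
SAMPLE = '''\
import os
API_KEY = "sk-constructed-example"  # noqa
DB_PASSWORD = os.environ["DB_PASSWORD"]  # read from the environment: not flagged
def load(expr):
    return eval(expr)  # noqa
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line}: {f.kind} ({f.detail})")
```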
Recommended mgpy workflow
- Fix the obviously critical findings first: secrets, unsafe execution and hardcoded paths.
- Then include package audits and release artifacts in the same security pass.
- Use suppressions only for legitimate, documented exceptions and re-check them regularly.
Quick start
invoke security-scan
py -3.12 -m manifestguard check --extended
py -3.12 -m manifestguard check --report .manifestguard/manifestguard-report.json