I have a Python repository which uses both packages downloaded from the pip package index and a package kept as a TAR file in the repository within the directory `/vendor`. Normally all packages are installed with `pip install -f /vendor -r requirements.txt`. I want to run GitLab’s `gemnasium-python-dependency-scanning` job against this repository, but Gemnasium attempts to download all packages listed in the requirements file, so it fails when it attempts to download the package stored in `/vendor` from the package index.

Is there a way to either:
- Tell Gemnasium to skip installing any packages and instead scan packages that are already installed
- Tell Gemnasium to run pip install with the -f flag
- Allow Gemnasium to continue executing if pip fails to download every package listed in the requirements file

I am using the Gemnasium python3.9 image. I have tried first installing the Python packages, then setting `PIP_DEPENDENCY_PATH` and `DS_PIP_DEPENDENCY_PATH` to the Python site-packages directory.