Pipfile.lock Processor

The Pipfile.lock processor parses Python Pipfile.lock files to extract resolved package dependencies with their exact versions.

Default File

Pipfile.lock

What It Does

Pipfile.lock is a JSON-formatted lock file generated by Pipenv that contains the exact resolved versions of all dependencies.

The processor:

  • Extracts production dependencies from the default section only
  • Captures exact versions when specified with == operator
  • Ignores development dependencies from the develop section

Supported Formats

Package with Exact Version

```json
{
  "default": {
    "requests": {
      "version": "==2.31.0"
    }
  }
}
```

Result: Package requests with version 2.31.0

Package with Version Range

```json
{
  "default": {
    "some-package": {
      "version": ">=1.0.0,<2.0.0"
    }
  }
}
```

Result: Package some-package with no version specified (ranges not resolved)

Package without Version Field

```json
{
  "default": {
    "some-package": {
      "hashes": ["sha256:..."]
    }
  }
}
```

Result: Package some-package with no version specified
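As an added example (not the scanner's own code), the following Python function applies the three rules above to a constructed Pipfile.lock: only the default section is read, a version is kept only for an exact == pin, and ranges or missing version fields yield a package with no version. The sample lock content, the Dependency class and the parse_pipfile_lock name are assumptions for this illustration.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample Pipfile.lock content (not from a real project): one exact
# pin, one version range, one entry without a version field, and a develop
# entry that the processor rules say must be ignored.
SAMPLE_LOCK = """
{
  "_meta": {"hash": {"sha256": "placeholder"}},
  "default": {
    "requests": {"version": "==2.31.0", "hashes": ["sha256:placeholder"]},
    "some-package": {"version": ">=1.0.0,<2.0.0"},
    "other-package": {"hashes": ["sha256:placeholder"]}
  },
  "develop": {
    "pytest": {"version": "==8.0.0"}
  }
}
"""


@dataclass(frozen=True)
class Dependency:
    name: str
    version: Optional[str]  # None when the lock file gives no exact pin


def parse_pipfile_lock(text: str) -> list:
    """Return the default-section packages, with a version only for exact pins."""
    data = json.loads(text)
    deps = []
    # Only "default" is inspected; "develop" is deliberately skipped.
    for name, entry in sorted(data.get("default", {}).items()):
        spec = entry.get("version") if isinstance(entry, dict) else None
        version = None
        # An exact pin is a single "==" specifier; ranges ("," present),
        # wildcards ("==2.*") and arbitrary-equality ("===") are not resolved.
        if (isinstance(spec, str) and spec.startswith("==")
                and not spec.startswith("===")
                and "," not in spec and "*" not in spec):
            version = spec[2:].strip()
        deps.append(Dependency(name, version))
    return deps


if __name__ == "__main__":
    for dep in parse_pipfile_lock(SAMPLE_LOCK):
        print(dep.name, dep.version or "(no version)")
```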

What It Doesn't Detect

The Pipfile.lock scanner only processes the default section of lock files. It does not detect:

  • Development dependencies - Packages in the develop section are not extracted
  • Standalone Pipfile files - Only Pipfile.lock is supported; Pipfile alone is not processed
  • Dependencies not in Pipfile.lock - Any packages installed or used that are not listed in the lock file
  • Manually copied Python libraries - Code copied directly into your project
  • Embedded or copy-pasted code - Open source code integrated without declaring dependencies

WARNING

If your project uses Pipenv, ensure the lock file is generated before scanning:

```bash
pipenv lock
```

For complete open source detection including undeclared components and copied code, enable the OSS Knowledge Base scanning option in the Scanners step, which analyzes actual file content to identify all open source usage.