uv.lock Processor

The uv.lock processor parses Python uv.lock files to extract all resolved package dependencies with their exact versions.

Default File

uv.lock

What It Does

uv.lock is a TOML-formatted lock file generated by uv (a fast Python package installer and resolver). It contains the exact resolved versions of all dependencies.

The processor:

  • Extracts all packages from the lock file (both direct and transitive dependencies)
  • Captures exact versions from the version field
  • Processes all entries in the [[package]] array

Supported Formats

Package with Name and Version

```toml
[[package]]
name = "requests"
version = "2.31.0"
```

Result: Package requests with version 2.31.0

Malformed Entry

```toml
[[package]]
name = "incomplete-package"
# Missing version field
```

Result: Entry skipped (both name and version are required)

What It Doesn't Detect

The uv.lock scanner only processes package entries in lock files. It does not detect:

Malformed entries:

  • Missing name field - Package entries without a name are skipped
  • Missing version field - Package entries without a version are skipped

Not detected from the project:

  • Standalone pyproject.toml files - Only uv.lock is supported; pyproject.toml alone is not processed
  • Dependencies not in uv.lock - Any packages installed or used that are not listed in the lock file
  • Manually copied Python libraries - Code copied directly into your project
  • Embedded or copy-pasted code - Open source code integrated without declaring dependencies

WARNING

Ensure the lock file is up to date before scanning:

```bash
uv lock
```

For complete open source detection including undeclared components and copied code, enable the OSS Knowledge Base scanning option in the Scanners step, which analyzes actual file content to identify all open source usage.