[BUGFIX] sonarcloud: Omitting "--only-binary :all:" can lead to the execution of setup scripts. Make sure it is safe here.

Gonzalo Diaz · Gonzalo Diaz · commit f9486f89309b · 2026-05-29T22:46:21.000-04:00
diff --git a/.github/workflows/snyk-code.yml b/.github/workflows/snyk-code.yml
@@ -15,6 +15,12 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@master
+      - name: Install Pipenv
+        run: >
+          sudo apt install pipenv
+      - name: Install dependencies with Pipenv
+        run: |
+          pipenv sync --dev
       - name: Run Snyk to check for vulnerabilities
         uses: snyk/actions/python@9adf32b1121593767fc3c057af55b55db032dc04
         continue-on-error: true # To make sure that SARIF upload gets called
@@ -23,7 +29,7 @@ jobs:
         with:
           args: >
             --print-deps
-            --file=Pipfile.lock
+            --file=Pipfile
             --command=python3
             --sarif-file-output=snyk-code.sarif
       - name: Upload result to GitHub Code Scanning
diff --git a/Dockerfile b/Dockerfile
@@ -49,7 +49,8 @@ COPY ./CODE_OF_CONDUCT.md ${WORKDIR}/
 
 # Code source
 COPY ./src/ ${WORKDIR}/src
-COPY ./requirements.txt ${WORKDIR}/
+COPY Pipfile ${WORKDIR}/
+COPY Pipfile.lock ${WORKDIR}/
 COPY ./setup.cfg ${WORKDIR}/
 COPY ./Makefile ${WORKDIR}/
 
