Manage Python security with Thoth's cloud-based dependency resolver

March 7, 2022
Fridolin Pokorny, Maya Costantini
Related topics: Containers, Data Science, DevSecOps, Kubernetes, Python
Related products: Red Hat OpenShift
Developers and data scientists who want to build healthy, high-performance Python applications often face dependency-management challenges, including the security risks introduced by the dependencies they install. This article is a quick introduction to managing Python dependencies with Project Thoth. The included video tutorial shows how Thoth's cloud-based resolver finds problems in your Python dependencies and in the execution environment they run in. Thoth's resolver is a drop-in replacement for other Python resolvers such as pip, Pipenv, or Poetry, and its resolution process also works for applications built into container images.

    Thoth security for Python applications

Containerized environments offer a way to deploy applications to cluster orchestrators such as Kubernetes and Red Hat OpenShift. The base container image also supplies software that ships with the application and becomes part of its attack surface. Figure 1 shows the hardware and software underlying a typical Python application.

Figure 1. Various hardware, operating system, and Python library dependencies form the environment for an application.

Thoth inspects the Python dependencies and the containerized environment together, so the resolver can steer an application away from package versions with known security problems while still producing a set of dependencies that installs successfully. The following video tutorial gives an overview of how Thoth's cloud-based resolver resolves Python application dependencies.

    Managing vulnerabilities with Thoth

    Once you have an idea of how Thoth works, you can get started using its resolver to manage your Python dependencies. Our Managing vulnerabilities with Thoth tutorial guides you through installing and setting up the environment for Thoth's command-line utility, Thamos. You can start by using pip to install the utility:

    pip install thamos

Once you've installed Thamos, follow the tutorial to inspect an application from the Thoth Station cli-examples repository. The tutorial uses the classic Game of Life application to illustrate how to manage an application and its dependencies:

    git clone https://github.com/thoth-station/cli-examples
    cd cli-examples
    thamos advise

    The tutorial also presents a variety of command outputs and shows how to detect security flaws in your Python application dependencies. The linked extended video can walk you through key Thoth resolver features.
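A check to run on the lockfile after a resolver run, as an added example that is not code from Thoth, Thamos, or the cli-examples repository: it audits a Pipfile.lock (the format Pipenv writes and that `thamos advise` can produce for a Pipfile-based project) for dependencies that are unpinned or carry no sha256 hash, and verifies a fetched artifact against the hash the lockfile records. The lockfile contents and the wheel bytes are constructed for the example.

```python
"""Audit a Pipfile.lock the way a resolver's output should be checked before
it is installed: every dependency pinned to one version, every dependency
carrying a sha256 hash, and any fetched artifact matching a recorded hash."""
import hashlib
import json
from typing import Dict, List

# Constructed wheel contents and lockfile for this example; neither comes from
# Thoth, Thamos, or the cli-examples repository.
SAMPLE_WHEEL = b"constructed wheel contents for the example"
SAMPLE_WHEEL_SHA256 = "sha256:" + hashlib.sha256(SAMPLE_WHEEL).hexdigest()

SAMPLE_LOCK = {
    "_meta": {"pipfile-spec": 6},
    "default": {
        # Pinned and hashed: what a resolver should emit.
        "flask": {"version": "==2.0.3", "hashes": [SAMPLE_WHEEL_SHA256]},
        # Unpinned and without hashes: the installer may fetch any newer release.
        "requests": {"version": ">=2.0"},
        # Pinned but without hashes: the artifact cannot be verified on install.
        "urllib3": {"version": "==1.26.8", "hashes": []},
    },
    "develop": {},
}
SAMPLE_LOCK_TEXT = json.dumps(SAMPLE_LOCK)


def audit_lock(lock_text: str) -> Dict[str, List[str]]:
    """Return {package: [problems]} for the default and develop sections.

    An empty dict means every dependency is pinned to an exact version and
    carries at least one sha256 hash that pip can verify at install time.
    """
    lock = json.loads(lock_text)
    problems: Dict[str, List[str]] = {}
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            issues: List[str] = []
            version = spec.get("version", "")
            if not version.startswith("=="):
                issues.append(
                    f"not pinned to an exact version ({version or 'unspecified'})"
                )
            hashes = spec.get("hashes") or []
            if not any(h.startswith("sha256:") for h in hashes):
                issues.append("no sha256 hash recorded")
            if issues:
                problems[name] = issues
    return problems


def artifact_matches(artifact: bytes, recorded_hashes: List[str]) -> bool:
    """True when the artifact's sha256 equals one of the lockfile's hashes.

    Only sha256 entries can match: an md5 or sha1 entry left in a lockfile
    never satisfies the check.
    """
    digest = "sha256:" + hashlib.sha256(artifact).hexdigest()
    return digest in recorded_hashes


if __name__ == "__main__":
    for pkg, issues in audit_lock(SAMPLE_LOCK_TEXT).items():
        print(f"{pkg}: {'; '.join(issues)}")
    verified = artifact_matches(SAMPLE_WHEEL, SAMPLE_LOCK["default"]["flask"]["hashes"])
    print("flask artifact verified:", verified)
```

Point `audit_lock` at the real Pipfile.lock your resolver wrote; an unpinned or hash-less entry means the install step cannot guarantee it gets the same bytes the resolver evaluated, which is exactly the gap a dependency-confusion or package-substitution attack exploits.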

    Developing Project Thoth

    Project Thoth started as a research project in the Artificial Intelligence Center of Excellence (AICoE) group in 2018. Initially, the Thoth team consisted of two engineers, but it quickly expanded with new interns and hires. From 2018 until the time of this writing, the core repositories of Project Thoth accepted contributions from 49 engineers, approximately half of them external to the Thoth team. The number of repositories associated with the thoth-station organization on GitHub has grown to more than 180 (60 of which are now archived).

    Note: Project Thoth is also known as AIDevSecOps because of its role as part of a DevSecOps strategy.

    To support data aggregation, we've switched our main database twice, and during the whole development phase, the project has been deployed on seven OpenShift clusters. The system generated more than 1.9 TiB of data in these clusters, which were stored in Ceph. The production PostgreSQL database keeps more than 27GiB of mostly Python dependency data, aggregated by background aggregation logic that uses Argo Workflows and Strimzi.

Argo CD enforces GitOps practices for the deployments, and observability comes from Grafana dashboards built on the metrics OpenShift exposes. Tekton and AICoE-CI automate the container image builds, which are hosted on Quay. Prow checks make sure that contributions meet the project's quality bar before they merge.

    Engineers have given talks about various parts of the Thoth project more than 25 times in North America and Europe.

All the statistics above are current as of this writing, and we expect the project to keep growing. You can learn more about Project Thoth in the following articles on Red Hat Developer:

    • Inspecting containerized Python applications in a cluster

    • How to self-host a Python package index using Pulp

    • Extracting dependencies from Python packages

    • Extracting information from Python source code

    • Prevent Python dependency confusion attacks with Thoth

    • Build and extend containerized applications with Project Thoth

    • Customize Python dependency resolution with machine learning

    • Generating pseudorandom numbers in Python

    • Secure your Python applications with Thoth recommendations

    • Find and compare Python libraries with project2vec

    • Thoth prescriptions for resolving Python dependencies

    • Resolve Python dependencies with Thoth Dependency Monkey

    • micropipenv: Installing Python dependencies in containerized applications

    • Continuous learning in Project Thoth using Kafka and Argo

    • Can we consider --editable a bad practice?

    • Managing Python dependencies with the Thoth JupyterLab extension

    • Use Kebechet machine learning to perform source code operations

    • AI software stack inspection with Thoth and TensorFlow

    • Microbenchmarks for AI applications using Red Hat OpenShift on PSI in project Thoth

    Connect with the Thoth team!

    As part of Project Thoth, we are accumulating knowledge to help Python developers create healthy applications. If you would like to follow updates, feel free to subscribe to our YouTube channel or follow us on the @ThothStation Twitter handle.

Even though the project is in its early stages, we are constantly improving its stability and reliability, and we welcome feedback. To send us feedback or get involved in improving the Python ecosystem, open an issue in the Thoth Station support repository, or reach the Thoth team directly on Twitter. You can report issues you've spotted in open source Python libraries to the support repository, or write prescriptions for the resolver yourself and submit them to our prescriptions repository. Either way, you help the cloud-based resolver produce better recommendations for the whole Python community.

    Last updated: September 20, 2023
