# SCM integration support for Python

{% hint style="warning" %}
Python packages that are operating system-specific and not supported by Linux may not be compatible with Snyk SCM scans, leading to errors.
{% endhint %}

To scan your Projects, you must ensure your repository contains the supported manifest files.

## Set the Python version in SCM Projects

When scanning Pip Projects imported from an SCM integration, Snyk uses the version of Python specified in Organization settings or `.snyk` files.

{% hint style="info" %}
It is important to specify the correct Python version for your Organization, as it can affect the version of dependencies used in scanning your Projects.
{% endhint %}

Snyk uses a recent `patch` version for each of the supported `minor` versions.

By default, Snyk tests Pip Projects using Python 3.7.

{% hint style="warning" %}
The behavior of imports, re-tests, and PR checks for Projects with dependencies requiring a higher version of Python varies according to the version specified:

* Python 3.8 or above: scans will fail with an [error](https://docs.snyk.io/scan-with-snyk/error-catalog) message that includes details of the first failed package, the Python version it requires, and the Python version used.
* Python 2.7 or 3.7: scans will succeed, but the incompatible dependencies are omitted from the results.
{% endhint %}

To define which Python minor version Snyk uses to test your Pip Projects imported using SCM integrations, you can use Organization settings or a [`.snyk` policy file](https://docs.snyk.io/manage-risk/policies/the-.snyk-file).

To define the Python version for all Projects in an Organization:

1. Log in to your Snyk account and navigate to the relevant Group and Organization.
2. Select **Settings** > **Snyk Open Source**.
3. Select **Edit settings** for **Python**.
4. From the **Python version** dropdown, select the Python version to use when testing Projects for this Organization.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-34dcf0fb78b80a44d3435dd6f2368a052efd345e%2Fpython-version.png?alt=media" alt="Pip Python version settings"><figcaption><p>Pip Python version settings</p></figcaption></figure>

If you need a Project in an Organization to use a different Python version, you can add a `.snyk` file to the Project repository and specify the desired version.

```yaml
language-settings:
  python: '3.10'
```

The `.snyk` file must be in the same directory as the Project manifest file.

Snyk will select which Python version to use according to the `major`, `minor` and `patch` versions specified in the `.snyk` file.

* `Major` version only (for example, 2 or 3): scanned with default `minor` versions - 2.7 or 3.7
* `Major` and `minor` version (for example, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14): scanned with 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, or 3.14
* `Major`, `minor` and `patch` version (for example, 3.8.x, 3.9.x, 3.10.x, 3.11.x, 3.12.x, 3.13.x): the specific `patch` version is ignored, and the Project is scanned with the default versions of 3.8, 3.9, 3.10, 3.11, 3.12, 3.13 or 3.14
* Any versions specified with an unsupported `minor` version: defaults to 2.7 or 3.7
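The rules above can be checked before a `.snyk` file is committed, since a value that falls back to 3.7 silently changes which dependency versions get scanned. The following resolver is an added example written for this page, not Snyk's code; it applies the four rules to a version string and also reads the `language-settings.python` key from `.snyk` text. It treats an unquoted `x.y` value as a YAML number (so `3.10` reads as `3.1`), which is the reason the page quotes the value as `'3.10'`; that Snyk's own loader behaves the same way is an assumption.

```python
import re

# Minor versions the page lists as supported, keyed by major version.
SUPPORTED_MINORS = {"2": {"7"}, "3": {"7", "8", "9", "10", "11", "12", "13", "14"}}
DEFAULT_MINOR = {"2": "7", "3": "7"}   # used for a major-only or unsupported-minor spec


def resolve_python_version(spec: str) -> str:
    """Map a language-settings.python value to the minor version Snyk scans with."""
    parts = str(spec).strip().split(".")
    major = parts[0]
    if major not in SUPPORTED_MINORS:
        raise ValueError(f"unsupported Python major version: {spec!r}")
    if len(parts) == 1:                            # "3" -> 3.7, "2" -> 2.7
        return f"{major}.{DEFAULT_MINOR[major]}"
    minor = parts[1]                               # any patch component is ignored
    if minor not in SUPPORTED_MINORS[major]:       # e.g. "3.6" -> 3.7
        return f"{major}.{DEFAULT_MINOR[major]}"
    return f"{major}.{minor}"


# The python key inside the language-settings block; group q captures the quote, if any.
_PY_KEY = re.compile(r"^[ \t]+python:[ \t]*(?P<q>['\"]?)(?P<v>[^'\"#\s]+)(?P=q)[ \t]*(?:#.*)?$", re.M)


def python_version_from_snyk(snyk_text: str):
    """Resolve the version a .snyk file asks for; None when the key is absent
    (Organization settings then apply).  An unquoted x.y value is a YAML number,
    so 3.10 is read as 3.1 (assumed to match Snyk's loader); that is why the
    page quotes the value as '3.10'."""
    m = _PY_KEY.search(snyk_text)
    if not m:
        return None
    value = m.group("v")
    if not m.group("q") and re.fullmatch(r"\d+\.\d+", value):
        value = str(float(value))                  # YAML float semantics: 3.10 -> 3.1
    return resolve_python_version(value)
```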

## SCM repositories and Pip

The following dependencies are not supported and are removed before the file is scanned. The remaining dependencies are included in the scan.

* Private PyPI repos
* `file://`, regular URLs, relative paths, and more generally URIs in `requirements.txt` files
* Setting a different package index with `--index-url`, `-i`, `--extra-index-url`
* Specifying dependency archive locations with `--find-links`, `-f`
* Installing a dependency in editable mode with `--editable`, `-e`
* Relying on a version constraints file with `--constraint`, `-c`
* Including another requirement file with `--requirement`, `-r`
* Specific packages: `virtualenv` and `pip` for Python 2.7 and 3.7
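Because these entries are removed without failing the scan, a dependency that is only reachable through a private index, a local path or an editable install is a blind spot in the results. The following pre-flight check is an added example written for this page, not Snyk's code: it splits a constructed `requirements.txt` into the entries that will be scanned and the entries the list above says are dropped, with the reason for each. The index URL, paths and package names in the sample are placeholders.

```python
import re

# Requirement-file options the page lists as unsupported, mapped to their long form.
OPTION_FLAGS = {
    "-i": "--index-url", "--index-url": "--index-url",
    "--extra-index-url": "--extra-index-url",
    "-f": "--find-links", "--find-links": "--find-links",
    "-e": "--editable", "--editable": "--editable",
    "-c": "--constraint", "--constraint": "--constraint",
    "-r": "--requirement", "--requirement": "--requirement",
}
# Anything pip resolves as a URL or a path (file://, https://, git+..., ./dir, name @ url).
URI_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|\.{1,2}(?:/|$)|/|.*\s@\s*[a-z][a-z0-9+.-]*://)", re.I)
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")
REMOVED_PACKAGES = {"pip", "virtualenv"}          # removed on Python 2.7 and 3.7 only


def split_requirements(text: str, python_version: str = "3.7"):
    """Split requirements.txt text into (scanned, dropped); dropped holds (line, reason)."""
    scanned, dropped = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        line = re.split(r"\s#", line, maxsplit=1)[0].strip()   # strip trailing comment
        if not line:
            continue
        token = re.split(r"[\s=]", line, maxsplit=1)[0]        # "-i", "--index-url=..."
        name = NAME_RE.match(line)
        if token in OPTION_FLAGS:
            dropped.append((line, f"{OPTION_FLAGS[token]} is not supported"))
        elif URI_RE.match(line):
            dropped.append((line, "URI or path requirement is not supported"))
        elif name and name.group(0).lower() in REMOVED_PACKAGES and python_version in {"2.7", "3.7"}:
            dropped.append((line, f"{name.group(0)} is removed for Python {python_version}"))
        else:
            scanned.append(line)
    return scanned, dropped


# Constructed sample; the index URL, paths and package names are placeholders.
SAMPLE = """\
# constructed requirements.txt
--index-url https://pypi.internal.example/simple
-r base.txt
-e ./libs/mytool
requests==2.31.0
cryptography>=41.0  # pinned by policy
./vendor/legacy-0.1.tar.gz
mypkg @ https://files.example.org/mypkg-1.0-py3-none-any.whl
virtualenv==20.25.0
"""
```

Run `split_requirements(SAMPLE)` to list the dropped entries with their reasons; pass `python_version="3.11"` to see `virtualenv` kept, as the last rule above only applies to 2.7 and 3.7.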

To scan Pip Projects, Snyk analyzes your `requirements.txt` files using native `pip` tooling in an isolated Linux environment.

Pip Projects scanned using the SCM integration will be given the same name as the directory where they are located.

Snyk imports any file that follows the `**/*req*.txt` pattern. This can help if you have renamed the `requirements.txt` files, for example, to `requirements-dev.txt`.

Snyk also looks for files using the `**/requirements/*.txt` pattern. This can help if you have placed your files in a `requirements` folder, for example, `requirements/requirements.txt`.

If you are using a package manager that creates different manifest file formats from `requirements.txt`, then you may be able to convert or export the manifest file to the `requirements.txt` format.

The following example shows how `dephell` converts a Conda `environments.yml` file to `requirements.txt`:

```bash
dephell deps convert --from=conda --to=requirements.txt
```

## SCM repositories and Poetry

Poetry v1 and v2 are supported.

To scan Poetry Projects, Snyk inspects your `pyproject.toml` and `poetry.lock` files.

You can choose whether Snyk should include [dev dependencies](https://python-poetry.org/docs/managing-dependencies/) when scanning your Poetry Projects.

Snyk regards non-dev dependencies to be those declared in `tool.poetry.dependencies`, the implicit `main` group. All others are classed as dev dependencies.

Poetry dev dependencies are not included in scans by default. To change this, modify your settings as follows:

1. Log in to your Snyk account and navigate to the relevant Group and Organization.
2. Select **Settings** > **Languages**.
3. Select **Edit settings** for **Python**.
4. Enable or disable the **Scan Poetry dev dependencies** option under the **Poetry dev dependencies** settings.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-2d16f695ed723b6a052141334e74a2cd1ce11754%2Fimage.png?alt=media" alt="Poetry dev dependency settings"><figcaption><p>Poetry dev dependency settings</p></figcaption></figure>

A known limitation for Poetry is mixed `include` entries in `pyproject.toml`.

Poetry scans fail with an unparsable manifest (unable to parse `pyproject.toml`) error if mixed `include` entries are defined in `pyproject.toml`.

Under `[tool.poetry]`, Poetry allows `include` to mix plain path strings and `{ path = "...", format = [...] }` inline tables in one array. That is valid TOML 1.0 and a valid Poetry configuration.

Snyk’s Poetry analysis parses `pyproject.toml` with a TOML implementation that does not accept mixed-type inline arrays. Parsing stops at that array, so the file is treated as invalid before dependency logic runs.

Example of a failing configuration:

```toml
include = [
  "py.typed",
  { path = "src/my_package/templates/**/*", format = ["sdist", "wheel"] },
]
```

To fix this issue, use only one shape for every entry. For example, use only inline tables:

```toml
include = [
  { path = "py.typed" },
  { path = "src/my_package/templates/**/*", format = ["sdist", "wheel"] },
]
```
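Both Poetry rules on this page, the main-versus-dev classification and the mixed `include` limitation, can be checked from the manifest before import. The following added example (written for this page, not Snyk's or Poetry's code) parses a constructed `pyproject.toml` with `tomllib`, which ships with Python 3.11 and later (the `tomli` fallback is assumed on older interpreters). Note that `tomllib` accepts the mixed array, since it is valid TOML 1.0, so the check must inspect the element types rather than rely on a parse error; package names and paths in the sample are placeholders.

```python
try:
    import tomllib                    # standard library on Python 3.11+
except ModuleNotFoundError:           # older interpreters: pip install tomli
    import tomli as tomllib


def _poetry_table(pyproject_text: str) -> dict:
    return tomllib.loads(pyproject_text).get("tool", {}).get("poetry", {})


def classify_poetry_dependencies(pyproject_text: str) -> dict:
    """tool.poetry.dependencies (the implicit main group) is main; every other
    group, including the legacy dev-dependencies table, is dev.  The 'python'
    entry is the interpreter constraint, not a package, so it is skipped."""
    poetry = _poetry_table(pyproject_text)
    main = [n for n in poetry.get("dependencies", {}) if n != "python"]
    dev = list(poetry.get("dev-dependencies", {}))
    for group in poetry.get("group", {}).values():
        dev.extend(group.get("dependencies", {}))
    return {"main": sorted(main), "dev": sorted(dev)}


def mixed_include_entries(pyproject_text: str) -> bool:
    """True when tool.poetry.include mixes plain strings with inline tables.
    tomllib accepts the mix (valid TOML 1.0), so element types are inspected
    explicitly to predict the parse failure described above."""
    kinds = {type(entry) for entry in _poetry_table(pyproject_text).get("include", [])}
    return len(kinds) > 1


# Constructed pyproject.toml; package names and paths are placeholders.
PYPROJECT = """\
[tool.poetry]
include = [
  "py.typed",
  { path = "src/my_package/templates/**/*", format = ["sdist", "wheel"] },
]

[tool.poetry.dependencies]
python = "^3.11"
requests = "^2.31"

[tool.poetry.group.dev.dependencies]
pytest = "^8.0"

[tool.poetry.group.docs.dependencies]
sphinx = "^7.0"
"""
```

With dev-dependency scanning left at its default, only `requests` from this sample is scanned; `pytest` and `sphinx` are dev, and `mixed_include_entries(PYPROJECT)` reports the manifest that would fail to parse.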

## SCM repositories and Pipenv

{% hint style="warning" %}
Private PyPI mirrors are not supported. `Pipfiles` specifying a private mirror as their only source will not be imported.
{% endhint %}

To scan Pipenv Projects, Snyk analyzes your `Pipfile` and `Pipfile.lock` files using native `pipenv` tooling in an isolated Linux environment.

{% hint style="info" %}
Packages from private repositories and those with non-Linux OS requirements may be unresolvable and omitted from the dependency tree.

If a `Pipfile.lock` is present, any unresolved packages it contains are added to the top level of the dependency tree using versions from the lock file.
{% endhint %}

You can choose whether Snyk should include dependencies specified in `[dev-packages]` when scanning your Pipenv Projects.

Pipenv dev dependencies are not included in scans by default. To change this, modify your settings as follows:

1. Log in to your Snyk account and navigate to the relevant Group and Organization.
2. Select **Settings** > **Languages**.
3. Select **Edit settings** for **Python**.
4. Enable or disable the **Scan Pipenv dev dependencies** option under the **Pipenv** settings.

<figure><img src="https://2533899886-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MdwVZ6HOZriajCf5nXH%2Fuploads%2Fgit-blob-862f2bec8ded2f4cb2f9bc24bf546b6de847713c%2Fimage.png?alt=media" alt="Pipenv dev dependency settings"><figcaption><p>Pipenv dev dependency settings</p></figcaption></figure>
