Skip to main content

Phylum PyPI Registry

The Phylum PyPI registry is based on Python's Simple repository API.

Configuration

All configuration options will require a Phylum API key, since Phylum requires authentication. You can find out how to generate one in our API Keys documentation.

In the following examples, all API keys will be represented as <PHYLUM_API_KEY>, so make sure to replace them with your generated key.

Additionally, if the default policy is not sufficient, a group can be passed to evaluate all packages against the group's policy. To do this, just replace <PHYLUM_ORG> and <PHYLUM_GROUP> with the desired org and group name. The supplied API key must have access to this group.

If Phylum's default policy is sufficient, you can omit the username from the authentication details.

pip

The easiest way to install a package using the Phylum PyPI registry is using pip's --index-url option:

pip install --index-url https://<PHYLUM_ORG>%2F<PHYLUM_GROUP>:<PHYLUM_API_KEY>@pypi.phylum.io/simple/ <requirement specifier>

To make this permanent for all pip invocations, you can add it to the pip configuration:

pip config set global.index-url https://<PHYLUM_ORG>%2F<PHYLUM_GROUP>:<PHYLUM_API_KEY>@pypi.phylum.io/simple/

⚠️ WARNING ⚠️

Do not accidentally save your token into your shell history.

A blocked package will show up in pip output as missing:

ERROR: Could not find a version that satisfies the requirement <malicious> (from versions: none)
ERROR: No matching distribution found for <malicious>

If a version range is accepted by the manifest, the package manager will automatically attempt to use a version that passes Phylum's policy.

poetry

With Poetry, the source URL can be configured per-project in the pyproject.toml file by using the following commands from within the project directory:

poetry source add phylum https://pypi.phylum.io/simple/
poetry config http-basic.phylum "<PHYLUM_ORG>%2F<PHYLUM_GROUP>" "<PHYLUM_API_KEY>"

⚠️ WARNING ⚠️

Do not accidentally save your token into your shell history.

A blocked package will show up in poetry output as missing:

Could not find a matching version of package <malicious>

If a version range is accepted by the manifest, the package manager will automatically attempt to use a version that passes Phylum's policy.