Feature request - pre-build / pre-read hook for security scanning

[f3flight]

Hi UV devs! Is it possible to make uv call some external tool before it attempts to build a package from source? Essentially, I'm looking for a way to pass all artifacts that UV fetches from certain external indexes through a security scanner before they are passed to unzip and more importantly, to python for execution (in case of sdists). Is that possible? If not, would it be possible to add such a feature? I was not able to find much on hooks available in uv right now.

[samypr100]

Curious, does this currently exists in pip? If so, how does it work?

[f3flight]

@samypr100 no, pip doesn't have such a feature. Nearest would be "pip download --only-binary :all:" + scanning the downloaded files. In our org we have made some patches to pip so I know where it handles download and file saving, also since pip is python it was easy for me to patch; But we seek to improve performance, and I'm looking at uv now. I would, however, like to avoid maintaining a custom uv fork, if possible, right now my rust skills are zero.

[samypr100]

Interesting. Closest might be something like discussed in #3400, althought albeit trickier due to the streaming nature since in your case you'd want to fully download first, "scan", and then extract, etc. which is afaik not how uv works under the hood even without the scan step.

From uv's perspective it might be better to rely on #3163 in the mean time once there's a suitable design / implementation (e.g. like #3163 (comment)).