Convert uv (Astral's ultra-fast Python package manager) project metadata (pyproject.toml + uv.lock) into Pipenv (Pipfile + Pipfile.lock) so tools (notably Veracode) that do not yet support uv projects can successfully perform dependency / SCA & static scans.
- Why does this exist?
- Features
- Installation
- Quick start
- CLI options
- Authenticated indices
- How it works
- Limitations
- Contributing
- FAQ
- Inspiration & Acknowledgements
- License
As of 2025, Veracode's Python ecosystem detection supports projects that use Poetry or Pipenv (and classic requirements.txt flows in some pipelines). The emerging uv workflow produces a uv.lock file which Veracode currently ignores, resulting in scans that:
- Fail to identify transitive dependencies
- Report missing package manager / manifest warnings
- Potentially under-report vulnerable packages
uv-burn acts as a compatibility bridge: it synthesizes a Pipfile + fully hashed Pipfile.lock from your existing pyproject.toml & uv.lock, preserving:
- Sources / custom indices (including auth via environment variables)
- Resolved versions and hashes
- Python version requirements
- Markers (incl. per‑package python_version constraints fetched from indexes when needed)
No re-resolution is attempted: the tool faithfully projects the lock state into the Pipenv schema.
NOTE: This project is not affiliated with Astral, Pipenv, or Veracode. It's a pragmatic helper until native
uvsupport lands in security tooling.
- Multi-
pyproject.tomldiscovery (monorepos) - Converts
uv.lock+ all discovered project dependency declarations into:PipfilePipfile.lock(hashes, markers, indices)
- Preserves custom package indices (adds default PyPI if missing)
- Fetches per-package
requires-pythonmarkers from indices to build accurate Pipenv markers - Deterministic hashing (matches Pipenv's lock hash approach for meta section)
- Async index fetch for performance
- Safe by default: refuses to overwrite unless
--force
Install from source (until published on PyPI):
pip install uv-burn
# From a local clone
pip install -e .Inside a repository that already contains at least one pyproject.toml and a uv.lock:
uv-burn .Outputs (by default in the provided root path):
PipfilePipfile.lock
uv-burn [ROOT_PATH] [--output PATH] [--force] [--verbose]
| Option | Description |
|---|---|
ROOT_PATH |
Root directory to scan (recursive) for pyproject.toml + uv.lock. |
-o, --output |
Directory to write Pipfile + Pipfile.lock (defaults to root). |
-f, --force |
Overwrite existing Pipfile artifacts if present. |
-v, --verbose |
Enable debug logging (rich formatted). |
uv-burn ./services/ --output ./pipenv-export/Environment variables are auto-detected per index name:
UV_INDEX_<INDEXNAME>_USERNAME
UV_INDEX_<INDEXNAME>_PASSWORD
Example for an index declared as name = "internal":
export UV_INDEX_INTERNAL_USERNAME=myuser
export UV_INDEX_INTERNAL_PASSWORD=secret
uv-burn .- Recursively finds all
pyproject.tomlfiles - Loads
uv.lock - Builds a combined source list (default PyPI + declared
tool.uv.indices) - Parses project dependencies (markers, extras, direct URLs / git)
- Computes
Pipfilemeta hash - For each external package in the lock:
- Gathers wheel / sdist hashes
- Enriches with
requires-python(queried from the index JSON Simple API) - Builds Pipenv marker string
- Writes
Pipfile+ JSONPipfile.lock
- Not meant for project conversion; keep using
uvfor development - Development dependencies currently not exported (section left empty)
- Does not re-resolve dependencies; assumes
uv.lockis authoritative - Only first discovered project's
requires-pythonused for Pipfilerequires(multi-root nuance) - Git / direct URL dependencies: basic handling; lock fidelity may vary if Pipenv's semantics differ
- Does not attempt environment marker normalization beyond Python version & those present in
uv.lock
Pull requests welcome! Suggested flow:
- Fork & create a feature branch
- Maintain style (ruff rules configured)
- Add / adapt tests (to be added as project matures)
- Open PR explaining motivation / behaviour change
uv syncRun lint:
ruff check .Run formatting:
ruff format .Q: Why not have Veracode just support uv?
We're waiting. This tool fills the interim gap.
Q: Is the produced Pipfile intended for ongoing dev use?
Primarily for scanning artifacts; you should keep uv as your development workflow.
Q: Are hashes trustworthy?
Hashes are taken from uv.lock entries (wheels / sdist) without modification.
Q: What about license compliance scans?
Those should work once dependencies are discoverable via the synthesized Pipfile.lock.
- Astral for
uv
MIT – see LICENSE file.