
Exporting a lockfile

fyn can export a lockfile to different formats for integration with other tools and workflows. The fyn export command supports multiple output formats, each suited to different use cases.

For more details on lockfiles and how they're created, see the project layout and locking and syncing documentation.

Overview of export formats

fyn supports three export formats: requirements.txt, pylock.toml, and a CycloneDX v1.5 SBOM.

The format can be specified with the --format flag:

$ fyn export --format requirements.txt
$ fyn export --format pylock.toml
$ fyn export --format cyclonedx1.5

Tip

By default, fyn export prints to stdout. Use --output-file to write to a file for any format:

$ fyn export --format requirements.txt --output-file requirements.txt
$ fyn export --format pylock.toml --output-file pylock.toml
$ fyn export --format cyclonedx1.5 --output-file sbom.json

requirements.txt format

The requirements.txt format is the most widely supported format for Python dependencies. It can be used with pip and other Python package managers.

Basic usage

$ fyn export --format requirements.txt

The generated requirements.txt file can then be installed via fyn pip install, or with other tools like pip.
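Before installing an exported requirements.txt with pip, it is worth confirming that the export is actually a lockfile: every entry pinned to one exact version, ideally with a hash so pip can verify the downloaded artifacts. The following parser and checks are an added example written for this page, not fyn's code; the requirements text it reads is a constructed sample with hypothetical package names, versions and hashes, and the last two lines are deliberately unpinned so the checks have something to report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in requirements.txt style (hypothetical names, versions and
# hashes; this is not real fyn output). The last two entries are deliberately
# not pinned so the checks below have something to flag.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not an actual export
anyio==4.4.0 ; python_version >= "3.8" \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
idna==3.7 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
requests>=2.0   # a range, not an exact pin
sniffio
"""


@dataclass
class Requirement:
    name: str
    specifier: str            # e.g. "==4.4.0"; "" when no version is given
    marker: str               # environment marker after ';', "" if none
    hashes: list = field(default_factory=list)

    @property
    def is_pinned(self) -> bool:
        # Only an exact "==X.Y.Z" (no wildcard) reproduces the locked install.
        return self.specifier.startswith("==") and "*" not in self.specifier


# project name, optional [extras], then whatever follows (the version specifier)
_NAME_RE = re.compile(
    r"^([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)(?:\[[^\]]*\])?\s*(.*)$"
)


def _logical_lines(text: str):
    """Join backslash-continued lines; drop comments, blank lines and option lines."""
    buf = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        line = re.sub(r"(^|\s)#.*$", "", buf + raw).strip()
        buf = ""
        if line and not line.startswith("-"):
            yield line


def parse_requirements(text: str) -> list:
    """Parse requirements text into Requirement records (hashes and markers split out)."""
    reqs = []
    for line in _logical_lines(text):
        hashes = re.findall(r"--hash=(\S+)", line)
        line = re.sub(r"\s*--hash=\S+", "", line)
        body, _, marker = line.partition(";")
        m = _NAME_RE.match(body.strip())
        if not m:
            raise ValueError(f"unparseable requirement line: {line!r}")
        reqs.append(Requirement(m.group(1), m.group(2).strip(), marker.strip(), hashes))
    return reqs


def unpinned(reqs) -> list:
    """Names that are not locked to one exact version."""
    return [r.name for r in reqs if not r.is_pinned]


def without_hashes(reqs) -> list:
    """Names with no --hash; pip cannot verify these under --require-hashes."""
    return [r.name for r in reqs if not r.hashes]


if __name__ == "__main__":
    parsed = parse_requirements(SAMPLE_REQUIREMENTS)
    for r in parsed:
        print(f"{r.name:10} {r.specifier or '(unpinned)':12} "
              f"marker={r.marker!r} hashes={len(r.hashes)}")
    print("not pinned:", unpinned(parsed))
    print("no hash:   ", without_hashes(parsed))
```

Running the script against the constructed sample reports `requests` and `sniffio` as both unpinned and hash-less; a file with either list non-empty is not a faithful lockfile export and should not be installed as if it were.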

Note

In general, we recommend against using both a fyn.lock and a requirements.txt file. The fyn.lock format is more powerful and includes features that cannot be expressed in requirements.txt. If you find yourself exporting a fyn.lock file, consider opening an issue to discuss your use case.

pylock.toml format

PEP 751 defines a TOML-based lockfile format for Python dependencies. fyn can export your project's dependency lockfile to this format.

Basic usage

$ fyn export --format pylock.toml

CycloneDX SBOM format

fyn can export your project's dependency lockfile as a Software Bill of Materials (SBOM) in CycloneDX format. SBOMs provide a comprehensive inventory of all software components in your application, which is useful for security auditing, compliance, and supply chain transparency.

Important

Support for exporting to CycloneDX is in preview, and may change in any future release.

What is CycloneDX?

CycloneDX is an industry-standard format for creating Software Bill of Materials. CycloneDX is machine readable and widely supported by security scanning tools, vulnerability databases, and Software Composition Analysis (SCA) platforms.

Basic usage

To export your project's lockfile as a CycloneDX SBOM:

$ fyn export --format cyclonedx1.5

This will generate a JSON-encoded CycloneDX v1.5 document containing your project and all of its dependencies.

SBOM Structure

The generated SBOM follows the CycloneDX specification. fyn also includes the following custom properties on components:

  • fyn:package:marker: Environment markers (e.g., python_version >= "3.8")
  • fyn:workspace:path: Relative path for workspace members
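To consume the exported SBOM in your own tooling (for example, to confirm what a scanner will see), a small reader that validates the document header and surfaces the two fyn properties is enough. The code below is an added example, not fyn's implementation; the SBOM it parses is a constructed CycloneDX 1.5 document in the shape described above, with hypothetical package names, versions and a hypothetical workspace path. It also lists components without a `purl`, since SCA tools generally match components to vulnerability data by package URL; whether fyn emits a `purl` for workspace members is not stated on this page, so the sample simply omits one for the workspace component.

```python
import json

# Constructed CycloneDX 1.5 document in the shape the text describes
# (components carrying fyn:* properties). Package names, versions and
# paths are hypothetical; this is not an actual fyn export.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {"type": "application", "name": "example-app", "version": "0.1.0"}
    },
    "components": [
        {"type": "library", "name": "anyio", "version": "4.4.0",
         "purl": "pkg:pypi/anyio@4.4.0",
         "properties": [{"name": "fyn:package:marker", "value": 'python_version >= "3.8"'}]},
        {"type": "library", "name": "internal-lib", "version": "0.0.1",
         "properties": [{"name": "fyn:workspace:path", "value": "packages/internal-lib"}]},
        {"type": "library", "name": "idna", "version": "3.7", "purl": "pkg:pypi/idna@3.7"},
    ],
})


def load_sbom(text: str) -> dict:
    """Parse and sanity-check a CycloneDX 1.5 JSON document before trusting its contents."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError(f"not a CycloneDX document: bomFormat={doc.get('bomFormat')!r}")
    if doc.get("specVersion") != "1.5":
        raise ValueError(f"unexpected specVersion {doc.get('specVersion')!r}")
    if not isinstance(doc.get("components"), list):
        raise ValueError("missing components list")
    return doc


def properties(component: dict) -> dict:
    """Flatten CycloneDX's [{name, value}, ...] property list into a dict."""
    return {p["name"]: p["value"] for p in component.get("properties", [])}


def summarize(doc: dict) -> list:
    """One row per component, surfacing the fyn-specific properties."""
    rows = []
    for c in doc["components"]:
        props = properties(c)
        rows.append({
            "name": c.get("name"),
            "version": c.get("version"),
            "purl": c.get("purl"),
            "marker": props.get("fyn:package:marker"),
            "workspace_path": props.get("fyn:workspace:path"),
        })
    return rows


def without_purl(doc: dict) -> list:
    """Components that carry no package URL and so cannot be matched to advisories by purl."""
    return [c["name"] for c in doc["components"] if not c.get("purl")]


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for row in summarize(sbom):
        print(row)
    print("no purl:", without_purl(sbom))
```

Point `load_sbom` at the file written with `--output-file sbom.json` to inspect a real export; the header checks catch the common mistake of feeding an SPDX document or a different CycloneDX version to tooling that expects 1.5.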

Next steps

To learn more about lockfiles and exporting, see the locking and syncing documentation and the command reference.

Or, read on to learn how to build and publish your project to a package index.