现代Python开发指南：uv工具链、最佳实践与安全配置

modern-python by trailofbits/skills

1,300 周安装量

3,900 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/trailofbits/skills --skill modern-python

开发开发运维安全

🇨🇳中文介绍

现代 Python

基于 trailofbits/cookiecutter-python 的现代 Python 工具链和最佳实践指南。

何时使用此技能

创建新的 Python 项目或包
设置 pyproject.toml 配置
配置开发工具（代码检查、格式化、测试）
编写具有外部依赖的 Python 脚本
从旧版工具迁移（当用户提出请求时）

何时不应使用此技能

用户希望保留旧版工具链：如果明确要求，请尊重现有的工作流程
需要 Python < 3.11：这些工具面向现代 Python
非 Python 项目：Python 不是主要语言的混合代码库

应避免的反模式

避免使用	应使用
`[tool.ty]` python-version	`[tool.ty.environment]` python-version

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

工具	用途	替代
uv	包/依赖管理	pip, virtualenv, pip-tools, pipx, pyenv
ruff	代码检查和格式化	flake8, black, isort, pyupgrade, pydocstyle
ty	类型检查	mypy, pyright（更快的替代品）
pytest	带覆盖率的测试	unittest
prek	预提交钩子 (设置)	pre-commit（更快，Rust 原生）

工具	用途	何时运行
shellcheck	Shell 脚本检查	pre-commit
detect-secrets	密钥检测	pre-commit
actionlint	工作流语法验证	pre-commit, CI
zizmor	工作流安全审计	pre-commit, CI
pip-audit	依赖漏洞扫描	CI, 手动
Dependabot	自动化依赖更新	定时

快速开始：最小化项目

适用于不打算发布的简单多文件项目：

# 使用 uv 创建项目
uv init myproject
cd myproject

# 添加依赖
uv add requests rich

# 添加开发依赖
uv add --group dev pytest ruff ty

# 运行代码
uv run python src/myproject/main.py

# 运行工具
uv run pytest
uv run ruff check .

如果从零开始，询问用户是否更愿意使用 Trail of Bits 的 cookiecutter 模板来引导一个已预配置好工具的完整项目。

uvx cookiecutter gh:trailofbits/cookiecutter-python

1. 创建项目结构

uv init --package myproject
cd myproject

myproject/
├── pyproject.toml
├── README.md
├── src/
│   └── myproject/
│       └── __init__.py
└── .python-version

2. 配置 pyproject.toml

完整配置参考请见 pyproject.md。

[project]
name = "myproject"
version = "0.1.0"
requires-python = ">=3.11"
dependencies = []

[dependency-groups]
dev = [{include-group = "lint"}, {include-group = "test"}, {include-group = "audit"}]
lint = ["ruff", "ty"]
test = ["pytest", "pytest-cov"]
audit = ["pip-audit"]

[tool.ruff]
line-length = 100
target-version = "py311"

[tool.ruff.lint]
select = ["ALL"]
ignore = ["D", "COM812", "ISC001"]

[tool.pytest]
addopts = ["--cov=myproject", "--cov-fail-under=80"]

[tool.ty.terminal]
error-on-warning = true

[tool.ty.environment]
python-version = "3.11"

[tool.ty.rules]
# 新项目从一开始就严格
possibly-unresolved-reference = "error"
unused-ignore-comment = "warn"

# 安装所有依赖组
uv sync --all-groups

# 或安装特定组
uv sync --group dev

.PHONY: dev lint format test build

dev:
	uv sync --all-groups

lint:
	uv run ruff format --check && uv run ruff check && uv run ty check src/

format:
	uv run ruff format .

test:
	uv run pytest

build:
	uv build

当用户请求从旧版工具迁移时：

从 requirements.txt + pip

首先，确定代码的性质：

对于独立脚本：转换为 PEP 723 内联元数据（见 pep723-scripts.md）

# 在现有项目中初始化 uv
uv init --bare

# 使用 uv 添加依赖（而不是通过编辑 pyproject.toml）
uv add requests rich  # 添加每个包

# 或者从 requirements.txt 导入（添加前请审查每个包）
# 注意：复杂的版本说明符可能需要手动处理
grep -v '^#' requirements.txt | grep -v '^-' | grep -v '^\s*$' | while read -r pkg; do
    uv add "$pkg" || echo "Failed to add: $pkg"
done

uv sync

删除 requirements.txt, requirements-dev.txt
删除虚拟环境 (venv/, .venv/)
将 uv.lock 添加到版本控制

从 setup.py / setup.cfg

运行 uv init --bare 创建 pyproject.toml
使用 uv add 从 install_requires 添加每个依赖
使用 uv add --group dev 添加开发依赖
将非依赖元数据（名称、版本、描述等）复制到 [project]
删除 setup.py, setup.cfg, MANIFEST.in

从 flake8 + black + isort

通过 uv remove 移除 flake8, black, isort
删除 .flake8, pyproject.toml [tool.black], [tool.isort] 配置
添加 ruff: uv add --group dev ruff
添加 ruff 配置（见 ruff-config.md）
运行 uv run ruff check --fix . 来应用修复
运行 uv run ruff format . 来格式化

通过 uv remove 移除 mypy/pyright
删除 mypy.ini, pyrightconfig.json, 或 [tool.mypy]/[tool.pyright] 部分
添加 ty: uv add --group dev ty
运行 uv run ty check src/

快速参考：uv 命令

命令	描述
`uv init`	创建新项目
`uv init --package`	创建可发布的包
`uv add <pkg>`	添加依赖
`uv add --group dev <pkg>`	添加到依赖组
`uv remove <pkg>`	移除依赖
`uv sync`	安装依赖
`uv sync --all-groups`	安装所有依赖组
`uv run <cmd>`	在虚拟环境中运行命令
`uv run --with <pkg> <cmd>`	使用临时依赖运行
`uv build`	构建包
`uv publish`	发布到 PyPI

使用 `--with` 进行临时依赖

使用 uv run --with 来运行需要项目中没有的包的一次性命令：

# 使用临时包运行 Python
uv run --with requests python -c "import requests; print(requests.get('https://httpbin.org/ip').json())"

# 使用临时依赖运行模块
uv run --with rich python -m rich.progress

# 多个包
uv run --with requests --with rich python script.py

# 与项目依赖结合使用（添加到现有虚拟环境）
uv run --with httpx pytest  # 项目依赖 + httpx

何时使用 --with 与 uv add：

uv add：包是项目依赖（进入 pyproject.toml/uv.lock）
--with：一次性使用、测试，或在项目上下文之外的脚本

完整参考请见 uv-commands.md。

快速参考：依赖组

[dependency-groups]
dev = ["ruff", "ty"]
test = ["pytest", "pytest-cov", "hypothesis"]
docs = ["sphinx", "myst-parser"]

使用以下命令安装：uv sync --group dev --group test

对包使用 src/ 布局
设置 requires-python = ">=3.11"
使用 select = ["ALL"] 和显式忽略项来配置 ruff
使用 ty 进行类型检查
强制执行最低测试覆盖率（80%+）
使用依赖组而不是 extras 来管理开发工具
将 uv.lock 添加到版本控制
对独立脚本使用 PEP 723

migration-checklist.md - 逐步迁移清理
pyproject.md - 完整的 pyproject.toml 参考
uv-commands.md - uv 命令参考
ruff-config.md - Ruff 代码检查/格式化配置
testing.md - pytest 和覆盖率设置
pep723-scripts.md - PEP 723 内联脚本元数据
prek.md - 使用 prek 的快速预提交钩子
security-setup.md - 安全钩子和依赖扫描
dependabot.md - 自动化依赖更新

🇺🇸English

Modern Python

Guide for modern Python tooling and best practices, based on trailofbits/cookiecutter-python.

When to Use This Skill

Creating a new Python project or package
Setting up pyproject.toml configuration
Configuring development tools (linting, formatting, testing)
Writing Python scripts with external dependencies
Migrating from legacy tools (when user requests it)

When NOT to Use This Skill

User wants to keep legacy tooling : Respect existing workflows if explicitly requested
Python < 3.11 required: These tools target modern Python
Non-Python projects : Mixed codebases where Python isn't primary

Anti-Patterns to Avoid

Avoid	Use Instead
`[tool.ty]` python-version	`[tool.ty.environment]` python-version
`uv pip install`	`uv add` and `uv sync`
Editing pyproject.toml manually to add deps	`uv add <pkg>` / `uv remove <pkg>`
`hatchling` build backend	`uv_build` (simpler, sufficient for most cases)
Poetry	uv (faster, simpler, better ecosystem integration)
requirements.txt	PEP 723 for scripts, pyproject.toml for projects
mypy / pyright	ty (faster, from Astral team)
`[project.optional-dependencies]` for dev tools	`[dependency-groups]` (PEP 735)
Manual virtualenv activation (`source .venv/bin/activate`)	`uv run <cmd>`
pre-commit	prek (faster, no Python runtime needed)

Key principles:

Always use uv add and uv remove to manage dependencies
Never manually activate or manage virtual environments—use uv run for all commands
Use [dependency-groups] for dev/test/docs dependencies, not [project.optional-dependencies]

Decision Tree

What are you doing?
│
├─ Single-file script with dependencies?
│   └─ Use PEP 723 inline metadata (./references/pep723-scripts.md)
│
├─ New multi-file project (not distributed)?
│   └─ Minimal uv setup (see Quick Start below)
│
├─ New reusable package/library?
│   └─ Full project setup (see Full Setup below)
│
└─ Migrating existing project?
    └─ See Migration Guide below

Tool Overview

Tool	Purpose	Replaces
uv	Package/dependency management	pip, virtualenv, pip-tools, pipx, pyenv
ruff	Linting AND formatting	flake8, black, isort, pyupgrade, pydocstyle
ty	Type checking	mypy, pyright (faster alternative)
pytest	Testing with coverage	unittest
prek	Pre-commit hooks (setup)	pre-commit (faster, Rust-native)

Security Tools

Tool	Purpose	When It Runs
shellcheck	Shell script linting	pre-commit
detect-secrets	Secret detection	pre-commit
actionlint	Workflow syntax validation	pre-commit, CI
zizmor	Workflow security audit	pre-commit, CI
pip-audit	Dependency vulnerability scanning	CI, manual
Dependabot	Automated dependency updates	scheduled

See security-setup.md for configuration and usage.

Quick Start: Minimal Project

For simple multi-file projects not intended for distribution:

# Create project with uv
uv init myproject
cd myproject

# Add dependencies
uv add requests rich

# Add dev dependencies
uv add --group dev pytest ruff ty

# Run code
uv run python src/myproject/main.py

# Run tools
uv run pytest
uv run ruff check .

Full Project Setup

If starting from scratch, ask the user if they prefer to use the Trail of Bits cookiecutter template to bootstrap a complete project with already preconfigured tooling.

uvx cookiecutter gh:trailofbits/cookiecutter-python

1. Create Project Structure

uv init --package myproject
cd myproject

This creates:

myproject/
├── pyproject.toml
├── README.md
├── src/
│   └── myproject/
│       └── __init__.py
└── .python-version

2. Configure pyproject.toml

See pyproject.md for complete configuration reference.

Key sections:

[project]
name = "myproject"
version = "0.1.0"
requires-python = ">=3.11"
dependencies = []

[dependency-groups]
dev = [{include-group = "lint"}, {include-group = "test"}, {include-group = "audit"}]
lint = ["ruff", "ty"]
test = ["pytest", "pytest-cov"]
audit = ["pip-audit"]

[tool.ruff]
line-length = 100
target-version = "py311"

[tool.ruff.lint]
select = ["ALL"]
ignore = ["D", "COM812", "ISC001"]

[tool.pytest]
addopts = ["--cov=myproject", "--cov-fail-under=80"]

[tool.ty.terminal]
error-on-warning = true

[tool.ty.environment]
python-version = "3.11"

[tool.ty.rules]
# Strict from day 1 for new projects
possibly-unresolved-reference = "error"
unused-ignore-comment = "warn"

3. Install Dependencies

# Install all dependency groups
uv sync --all-groups

# Or install specific groups
uv sync --group dev

4. Add Makefile

.PHONY: dev lint format test build

dev:
	uv sync --all-groups

lint:
	uv run ruff format --check && uv run ruff check && uv run ty check src/

format:
	uv run ruff format .

test:
	uv run pytest

build:
	uv build

Migration Guide

When a user requests migration from legacy tooling:

From requirements.txt + pip

First, determine the nature of the code:

For standalone scripts : Convert to PEP 723 inline metadata (see pep723-scripts.md)

For projects :

# Initialize uv in existing project
uv init --bare

# Add dependencies using uv (not by editing pyproject.toml)
uv add requests rich  # add each package

# Or import from requirements.txt (review each package before adding)
# Note: Complex version specifiers may need manual handling
grep -v '^#' requirements.txt | grep -v '^-' | grep -v '^\s*$' | while read -r pkg; do
    uv add "$pkg" || echo "Failed to add: $pkg"
done

uv sync

Then:

Delete requirements.txt, requirements-dev.txt
Delete virtual environment (venv/, .venv/)
Add uv.lock to version control

From setup.py / setup.cfg

Run uv init --bare to create pyproject.toml
Use uv add to add each dependency from install_requires
Use uv add --group dev for dev dependencies
Copy non-dependency metadata (name, version, description, etc.) to [project]
Delete setup.py, setup.cfg, MANIFEST.in

From flake8 + black + isort

Remove flake8, black, isort via uv remove
Delete .flake8, pyproject.toml [tool.black], [tool.isort] configs
Add ruff: uv add --group dev ruff
Add ruff configuration (see ruff-config.md)
Run uv run ruff check --fix . to apply fixes
Run uv run ruff format . to format

From mypy / pyright

Remove mypy/pyright via uv remove
Delete mypy.ini, pyrightconfig.json, or [tool.mypy]/[tool.pyright] sections
Add ty: uv add --group dev ty
Run uv run ty check src/

Quick Reference: uv Commands

Command	Description
`uv init`	Create new project
`uv init --package`	Create distributable package
`uv add <pkg>`	Add dependency
`uv add --group dev <pkg>`	Add to dependency group
`uv remove <pkg>`	Remove dependency
`uv sync`	Install dependencies

Ad-hoc Dependencies with `--with`

Use uv run --with for one-off commands that need packages not in your project:

# Run Python with a temporary package
uv run --with requests python -c "import requests; print(requests.get('https://httpbin.org/ip').json())"

# Run a module with temporary deps
uv run --with rich python -m rich.progress

# Multiple packages
uv run --with requests --with rich python script.py

# Combine with project deps (adds to existing venv)
uv run --with httpx pytest  # project deps + httpx

When to use--with vs uv add:

uv add: Package is a project dependency (goes in pyproject.toml/uv.lock)
--with: One-off usage, testing, or scripts outside a project context

See uv-commands.md for complete reference.

Quick Reference: Dependency Groups

[dependency-groups]
dev = ["ruff", "ty"]
test = ["pytest", "pytest-cov", "hypothesis"]
docs = ["sphinx", "myst-parser"]

Install with: uv sync --group dev --group test

Best Practices Checklist

Use src/ layout for packages
Set requires-python = ">=3.11"
Configure ruff with select = ["ALL"] and explicit ignores
Use ty for type checking
Enforce test coverage minimum (80%+)
Use dependency groups instead of extras for dev tools
Add uv.lock to version control
Use PEP 723 for standalone scripts