trailofbits/modern-python

Modern Python

Guide for modern Python tooling and best practices, based on trailofbits/cookiecutter-python.

When to Use This Skill

• Creating a new Python project or package
• Setting up pyproject.toml configuration
• Configuring development tools (linting, formatting, testing)
• Writing Python scripts with external dependencies
• Migrating from legacy tools (when user requests it)

When NOT to Use This Skill

• User wants to keep legacy tooling: Respect existing workflows if explicitly requested
• Python < 3.11 required: These tools target modern Python
• Non-Python projects: Mixed codebases where Python isn't primary

Anti-Patterns to Avoid

| Avoid | Use Instead | |-------|-------------| | [tool.ty] python-version | [tool.ty.environment] python-version | | uv pip install | uv add and uv sync | | Editing pyproject.toml manually to add deps | uv add <pkg> / uv remove <pkg> | | hatchling build backend | uv_build (simpler, sufficient for most cases) | | Poetry | uv (faster, simpler, better ecosystem integration) | | requirements.txt | PEP 723 for scripts, pyproject.toml for projects | | mypy / pyright | ty (faster, from Astral team) | | [project.optional-dependencies] for dev tools | [dependency-groups] (PEP 735) | | Manual virtualenv activation (source .venv/bin/activate) | uv run <cmd> | | pre-commit | prek (faster, no Python runtime needed) |

Key principles:

• Always use uv add and uv remove to manage dependencies
• Never manually activate or manage virtual environments—use uv run for all commands
• Use [dependency-groups] for dev/test/docs dependencies, not [project.optional-dependencies]

Decision Tree

What are you doing?
│
├─ Single-file script with dependencies?
│   └─ Use PEP 723 inline metadata (./references/pep723-scripts.md)
│
├─ New multi-file project (not distributed)?
│   └─ Minimal uv setup (see Quick Start below)
│
├─ New reusable package/library?
│   └─ Full project setup (see Full Setup below)
│
└─ Migrating existing project?
    └─ See Migration Guide below

Tool Overview

| Tool | Purpose | Replaces | |------|---------|----------| | uv | Package/dependency management | pip, virtualenv, pip-tools, pipx, pyenv | | ruff | Linting AND formatting | flake8, black, isort, pyupgrade, pydocstyle | | ty | Type checking | mypy, pyright (faster alternative) | | pytest | Testing with coverage | unittest | | prek | Pre-commit hooks (setup) | pre-commit (faster, Rust-native) |

Security Tools

| Tool | Purpose | When It Runs | |------|---------|--------------| | shellcheck | Shell script linting | pre-commit | | detect-secrets | Secret detection | pre-commit | | actionlint | Workflow syntax validation | pre-commit, CI | | zizmor | Workflow security audit | pre-commit, CI | | pip-audit | Dependency vulnerability scanning | CI, manual | | Dependabot | Automated dependency updates | scheduled |

See security-setup.md for configuration and usage.

Quick Start: Minimal Project

For simple multi-file projects not intended for distribution:

# Create project with uv
uv init myproject
cd myproject

# Add dependencies
uv add requests rich

# Add dev dependencies
uv add --group dev pytest ruff ty

# Run code
uv run python src/myproject/main.py

# Run tools
uv run pytest
uv run ruff check .

Full Project Setup

If starting from scratch, ask the user if they prefer to use the Trail of Bits cookiecutter template to bootstrap a complete project with already preconfigured tooling.

uvx cookiecutter gh:trailofbits/cookiecutter-python

1. Create Project Structure

uv init --package myproject
cd myproject

This creates:

myproject/
├── pyproject.toml
├── README.md
├── src/
│   └── myproject/
│       └── __init__.py
└── .python-version

2. Configure pyproject.toml

See pyproject.md for complete configuration reference.

Key sections:

[project]
name = "myproject"
version = "0.1.0"
requires-python = ">=3.11"
dependencies = []

[dependency-groups]
dev = [{include-group = "lint"}, {include-group = "test"}, {include-group = "audit"}]
lint = ["ruff", "ty"]
test = ["pytest", "pytest-cov"]
audit = ["pip-audit"]

[tool.ruff]
line-length = 100
target-version = "py311"

[tool.ruff.lint]
select = ["ALL"]
ignore = ["D", "COM812", "ISC001"]

[tool.pytest]
addopts = ["--cov=myproject", "--cov-fail-under=80"]

[tool.ty.terminal]
error-on-warning = true

[tool.ty.environment]
python-version = "3.11"

[tool.ty.rules]
# Strict from day 1 for new projects
possibly-unresolved-reference = "error"
unused-ignore-comment = "warn"

3. Install Dependencies

# Install all dependency groups
uv sync --all-groups

# Or install specific groups
uv sync --group dev

4. Add Makefile

.PHONY: dev lint format test build

dev:
	uv sync --all-groups

lint:
	uv run ruff format --check && uv run ruff check && uv run ty check src/

format:
	uv run ruff format .

test:
	uv run pytest

build:
	uv build

Migration Guide

When a user requests migration from legacy tooling:

From requirements.txt + pip

First, determine the nature of the code:

For standalone scripts: Convert to PEP 723 inline metadata (see pep723-scripts.md)

For projects:

# Initialize uv in existing project
uv init --bare

# Add dependencies using uv (not by editing pyproject.toml)
uv add requests rich  # add each package

# Or import from requirements.txt (review each package before adding)
# Note: Complex version specifiers may need manual handling
grep -v '^#' requirements.txt | grep -v '^-' | grep -v '^\s*$' | while read -r pkg; do
    uv add "$pkg" || echo "Failed to add: $pkg"
done

uv sync

Then:

1. Delete requirements.txt, requirements-dev.txt
2. Delete virtual environment (venv/, .venv/)
3. Add uv.lock to version control

From setup.py / setup.cfg

1. Run uv init --bare to create pyproject.toml
2. Use uv add to add each dependency from install_requires
3. Use uv add --group dev for dev dependencies
4. Copy non-dependency metadata (name, version, description, etc.) to [project]
5. Delete setup.py, setup.cfg, MANIFEST.in

From flake8 + black + isort

1. Remove flake8, black, isort via uv remove
2. Delete .flake8, pyproject.toml [tool.black], [tool.isort] configs
3. Add ruff: uv add --group dev ruff
4. Add ruff configuration (see ruff-config.md)
5. Run uv run ruff check --fix . to apply fixes
6. Run uv run ruff format . to format

From mypy / pyright

1. Remove mypy/pyright via uv remove
2. Delete mypy.ini, pyrightconfig.json, or [tool.mypy]/[tool.pyright] sections
3. Add ty: uv add --group dev ty
4. Run uv run ty check src/

Quick Reference: uv Commands

| Command | Description | |---------|-------------| | uv init | Create new project | | uv init --package | Create distributable package | | uv add <pkg> | Add dependency | | uv add --group dev <pkg> | Add to dependency group | | uv remove <pkg> | Remove dependency | | uv sync | Install dependencies | | uv sync --all-groups | Install all dependency groups | | uv run <cmd> | Run command in venv | | uv run --with <pkg> <cmd> | Run with temporary dependency | | uv build | Build package | | uv publish | Publish to PyPI |

Ad-hoc Dependencies with --with

Use uv run --with for one-off commands that need packages not in your project:

# Run Python with a temporary package
uv run --with requests python -c "import requests; print(requests.get('https://httpbin.org/ip').json())"

# Run a module with temporary deps
uv run --with rich python -m rich.progress

# Multiple packages
uv run --with requests --with rich python script.py

# Combine with project deps (adds to existing venv)
uv run --with httpx pytest  # project deps + httpx

When to use --with vs uv add:

• uv add: Package is a project dependency (goes in pyproject.toml/uv.lock)
• --with: One-off usage, testing, or scripts outside a project context

See uv-commands.md for complete reference.

Quick Reference: Dependency Groups

[dependency-groups]
dev = ["ruff", "ty"]
test = ["pytest", "pytest-cov", "hypothesis"]
docs = ["sphinx", "myst-parser"]

Install with: uv sync --group dev --group test

Best Practices Checklist

• [ ] Use src/ layout for packages
• [ ] Set requires-python = ">=3.11"
• [ ] Configure ruff with select = ["ALL"] and explicit ignores
• [ ] Use ty for type checking
• [ ] Enforce test coverage minimum (80%+)
• [ ] Use dependency groups instead of extras for dev tools
• [ ] Add uv.lock to version control
• [ ] Use PEP 723 for standalone scripts

Read Next

• migration-checklist.md - Step-by-step migration cleanup
• pyproject.md - Complete pyproject.toml reference
• uv-commands.md - uv command reference
• ruff-config.md - Ruff linting/formatting configuration
• testing.md - pytest and coverage setup
• pep723-scripts.md - PEP 723 inline script metadata
• prek.md - Fast pre-commit hooks with prek
• security-setup.md - Security hooks and dependency scanning
• dependabot.md - Automated dependency updates