step-security · swarit-stepsecurity · Jun 28, 2026 · Jun 28, 2026 · Jun 29, 2026
diff --git a/cmd/stepsecurity-dev-machine-guard/main.go b/cmd/stepsecurity-dev-machine-guard/main.go
@@ -98,6 +98,11 @@ func main() {
 	if cfg.EnablePythonScan == nil && config.EnablePythonScan != nil {
 		cfg.EnablePythonScan = config.EnablePythonScan
 	}
+	// --legacy-python-scan / --disk-python-scan override the config-file value
+	// (which config.Load already applied to config.UseLegacyPythonScan).
+	if cfg.UseLegacyPythonScan != nil {
+		config.UseLegacyPythonScan = *cfg.UseLegacyPythonScan
+	}
 	if cfg.IncludeTCCProtected == nil && config.IncludeTCCProtected != nil {
 		cfg.IncludeTCCProtected = config.IncludeTCCProtected
 	}

diff --git a/internal/cli/cli.go b/internal/cli/cli.go
@@ -29,6 +29,7 @@ type Config struct {
 	EnableNPMScan         *bool  // nil=auto, true/false=explicit
 	EnableBrewScan        *bool  // nil=auto, true/false=explicit
 	EnablePythonScan      *bool  // nil=auto, true/false=explicit
+	UseLegacyPythonScan   *bool  // nil=auto (disk scan); true=pip path, false=disk path
 	IncludeBundledPlugins bool   // --include-bundled-plugins: include bundled/platform plugins in output
 	// IncludeTCCProtected is tristate: nil or false = skip the macOS
 	// TCC-protected dirs (Documents, Downloads, ~/Library/Mail, ...)
@@ -182,6 +183,12 @@ func Parse(args []string) (*Config, error) {
 		case arg == "--disable-python-scan":
 			v := false
 			cfg.EnablePythonScan = &v
+		case arg == "--legacy-python-scan":
+			v := true
+			cfg.UseLegacyPythonScan = &v
+		case arg == "--disk-python-scan":
+			v := false
+			cfg.UseLegacyPythonScan = &v
 		case arg == "--include-bundled-plugins":
 			cfg.IncludeBundledPlugins = true
 		case arg == "--include-tcc-protected":

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -34,6 +34,14 @@ var (
 	// STEPSEC_ENABLE_SCAN_STATE=1) to opt back in. STEPSEC_DISABLE_SCAN_STATE=1
 	// always forces legacy.
 	UseLegacyPackageScan = true
+
+	// UseLegacyPythonScan, when true, reverts Python package discovery to the
+	// command-based path (`pip list` per venv and `pip3`/`conda`/`uv list`
+	// for globals). Defaults to false: Python packages are read from on-disk
+	// install metadata (*.dist-info/METADATA, *.egg-info/PKG-INFO) with no
+	// package-manager subprocess. Set use_legacy_python_scan=true in
+	// config.json (or --legacy-python-scan) to opt back into the pip path.
+	UseLegacyPythonScan = false
 )
 
 // MaxExecutionDuration is the whole-process execution-watchdog limit
@@ -64,6 +72,7 @@ type ConfigFile struct {
 	InstallDir           string   `json:"install_dir,omitempty"`
 	MaxExecutionDuration string   `json:"max_execution_duration,omitempty"`
 	UseLegacyPackageScan *bool    `json:"use_legacy_package_scan,omitempty"`
+	UseLegacyPythonScan  *bool    `json:"use_legacy_python_scan,omitempty"`
 }
 
 // userConfigDir returns ~/.stepsecurity — the per-user config location.
@@ -199,6 +208,9 @@ func Load() {
 	if cfg.UseLegacyPackageScan != nil {
 		UseLegacyPackageScan = *cfg.UseLegacyPackageScan
 	}
+	if cfg.UseLegacyPythonScan != nil {
+		UseLegacyPythonScan = *cfg.UseLegacyPythonScan
+	}
 }
 
 // IsEnterpriseMode returns true if valid enterprise credentials are configured.
@@ -515,6 +527,7 @@ func ShowConfigure() {
 	fmt.Printf("  %-24s %s\n", "Enable NPM Scan:", displayBoolScan(cfg.EnableNPMScan))
 	fmt.Printf("  %-24s %s\n", "Enable Brew Scan:", displayBoolScan(cfg.EnableBrewScan))
 	fmt.Printf("  %-24s %s\n", "Enable Python Scan:", displayBoolScan(cfg.EnablePythonScan))
+	fmt.Printf("  %-24s %s\n", "Legacy Python Scan:", displayBoolScan(cfg.UseLegacyPythonScan))
 	fmt.Printf("  %-24s %s\n", "Scan TCC-Protected Dirs:", displayTCC(cfg.IncludeTCCProtected))
 	fmt.Printf("  %-24s %s\n", "Color Mode:", displayColorMode(cfg.ColorMode))
 	fmt.Printf("  %-24s %s\n", "Output Format:", displayOutputFormat(cfg.OutputFormat))