feat: add vulnerability audit workflow (PoC)#72

Open
albertotb wants to merge 6 commits into main from feature/vulnerability-audit-poc

Conversation

@albertotb
Member

@albertotb albertotb commented Mar 28, 2026

Summary

  • Adds a GitHub Actions workflow that audits dependencies for known vulnerabilities
  • Includes three approaches for comparison:
    1. pip-audit (PyPA official) — exports uv.lock to requirements format and pipes it into pip-audit (no install needed)
    2. uv-secure — reads uv.lock directly, no install needed
    3. uv audit — native uv command (preview), reads uv.lock directly using the OSV database
  • Runs weekly on Mondays, on workflow_dispatch, and on PRs that change uv.lock or pyproject.toml

Test results

All three tools ran successfully and detected the same vulnerability:

|                 | pip-audit              | uv-secure                          | uv audit                                            |
|-----------------|------------------------|------------------------------------|-----------------------------------------------------|
| Runtime         | ~16s                   | ~5s                                | ~2s                                                 |
| uv.lock support | Indirect (export step) | Native                             | Native                                              |
| Maintainer      | PyPA (official)        | Community                          | Astral (uv)                                         |
| Notes           | Well-established       | Fast, supports severity filtering  | Requires --preview flag, may change before stable   |

Next steps

  • Decide which tool to keep (recommendation: uv-secure for simplicity)
  • Add to python-copier-template and roll out to all repos
  • Consider continue-on-error: true for scheduled runs to avoid noisy failures

Add a scheduled GitHub Actions workflow that audits dependencies for
known vulnerabilities. Includes two approaches for comparison:

1. pip-audit (PyPA official) - audits the installed environment
2. uv-secure - reads uv.lock directly, no install needed

Runs weekly on Mondays, on workflow_dispatch, and on PRs that change
uv.lock or pyproject.toml.

Avoids installing the full environment by piping uv export directly
into pip-audit, making it faster and consistent with the other
no-install approaches.
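A workflow of the shape described above, as an added example that is not the PR's own file: the Monday cron time, the action versions, the `--no-deps --disable-pip` flags that keep pip-audit from resolving or installing anything, and the job-level `continue-on-error` expression for scheduled runs are all assumptions made here.

```yaml
name: Vulnerability audit

on:
  schedule:
    - cron: "0 6 * * 1"        # Mondays, 06:00 UTC (assumed time; PR only says "weekly on Mondays")
  workflow_dispatch:
  pull_request:
    paths:
      - "uv.lock"
      - "pyproject.toml"

permissions:
  contents: read                # the audit only reads the lockfile; no write scope is needed

jobs:
  pip-audit:
    name: pip-audit (PyPA)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
      # Export the resolved lockfile in requirements format and feed it straight
      # to pip-audit. --no-deps/--disable-pip stop pip-audit from resolving or
      # installing anything: uv.lock is already fully pinned, so only the listed
      # versions are checked against the advisory database (assumed flags).
      - name: Audit exported lockfile
        run: |
          uv export --format requirements-txt --no-hashes --no-emit-project \
            | uvx pip-audit --no-deps --disable-pip --strict --desc -r /dev/stdin

  uv-secure:
    name: uv-secure
    runs-on: ubuntu-latest
    # Scheduled runs report but do not fail the workflow (the PR's "noisy
    # failures" concern); PR-triggered runs still block on a finding.
    continue-on-error: ${{ github.event_name == 'schedule' }}
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
      # uv-secure reads uv.lock in the working directory directly; nothing is installed.
      - name: Audit uv.lock directly
        run: uvx uv-secure
```

The `pull_request` path filter means a PR that changes neither file gets no audit job at all, so a branch protection rule that requires these checks should be set to the scheduled/dispatch runs rather than to every PR.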