Skip to content

[PREVIEW] ci: add pip-audit known-CVE scan job (Task A.3)#6

Closed
BW-Projects wants to merge 2 commits into
developfrom
feature_ci_pip_audit
Closed

[PREVIEW] ci: add pip-audit known-CVE scan job (Task A.3)#6
BW-Projects wants to merge 2 commits into
developfrom
feature_ci_pip_audit

Conversation

@BW-Projects
Copy link
Copy Markdown
Owner

@BW-Projects BW-Projects commented May 28, 2026
edited
Loading

Follow-up to the ruff (JuergenFleiss#160) and bandit (JuergenFleiss#167) CI PRs. Adds pip-audit
as its own independent CI job — separate, individual job, doesn't depend
on the bandit PR.

Contributes to JuergenFleiss#158 (Task A — CI lint/format/security).

What this PR does

  • Adds pip-audit>=2.10.0 to [dependency-groups] dev.
  • Adds a pip-audit CI job that scans the locked dependency graph
    against the PyPI advisory DB.

Design decision: light (export) vs faithful (installed env)

Two ways to run pip-audit in CI:

  1. Light (chosen) — export the locked graph to a requirements file,
    drop the entries PyPI can't audit anyway (the git aTrain_core dep
    and the +cuXXX torch builds from the PyTorch index), then
    pip-audit -r … --no-deps. No app runtime built, so the job stays
    fast and consistent with ruff/bandit (no GTK/torch/pycairo build on
    the runner). Still audits everything advisory-tracked: nicegui,
    werkzeug, starlette, idna, …
  2. Faithfuluv sync --locked (needs system libs for
    pywebview[GTK] → pycairo) and audit the installed environment.
    Audits exactly what ships, no filtering, but is heavier (multi-minute
    torch build) and needs an apt step.

Went with (1) since the skipped entries aren't on PyPI and so have no
advisory coverage there regardless. Happy to switch to (2) if you prefer
auditing the installed tree — flagging it for your call.

continue-on-error initially

nicegui 2.21.1 and werkzeug 3.0.3 carry known CVEs pending the
coordinated upgrade in JuergenFleiss#159, so the step runs continue-on-error: true
for now — findings print on every run (visible), but don't block.
Flip to gating once JuergenFleiss#159 lands.

Maps to BSI IT-Grundschutz

  • CON.8 §3.2.4 (integrity check of external components / no outdated,
    known-vulnerable versions) — pip-audit operationalises the
    known-CVE half on every run.

build: add pip-audit dev dependency
ea7387d 
Adds `pip-audit>=2.10.0` to the dev dependency group for the
known-CVE scan CI job.
@BW-Projects BW-Projects force-pushed the feature_ci_pip_audit branch from 05b4346 to d88bdfd Compare May 28, 2026 06:12
ci: add pip-audit known-CVE scan job
366a780 
Adds a `pip-audit` job that scans the locked dependency graph against
the PyPI advisory database.

Approach: export the lock as a PEP 751 `pylock.toml`
(`uv export --format pylock.toml`) and audit it with
`pip-audit <dir> --locked`. pip-audit checks each pinned package
against the advisory DB and self-documents anything it can't audit —
the git `aTrain_core` dependency and the `+cuXXX` torch builds from the
PyTorch index — in a "Skip Reason" table. No app runtime is built
(consistent with the ruff/bandit jobs) and no manual requirements
filtering is needed; the skips are explicit and auditable.

`continue-on-error: true` initially: nicegui 2.21.1 and werkzeug 3.0.3
carry known CVEs pending the coordinated upgrade in JuergenFleiss#159. Findings
print on every run; flip the step to gating once JuergenFleiss#159 lands.
@BW-Projects BW-Projects force-pushed the feature_ci_pip_audit branch from d88bdfd to 366a780 Compare May 28, 2026 06:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BW-Projects