fix(#86): replace safety with pip-audit for dependency vulnerability scanning#97

Merged
longieirl merged 1 commit into main from fix/86-pip-audit on Mar 30, 2026
Conversation

@longieirl
Owner

Summary

Replaces safety with pip-audit as the dependency vulnerability scanner in CI. The old safety scan step was advisory-only (|| true) and never blocked the pipeline. pip-audit runs as a hard gate — any known vulnerability in requirements/base.txt fails the build.

Baseline advisory run confirmed zero current violations before switching to enforcement.

Changes

  • .github/workflows/ci.yml: replace safety scan --json > safety-report.json || true with pip-audit -r requirements/base.txt --progress-spinner off -f json -o pip-audit-report.json (hard gate, no || true)
  • .github/workflows/ci.yml: update job name, install step, and uploaded artifact name
  • requirements/ci.txt: remove safety==3.7.0, add pip-audit>=2.7.0

Type

  • Bug fix
  • New feature
  • Breaking change
  • Refactoring
  • Documentation
  • Security

Testing

  • Tests pass (coverage ≥ 91%)
  • Manually tested
  • make docker-integration passed locally (required when touching Dockerfile, entrypoint.sh, docker-compose.yml, or packages/parser-core/)

Local baseline: `pip-audit -r requirements/base.txt --progress-spinner off`
No known vulnerabilities found

Checklist

  • Code follows project style
  • Self-reviewed
  • Documentation updated (if needed)
  • No new warnings

Downstream impact

  • This PR changes a public interface in bankstatements_core (exported class, function, or exception)

…scanning

- ci.yml: swap `safety scan` (advisory, || true) for `pip-audit` (hard gate)
- pip-audit scans requirements/base.txt only; exits non-zero on any vuln
- JSON report uploaded as pip-audit-report.json artifact
- requirements/ci.txt: remove safety==3.7.0, add pip-audit>=2.7.0
- Baseline advisory run confirmed no current violations
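As an added illustration, not the PR's own ci.yml (which is not shown here), the two step shapes the description contrasts: the old advisory `safety` step, whose `|| true` discards the non-zero exit code, and a `pip-audit` step that acts as a hard gate. The job and step names, the Python version and the action versions are assumptions; the upload step uses `if: always()` so the JSON report is still collected on the run where the gate fails.

```yaml
# Added example: before/after shape of the dependency-scan job.
# Job/step names, Python version and action versions are assumptions,
# not taken from the PR.
jobs:
  dependency-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install CI tooling
        run: pip install -r requirements/ci.txt   # now pulls pip-audit>=2.7.0

      # BEFORE (advisory only): `|| true` forces exit code 0, so findings
      # land in the report but never fail the job.
      # - name: Safety scan
      #   run: safety scan --json > safety-report.json || true

      # AFTER (hard gate): pip-audit exits non-zero on any known vulnerability
      # in requirements/base.txt, which fails this step and therefore the job.
      - name: pip-audit dependency scan
        run: >
          pip-audit -r requirements/base.txt
          --progress-spinner off
          -f json -o pip-audit-report.json

      # Without `if: always()` this step is skipped when the gate fails,
      # which is exactly the run whose report you want to inspect.
      - name: Upload pip-audit report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: pip-audit-report
          path: pip-audit-report.json
```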
github-actions bot added the bug (Something isn't working), dependencies and ci labels on Mar 30, 2026
@longieirl longieirl self-assigned this Mar 30, 2026
@longieirl longieirl merged commit 782b2fb into main Mar 30, 2026
11 checks passed
@longieirl longieirl deleted the fix/86-pip-audit branch March 30, 2026 14:15