From 8569bd33999d3fc3e5cfb76960b320a8ce3f6e05 Mon Sep 17 00:00:00 2001
From: longieirl
Date: Mon, 30 Mar 2026 13:12:37 +0100
Subject: [PATCH] fix(#86): replace safety with pip-audit for dependency vulnerability scanning
- ci.yml: swap `safety scan` (advisory, || true) for `pip-audit` (hard gate)
- pip-audit scans requirements/base.txt only; exits non-zero on any vuln
- JSON report uploaded as pip-audit-report.json artifact
- requirements/ci.txt: remove safety==3.7.0, add pip-audit>=2.7.0
- Baseline advisory run confirmed no current violations
---
 .github/workflows/ci.yml | 12 ++++++------
 requirements/ci.txt | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 30e6230..dff8ff6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,7 +4,7 @@
 # changes — detect which paths changed (skips heavy jobs on workflow-only PRs)
 # lint-core — black, isort, ruff, mypy on packages/parser-core
 # lint-free — black, isort, ruff on packages/parser-free
-# security — bandit + safety on both packages
+# security — bandit + pip-audit on both packages
 # test-core — pytest with 91% coverage gate (Python matrix), needs lint-core
 # test-free — pytest on packages/parser-free, needs lint-free
@@ -174,7 +174,7 @@ jobs:
 run: ruff check src tests
 security:
- name: Security — bandit + safety
+ name: Security — bandit + pip-audit
 runs-on: ubuntu-latest
 timeout-minutes: 10
 needs: changes
@@ -194,7 +194,7 @@ jobs:
 - name: Install security tools + packages
 run: |
- pip install --upgrade pip bandit[toml] safety
+ pip install --upgrade pip bandit[toml] pip-audit
 pip install -e packages/parser-core
 pip install -e packages/parser-free
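Review bot: The new header line `# security — bandit + pip-audit on both packages` overstates what the job does: the pip-audit step added later in this patch runs `pip-audit -r requirements/base.txt`, so it audits one requirements file, while bandit is the only tool that actually runs on both packages. Suggest `# security — bandit on both packages + pip-audit on requirements/base.txt` so the job summary matches the gate that can fail the build. The rest of the header comment block is outside the hunk.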
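Review bot: `pip install --upgrade pip bandit[toml] pip-audit` installs both scanners unpinned from PyPI at job time, so the `pip-audit>=2.7.0` constraint this patch adds to `requirements/ci.txt` never applies to the workflow (and the `bandit==1.9.4` pin there is bypassed the same way). A tool that now gates the build should be installed from the one declared source, e.g. `pip install --upgrade pip` followed by `pip install -r requirements/ci.txt`, so the scanner version is reviewable and results are reproducible across runs. The earlier steps of this job (checkout, Python setup) are outside the hunk, so I cannot tell whether ci.txt is installed elsewhere.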
@@ -204,8 +204,8 @@ jobs:
 - name: Bandit — parser-free
 run: bandit -r packages/parser-free/src -f json -o bandit-free.json || true
- - name: Safety scan
- run: safety scan --json > safety-report.json || true
+ - name: pip-audit — dependency vulnerability scan
+ run: pip-audit -r requirements/base.txt --progress-spinner off -f json -o pip-audit-report.json
 - name: Upload security reports
 uses: actions/upload-artifact@v7
@@ -215,7 +215,7 @@ jobs:
 path: |
 bandit-core.json
 bandit-free.json
- safety-report.json
+ pip-audit-report.json
 # ---------------------------------------------------------------------------
 # Test jobs (serial after their respective lint job)
diff --git a/requirements/ci.txt b/requirements/ci.txt
index d2f92ab..d5c31b3 100644
--- a/requirements/ci.txt
+++ b/requirements/ci.txt
@@ -6,7 +6,7 @@
 # Security scanning
 bandit==1.9.4
-safety==3.7.0
+pip-audit>=2.7.0
 # License compliance
 pip-licenses>=5.0.0
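Review bot: `pip-audit -r requirements/base.txt` audits only what that file resolves to, while the two packages this job installs with `pip install -e packages/parser-core` / `parser-free` (and the tooling from requirements/ci.txt) bring in dependency trees that the new hard gate never checks. Since the job has already built the environment by this point, auditing it directly — `run: pip-audit --progress-spinner off -f json -o pip-audit-report.json` with no `-r`, or adding a second `-r requirements/ci.txt` — would close that gap; if base.txt alone is the intended scope, a comment on the step saying so would keep the limitation explicit. Separately, now that the step exits non-zero on a finding, `pip-audit-report.json` is most useful precisely when the job fails, yet the following `Upload security reports` step is skipped on failure unless it carries `if: always()`; the step's `if:` condition, if present, lies outside the hunk so I cannot confirm it.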
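Review bot: `pip-audit>=2.7.0` is a floor rather than a pin, so the scanner version that decides whether CI passes can change underneath the project on any run, unlike `bandit==1.9.4` on the line above. For a tool that gates the build an exact pin — `pip-audit==2.7.0`, or whichever release the baseline run was validated with — bumped deliberately is the safer default and keeps results reproducible. The file's header is outside the hunk, so whether it is hash-pinned or consumed by the workflow at all is not visible here.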