From 41e165303094846f95a4229df19d44e1a38faa83 Mon Sep 17 00:00:00 2001
From: Alberto Torres
Date: Sat, 28 Mar 2026 16:51:48 +0100
Subject: [PATCH 1/6] feat: add vulnerability audit workflow (PoC) Add a scheduled GitHub Actions workflow that audits dependencies for known vulnerabilities. Includes two approaches for comparison: 1. pip-audit (PyPA official) - audits the installed environment 2. uv-secure - reads uv.lock directly, no install needed Runs weekly on Mondays, on workflow_dispatch, and on PRs that change uv.lock or pyproject.toml.
---
.github/workflows/vulnerability-audit.yml | 43 +++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 .github/workflows/vulnerability-audit.yml
diff --git a/.github/workflows/vulnerability-audit.yml b/.github/workflows/vulnerability-audit.yml
new file mode 100644
index 0000000..4545857
--- /dev/null
+++ b/.github/workflows/vulnerability-audit.yml
@@ -0,0 +1,43 @@
+name: Vulnerability Audit
+
+on:
+ schedule:
+ # Run weekly on Mondays at 9:00 UTC
+ - cron: "0 9 * * 1"
+ workflow_dispatch:
+ # Also run on PRs that change dependencies
+ pull_request:
+ paths:
+ - "uv.lock"
+ - "pyproject.toml"
+
+jobs:
+ # Approach 1: pip-audit (PyPA official tool)
+ # Audits the installed environment after uv sync.
+ # Pros: official PyPA tool, well-maintained, GitHub Action available
+ # Cons: requires installing deps first (slower), doesn't read uv.lock directly
+ pip-audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - name: Install uv and Python
+ uses: astral-sh/setup-uv@v7
+ with:
+ enable-cache: true
+ cache-dependency-glob: uv.lock
+ - name: Install the project
+ run: uv sync --locked --dev --all-extras
+ - name: Run pip-audit
+ run: uv run --with pip-audit pip-audit --strict --vulnerability-service osv --desc
+
+ # Approach 2: uv-secure (reads uv.lock directly)
+ # Pros: fast (no install needed), reads uv.lock natively, supports severity filtering
+ # Cons: newer/less established tool
+ uv-secure:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v6
+ - name: Install uv
+ uses: astral-sh/setup-uv@v7
+ - name: Run uv-secure
+ run: uvx uv-secure uv.lock
From 360399e0672459145b0a704145c6f45386bf5f13 Mon Sep 17 00:00:00 2001
From: Alberto Torres
Date: Sat, 28 Mar 2026 16:52:10 +0100
Subject: [PATCH 2/6] chore: add temporary push trigger for testing
---
.github/workflows/vulnerability-audit.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/vulnerability-audit.yml b/.github/workflows/vulnerability-audit.yml
index 4545857..08ce3d5 100644
--- a/.github/workflows/vulnerability-audit.yml
+++ b/.github/workflows/vulnerability-audit.yml
@@ -10,6 +10,10 @@ on: paths: - "uv.lock" - "pyproject.toml" + # Temporary: trigger on push to test the workflow + push: + branches: + - feature/vulnerability-audit-poc jobs: # Approach 1: pip-audit (PyPA official tool)
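Review bot: The workflow file added in PATCH 1/6 never declares `permissions:`, so every job inherits the repository's default `GITHUB_TOKEN` scope even though the steps only read the checkout; add a top-level `permissions:` with `contents: read` directly after the `on:` block. The `uses:` lines reference movable tags (`actions/checkout@v6`, `astral-sh/setup-uv@v7`) and `uvx uv-secure uv.lock` fetches whatever release is current at run time, which is a weak footing for a job whose purpose is supply-chain assurance. Pin the actions to full commit SHAs, `uses: actions/checkout@<FULL_COMMIT_SHA>  # v6`, and the tool to an exact release, `run: uvx uv-secure@<PINNED_VERSION> uv.lock`.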
From 67b652eff29a8555ef4355dc51378e2466960b91 Mon Sep 17 00:00:00 2001
From: Alberto Torres
Date: Sat, 28 Mar 2026 16:53:14 +0100
Subject: [PATCH 3/6] chore: remove temporary push trigger
---
.github/workflows/vulnerability-audit.yml | 4 ----
1 file changed, 4 deletions(-)
diff --git a/.github/workflows/vulnerability-audit.yml b/.github/workflows/vulnerability-audit.yml
index 08ce3d5..4545857 100644
--- a/.github/workflows/vulnerability-audit.yml
+++ b/.github/workflows/vulnerability-audit.yml
@@ -10,10 +10,6 @@ on: paths: - "uv.lock" - "pyproject.toml" - # Temporary: trigger on push to test the workflow - push: - branches: - - feature/vulnerability-audit-poc jobs: # Approach 1: pip-audit (PyPA official tool)
From f582793c77b98d2a0399603a37f5a08c177f265a Mon Sep 17 00:00:00 2001
From: Alberto Torres
Date: Sat, 28 Mar 2026 17:08:21 +0100
Subject: [PATCH 4/6] feat: add uv audit --preview as third approach for comparison
---
.github/workflows/vulnerability-audit.yml | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/vulnerability-audit.yml b/.github/workflows/vulnerability-audit.yml
index 4545857..320a581 100644
--- a/.github/workflows/vulnerability-audit.yml
+++ b/.github/workflows/vulnerability-audit.yml
@@ -10,6 +10,10 @@ on: paths: - "uv.lock" - "pyproject.toml" + # Temporary: trigger on push to test the workflow + push: + branches: + - feature/vulnerability-audit-poc jobs: # Approach 1: pip-audit (PyPA official tool)
@@ -32,7 +36,7 @@ jobs: # Approach 2: uv-secure (reads uv.lock directly) # Pros: fast (no install needed), reads uv.lock natively, supports severity filtering - # Cons: newer/less established tool + # Cons: newer/less established, community tool uv-secure: runs-on: ubuntu-latest steps:
@@ -41,3 +45,15 @@ jobs: uses: astral-sh/setup-uv@v7 - name: Run uv-secure run: uvx uv-secure uv.lock + + # Approach 3: uv audit (native uv command, still in preview as of 0.11.2) + # Pros: native to uv (no extra tools), reads uv.lock directly, uses OSV database + # Cons: requires --preview flag, may change before stable + uv-audit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v6 + - name: Install uv + uses: astral-sh/setup-uv@v7 + - name: Run uv audit + run: uv audit --preview
From a57ff8a139a0b26ce91da3fdd1b884788cb0dbe1 Mon Sep 17 00:00:00 2001
From: Alberto Torres
Date: Sat, 28 Mar 2026 17:09:16 +0100
Subject: [PATCH 5/6] chore: remove temporary push trigger
---
.github/workflows/vulnerability-audit.yml | 4 ----
1 file changed, 4 deletions(-)
diff --git a/.github/workflows/vulnerability-audit.yml b/.github/workflows/vulnerability-audit.yml
index 320a581..6c89b51 100644
--- a/.github/workflows/vulnerability-audit.yml
+++ b/.github/workflows/vulnerability-audit.yml
@@ -10,10 +10,6 @@ on: paths: - "uv.lock" - "pyproject.toml" - # Temporary: trigger on push to test the workflow - push: - branches: - - feature/vulnerability-audit-poc jobs: # Approach 1: pip-audit (PyPA official tool)
From af84121c4fc2b615471c445d989576cf31e23af1 Mon Sep 17 00:00:00 2001
From: Alberto Torres
Date: Sat, 28 Mar 2026 17:34:11 +0100
Subject: [PATCH 6/6] refactor: use uv export pipe instead of uv sync for pip-audit Avoids installing the full environment by piping uv export directly into pip-audit, making it faster and consistent with the other no-install approaches.
---
.github/workflows/vulnerability-audit.yml | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/vulnerability-audit.yml b/.github/workflows/vulnerability-audit.yml
index 6c89b51..7198782 100644
--- a/.github/workflows/vulnerability-audit.yml
+++ b/.github/workflows/vulnerability-audit.yml
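Review bot: The `uv-audit` job added in PATCH 4/6 runs a preview command on whatever uv release `astral-sh/setup-uv@v7` installs that day, so the caveat in its own comment ("may change before stable") can surface as a scheduled job that breaks or changes its exit behaviour without any commit to this repository. Pin the uv release the job was validated against through the action's `version` input, i.e. `with:` followed by `version: "0.11.2"` under the `Install uv` step, and raise it deliberately. The job comment should also state whether `uv audit` exits non-zero on findings, since that decides whether this job can gate a pull request; the hunk does not show it.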
@@ -13,22 +13,17 @@ on: jobs: # Approach 1: pip-audit (PyPA official tool) - # Audits the installed environment after uv sync. - # Pros: official PyPA tool, well-maintained, GitHub Action available - # Cons: requires installing deps first (slower), doesn't read uv.lock directly + # Exports uv.lock to requirements format and pipes it into pip-audit (no install needed). + # Pros: official PyPA tool, well-maintained, no env install required + # Cons: requires export step, doesn't read uv.lock directly pip-audit: runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 - - name: Install uv and Python + - name: Install uv uses: astral-sh/setup-uv@v7 - with: - enable-cache: true - cache-dependency-glob: uv.lock - - name: Install the project - run: uv sync --locked --dev --all-extras - name: Run pip-audit - run: uv run --with pip-audit pip-audit --strict --vulnerability-service osv --desc + run: uv export --locked --no-hashes | uvx pip-audit -r /dev/stdin --strict --vulnerability-service osv --desc # Approach 2: uv-secure (reads uv.lock directly) # Pros: fast (no install needed), reads uv.lock natively, supports severity filtering
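Review bot: The new `run:` line of the `pip-audit` job pipes `uv export` into `pip-audit` without `pipefail`: when a step sets no `shell:`, GitHub runs it with `bash -e {0}`, so a failing `uv export --locked` (a stale lockfile, for example) is masked by the exit status of `pip-audit`, which then reads an empty or truncated requirements list and may leave the job green. Add `shell: bash` to the step (GitHub then runs it with `-eo pipefail`) or begin the script with `set -o pipefail`. The removed command covered `--dev --all-extras`, while this export passes no `--all-extras`, so optional-dependency groups appear to drop out of the audit; `uv export --locked --no-hashes --all-extras` would keep the earlier coverage.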