Merged
Changes from all commits
2 changes: 1 addition & 1 deletion .github/workflows/bandit.yaml
@@ -1,4 +1,4 @@
name: Security Analysis (bandit)
name: Security Analysis

on:
push:
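Review bot: dropping the tool name from `name:` is safe for the README badge, which keys on the workflow file name (`bandit.yaml`) rather than on `name:`, and for any branch-protection required check, which keys on the job name; the same holds for the identical renames in fawltydeps.yaml, isort.yaml, mypy.yaml, pytest.yaml, radon.yaml and ruff_format.yaml below. The tool name still appears in the README's Workflow column, so no information is lost from the status table.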
2 changes: 1 addition & 1 deletion .github/workflows/fawltydeps.yaml
@@ -1,4 +1,4 @@
name: Dependency Consistency Check (fawltydeps)
name: Dependency Consistency Check

on:
pull_request:
2 changes: 1 addition & 1 deletion .github/workflows/isort.yaml
@@ -1,4 +1,4 @@
name: Import Order Validation (isort)
name: Import Order Validation

on:
push:
2 changes: 1 addition & 1 deletion .github/workflows/mypy.yaml
@@ -1,4 +1,4 @@
name: Type Checking (mypy)
name: Type Checking

on:
push:
22 changes: 22 additions & 0 deletions .github/workflows/pip_audit.yaml
@@ -0,0 +1,22 @@
name: Dependency Vulnerability Scan

on:
pull_request:
types: [opened, synchronize, reopened]

jobs:
pip_audit:
runs-on: ubuntu-latest
name: "pip-audit"
steps:
- uses: actions/checkout@v4

- uses: actions/setup-python@v5
with:
python-version: "3.12"

- name: Install project
run: pip install .

- name: Run pip-audit
uses: pypa/gh-action-pip-audit@v1.1.0
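Review bot: the only trigger is `pull_request`, so dependencies are audited solely when a PR is opened or updated; an advisory published against a pin that is already on the default branch goes unnoticed until the next PR, and the README badge for this workflow, which reports the default branch, has no run to show. Add a `schedule:` cron (daily or weekly) and `workflow_dispatch:` next to `pull_request:`. Three further points on this file: there is no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope when `permissions: contents: read` is all that checkout plus an audit needs; `actions/checkout@v4`, `actions/setup-python@v5` and `pypa/gh-action-pip-audit@v1.1.0` are pinned to mutable tags rather than commit SHAs, which matters more than usual for a step whose purpose is supply-chain defence; and `pip install .` installs only the runtime closure, so the tools in the `dev` extra (pytest, mypy, ruff and friends) are never scanned. Also `python-version: "3.12"` here versus `python_version: "3.13"` in ruff_lint.yaml; pick one.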
2 changes: 1 addition & 1 deletion .github/workflows/pytest.yaml
@@ -1,4 +1,4 @@
name: Unittest Execution (pytest)
name: Unittest Execution

on:
push:
2 changes: 1 addition & 1 deletion .github/workflows/radon.yaml
@@ -1,4 +1,4 @@
name: Code Metrics Analysis (radon)
name: Code Metrics Analysis

on:
push:
2 changes: 1 addition & 1 deletion .github/workflows/ruff_format.yaml
@@ -1,4 +1,4 @@
name: Code Consistency Check (ruff format)
name: Code Consistency Check

on:
push:
6 changes: 2 additions & 4 deletions .github/workflows/ruff_lint.yaml
@@ -1,4 +1,4 @@
name: Code Consistency Check (ruff format)
name: Static Code Analysis

on:
push:
@@ -9,11 +9,9 @@ jobs:
ruff:
runs-on: ubuntu-latest
name: "ruff"
if: github.event.created == false # Skip if this push created a new branch
steps:
- name: actions_python_ruff
uses: davidslusser/actions_python_ruff@v1.0.3
with:
src: "src/django_project"
command: ruff format src --check
python_version: "3.13"
options: "-v"
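Review bot: removing `command: ruff format src --check` leaves the step on the action's default command, and the new name "Static Code Analysis" plus the retained `src: "src/django_project"` say the intent is a `ruff check` run; confirm that the default of `davidslusser/actions_python_ruff@v1.0.3` is lint rather than format, otherwise this job keeps duplicating ruff_format.yaml under a different name (before this change the file was a copy of that workflow, down to its `name:`). Dropping `if: github.event.created == false` means the job now also runs on the push that creates a branch; that is fine, but the sibling workflows that still carry the condition will behave differently on the same push. `python_version: "3.13"` also disagrees with the `"3.12"` used in pip_audit.yaml and the "3.12+" in the README.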
6 changes: 5 additions & 1 deletion README.md
@@ -11,20 +11,24 @@ https://www.spokanepython.com
| Workflow | Description | Status |
|----------|-------------------------|------------------------------------------------------------------------------|
|Bandit|security checks|![Bandit](https://github.com/SpokaneTech/SpokanePythonWeb/actions/workflows/bandit.yaml/badge.svg)|
|Django Check|django project scan|![Lint](https://github.com/SpokaneTech/SpokanePythonWeb/actions/workflows/django.yaml/badge.svg)|
|FawltyDeps|dependency consistency check|![Lint](https://github.com/SpokaneTech/SpokanePythonWeb/actions/workflows/fawltydeps.yaml/badge.svg)|
|Isort|python import ordering|![Isort](https://github.com/SpokaneTech/SpokanePythonWeb/actions/workflows/isort.yaml/badge.svg)|
|Mypy|static type checking|![Mypy](https://github.com/SpokaneTech/SpokanePythonWeb/actions/workflows/mypy.yaml/badge.svg)|
|Pip Audit|dependency vulnerability scan|![Audit](https://github.com/SpokaneTech/SpokanePythonWeb/actions/workflows/pip_audit.yaml/badge.svg)|
|Radon|code complexity analysis|![Radon](https://github.com/SpokaneTech/SpokanePythonWeb/actions/workflows/radon.yaml/badge.svg)|
|Ruff Format|code formatting|![Format](https://github.com/SpokaneTech/SpokanePythonWeb/actions/workflows/ruff_format.yaml/badge.svg)|
|Ruff Lint|static code analysis|![Lint](https://github.com/SpokaneTech/SpokanePythonWeb/actions/workflows/ruff_lint.yaml/badge.svg)|



<br/>

## Local Development

### prerequisites
1. git installed on system
2. python installed on system (3.10+ recommended)
2. python installed on system (3.12+ recommended)


### local git setup
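Review bot: the new Django Check row points at `django.yaml`, which is not among the files in this change set; confirm that workflow already exists on the default branch or the badge will render as "no status". The badge alt text is copy-pasted: `![Lint]` is used for Django Check and FawltyDeps as well as for Ruff Lint, while Pip Audit gets `![Audit]`; use the tool name in each alt text so screen readers and broken-image fallbacks stay meaningful. The bump to "3.12+ recommended" matches pip_audit.yaml but not the 3.13 in ruff_lint.yaml.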
6 changes: 2 additions & 4 deletions pyproject.toml
@@ -33,6 +33,7 @@ dev = [
"mypy",
"mypy-extensions",
"ruff",
"pip-audit",
🟠 Architect Review — HIGH

pip-audit was added to project.optional-dependencies.dev but not to [tool.fawltydeps].ignore_unused, even though all other dev-only tools in the dev extra are listed there; this will cause the existing fawltydeps workflow (which installs .[dev]) to report pip-audit as an unused dependency and fail.

Suggestion: Add pip-audit to the [tool.fawltydeps].ignore_unused list so the existing dependency-consistency workflow continues to pass when the new dev tool is installed via the dev extra.

Prompt for AI Agent 🤖
This is a comment left during a code review.

**Path:** pyproject.toml
**Line:** 36:36
**Comment:**
HIGH: `pip-audit` was added to `project.optional-dependencies.dev` but not to `[tool.fawltydeps].ignore_unused`, even though all other dev-only tools in the `dev` extra are listed there; this will cause the existing fawltydeps workflow (which installs `.[dev]`) to report `pip-audit` as an unused dependency and fail.

Validate the correctness of the flagged issue. If correct, How can I resolve this? If you propose a fix, implement it and please make it concise.

"pytest",
"pytest-cov",
"pytest-django",
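Review bot: `pip-audit` is inserted after `ruff`, breaking the otherwise alphabetical order of the `dev` extra (mypy, mypy-extensions, ruff, pytest, pytest-cov, pytest-django); move it between `mypy-extensions` and `ruff`. The fawltydeps failure raised in the inline comment above is addressed later in this same diff, where `pip-audit` is added to `[tool.fawltydeps].ignore_unused`. Note that the CI step does not use this entry: pip_audit.yaml installs `.` without the dev extra, so this line serves local runs only.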
@@ -51,10 +52,6 @@ docker = [
exclude_dirs = ["venv", "django_project/tests", "django_project/*/management/commands"]


[tool.black]
line-length = 120


[tool.coverage.report]
show_missing = true

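Review bot: dropping `[tool.black]` is consistent with ruff format being the formatter (ruff_format.yaml), but the `line-length = 120` removed here has no visible replacement in this diff; if `[tool.ruff]` does not set `line-length = 120`, ruff format falls back to its default of 88 and the next `ruff format --check` run fails across the whole tree. Confirm the ruff setting before merging.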
@@ -91,6 +88,7 @@ ignore_unused = [
"mypy",
"mypy-extensions",
"ruff",
"pip-audit",
"psycopg2-binary",
"pytest",
"pytest-cov",
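Review bot: this resolves the fawltydeps failure flagged in the inline comment on the `dev` extra, but the two lists now have to be kept in step by hand; a one-line comment above `ignore_unused` saying that every dev-only tool added to the `dev` extra must also be listed here would have saved this round trip. As in the `dev` extra, `pip-audit` lands after `ruff` rather than in alphabetical position.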