Summary
Python SDK CI has 9 gates but no SAST or dependency vulnerability scanning. Security product needs both.
What to add
1. bandit (Python SAST)
Static analysis for common security issues.
Known finding: src/agentwrit/orchestrator.py:83 — assert in production code, stripped by python -O. Replace with explicit AuthenticationError raise.
2. pip-audit (dependency vulnerability scan)
Checks installed packages against OSV and PyPI advisory databases.
Why this matters
Security experts evaluating the repo expect SAST and dep scanning as baseline.
Summary
Python SDK CI has 9 gates but no SAST or dependency vulnerability scanning. Security product needs both.
What to add
1. bandit (Python SAST)
Static analysis for common security issues.
Known finding:
src/agentwrit/orchestrator.py:83—assertin production code, stripped bypython -O. Replace with explicitAuthenticationErrorraise.2. pip-audit (dependency vulnerability scan)
Checks installed packages against OSV and PyPI advisory databases.
Why this matters
Security experts evaluating the repo expect SAST and dep scanning as baseline.