Summary
Add lightweight automated security checks to CI for Python dependency vulnerabilities and static-analysis findings.
Why
Manual audit runs are useful, but dependency and static-analysis checks should be repeatable in CI. pip-audit can catch known Python package vulnerabilities, and Bandit can flag Python security-sensitive patterns for review.
Proposed direction
- Add a CI job or workflow for pip-audit.
- Add a Bandit job configured for actionable findings.
- Keep initial scope focused so the signal is useful and does not fail on low-value noise.
- Document how to run the checks locally.
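As an added example (not part of this issue or the project's own CI), one way to wire up the first three items as a GitHub Actions workflow; it assumes GitHub Actions as the CI system, a pinned requirements.txt, a src/ package directory, and a [tool.bandit] section in pyproject.toml holding the exclusions and skips.

```yaml
# Added example workflow (assumed: GitHub Actions, requirements.txt, src/, pyproject.toml).
# Run locally with the same commands:
#   pip-audit -r requirements.txt
#   bandit -c pyproject.toml -r src -ll -ii
name: security-checks

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # Audit the pinned requirements file rather than the live environment so the
      # result is reproducible; the job fails when any known vulnerability is reported.
      - run: |
          python -m pip install --upgrade pip pip-audit
          pip-audit -r requirements.txt

  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      # Explicit configuration comes from [tool.bandit] in pyproject.toml (exclude_dirs,
      # skips for accepted findings by test id). -ll / -ii gate only on medium-or-higher
      # severity and confidence so low-value noise does not fail the build.
      - run: |
          python -m pip install --upgrade pip bandit
          bandit -c pyproject.toml -r src -ll -ii
```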
Acceptance criteria
- CI runs dependency vulnerability checks.
- CI runs Python static security checks with an explicit configuration.
- The current dependency set passes the audit.
- Any intentionally accepted Bandit findings are documented or excluded explicitly.