fix(scanners): uv-first bandit[sarif] install + pip-audit pyproject.toml support#166
Merged
…oml support

Two customer-facing scanner fixes surfaced by a real `codehub analyze` run on a uv-managed Python project (pyproject.toml + uv.lock, no requirements.txt).

bandit installCmd:
- Was `pip install 'bandit[sarif]==1.9.4'`. Changed to `uv tool install 'bandit[sarif]==1.9.4'` — matches the uv-first convention (and the existing doctor.ts hint), and an isolated tool venv won't be shadowed by a project's bare `bandit` that lacks the [sarif] extra (the exact trap: a PATH bandit without the formatter argparse-rejects -f sarif).
- pip-audit installCmd likewise moved to `uv tool install`.

pip-audit pyproject.toml support:
- Previously hardcoded `-r requirements.txt`; on a project without that file pip-audit emitted `invalid requirements input` and an empty SARIF.
- The wrapper now resolves what to audit (first hit wins): an existing requirements.txt is audited directly (unchanged path); otherwise, if a pyproject.toml exists, it bridges via `uv export --quiet --format requirements-txt --no-emit-project -o <.codehub>/.pip-audit-requirements.txt` (uv emits hashes by default, which --disable-pip requires) and audits the export. Findings are labelled against pyproject.toml via the converter's requirementsPath option, not the transient export. Missing-uv and failed-export both degrade to an actionable advisory + empty SARIF.
- scan.ts points exportDir at the gitignored .codehub/ meta dir and lets the wrapper auto-detect instead of hardcoding requirements.txt.
- Adds an optional fileExists to WrapperDeps (DI seam; real access() default).

Verified end-to-end: `codehub scan ngs-research-agent --scanners pip-audit` now reports PYSEC-2026-161 (starlette@1.0.0) @ pyproject.toml; the temp export lands in .codehub/ and is gitignored. Scanners 92/92, cli 263/263, tsc clean, biome clean.
theagenticguy pushed a commit that referenced this pull request on May 29, 2026:
🤖 Automated release via release-please

---

<details><summary>cli: 0.5.5</summary>

## [0.5.5](cli-v0.5.4...cli-v0.5.5) (2026-05-29)

### Bug Fixes

* **cli:** doctor resolves @opencodehub/sarif as installed pkg, not monorepo path ([#164](#164)) ([2b2b389](2b2b389))
* **scanners:** uv-first bandit[sarif] install + pip-audit pyproject.toml support ([#166](#166)) ([5ad02d8](5ad02d8))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/mcp bumped to 0.4.4
    * @opencodehub/scanners bumped to 0.2.2
</details>

<details><summary>mcp: 0.4.4</summary>

## [0.4.4](mcp-v0.4.3...mcp-v0.4.4) (2026-05-29)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/scanners bumped to 0.2.2
</details>

<details><summary>scanners: 0.2.2</summary>

## [0.2.2](scanners-v0.2.1...scanners-v0.2.2) (2026-05-29)

### Bug Fixes

* **scanners:** uv-first bandit[sarif] install + pip-audit pyproject.toml support ([#166](#166)) ([5ad02d8](5ad02d8))
</details>

<details><summary>root: 0.6.6</summary>

## [0.6.6](root-v0.6.5...root-v0.6.6) (2026-05-29)

### Bug Fixes

* **cli:** doctor resolves @opencodehub/sarif as installed pkg, not monorepo path ([#164](#164)) ([2b2b389](2b2b389))
* **scanners:** uv-first bandit[sarif] install + pip-audit pyproject.toml support ([#166](#166)) ([5ad02d8](5ad02d8))
</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
theagenticguy added a commit that referenced this pull request on May 29, 2026:
…inary (#171)

## Summary

`doctor` reported **bandit OK** from `bandit --version` exit 0 — while `codehub scan` was silently broken. Without the `[sarif]` extra (`bandit-sarif-formatter`), `bandit -f sarif` is argparse-rejected (exit 2 + a `usage: bandit` banner) and the scan contributes **0 findings**. The check was a false positive (field-report Issue 6).

## Fix

- **`banditSarifCheck`** replaces the bandit `binaryOnPathCheck`. It probes `bandit --version` (missing → `warn`), then runs `bandit -f sarif --quiet -r <empty tmp dir>`. argparse validates the `--format` choice **before** walking any target, so a missing formatter fails fast (~0.1s) without scanning the repo. The fail branch gates on the **structural** signature (exit 2 + `usage: bandit` banner) — not advisory prose — so it can't silently regress if the message is reworded. Row name stays `"bandit binary"` (preserves `--strict` exit accounting and table order).
- **`runCommand` DI seam** added to `DoctorOptions`, threaded into the spawning checks (pnpm, scip indexers, `binaryOnPathCheck`, `banditSarifCheck`). This makes doctor tests hermetic and de-flakes the pre-existing strict-exit test, which previously depended on whatever scanner binaries the host happened to have installed.

## Test plan

- [x] **On this host:** doctor reports **FAIL** for the PATH bandit lacking the extra (`mise pipx-bandit`), and **OK** for the uv-tool `bandit[sarif]`.
- [x] 3 new tests via the DI seam: formatter-missing (exit 2 + usage) → `fail` with a `bandit[sarif]` hint; formatter-present → `ok`; binary-absent → `warn`.
- [x] `@opencodehub/cli` 266/266; `tsc` + `biome` clean.

Companion to #166 (which fixed the `installCmd` the hint points at).
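The probe-then-gate logic described in the #171 commit above, written out as an added example. This is not the project's `banditSarifCheck`; the function, type and parameter names (`CommandResult`, `RunCommand`, `DoctorRow`, `makeEmptyDir`) are this example's own, and it assumes that a bandit with the formatter installed exits 0 on an empty directory. The command runner is injected so the three outcomes can be exercised with fakes, exactly as the commit's test plan does, without bandit on the host:

```typescript
import { spawnSync } from "node:child_process";
import { mkdtempSync, rmSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

// Result of one executed command. Shape and names are this example's own,
// chosen to mirror what a runCommand DI seam would hand back.
export interface CommandResult {
  status: number | null; // exit code; null when the binary was not found or was killed
  stdout: string;
  stderr: string;
}
export type RunCommand = (bin: string, args: string[]) => CommandResult;

export interface DoctorRow {
  name: string;
  status: "ok" | "warn" | "fail";
  detail: string;
}

// Default runner: actually spawn. Only used when no fake is injected.
export const realRunCommand: RunCommand = (bin, args) => {
  const r = spawnSync(bin, args, { encoding: "utf8" });
  return { status: r.status, stdout: r.stdout ?? "", stderr: r.stderr ?? "" };
};

// argparse validates the --format choice before walking any target, so a
// probe against an empty directory is fast and never touches the repo.
// The fail branch keys on the structural signature (exit 2 plus a line
// starting "usage: bandit"), never on the wording of the error text.
export function banditSarifCheck(
  run: RunCommand = realRunCommand,
  makeEmptyDir: () => string = () => mkdtempSync(join(tmpdir(), "bandit-probe-")),
): DoctorRow {
  const name = "bandit binary"; // row name kept stable for --strict accounting
  const version = run("bandit", ["--version"]);
  if (version.status !== 0) {
    return { name, status: "warn", detail: "bandit not found on PATH" };
  }
  const dir = makeEmptyDir();
  try {
    const probe = run("bandit", ["-f", "sarif", "--quiet", "-r", dir]);
    const usageBanner = /^usage: bandit/m.test(probe.stderr + probe.stdout);
    if (probe.status === 2 && usageBanner) {
      return {
        name,
        status: "fail",
        detail: "bandit lacks the sarif formatter; install with: uv tool install 'bandit[sarif]==1.9.4'",
      };
    }
    if (probe.status === 0) {
      // Assumption of this example: formatter present => clean exit on an empty dir.
      return { name, status: "ok", detail: version.stdout.trim() };
    }
    // Anything else is reported as-is rather than guessed at.
    return { name, status: "fail", detail: `bandit -f sarif probe exited ${probe.status}` };
  } finally {
    rmSync(dir, { recursive: true, force: true });
  }
}
```

Because the gate is `status === 2` plus the `usage: bandit` banner, a reworded `invalid choice` message still produces `fail`, while a formatter that is present produces `ok` even if bandit prints warnings; that is the property the commit message is protecting.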
## Summary

Two customer-facing scanner fixes, both surfaced by a real `codehub analyze` run on a uv-managed Python project (`pyproject.toml` + `uv.lock`, no `requirements.txt`):

### 1. bandit install command → uv-first, with the `[sarif]` extra

`BANDIT_SPEC.installCmd` was `pip install 'bandit[sarif]==1.9.4'`. Now `uv tool install 'bandit[sarif]==1.9.4'`:

- matches the uv-first convention and the existing `doctor.ts` hint.
- an isolated tool venv won't be shadowed by a project's bare `bandit` that lacks the `[sarif]` extra — the exact trap, since a PATH `bandit` without `bandit-sarif-formatter` argparse-rejects `-f sarif` with exit 2.

`PIP_AUDIT_SPEC.installCmd` likewise moved to `uv tool install`.

### 2. pip-audit now audits `pyproject.toml` projects

The wrapper hardcoded `-r requirements.txt`. On a project without that file, pip-audit emitted `invalid requirements input` → empty SARIF (silent miss). The wrapper now resolves what to audit, first hit wins:

- `requirements.txt` (or explicit `requirementsPath`) → audited directly. Unchanged path.
- `pyproject.toml` → bridge via `uv export --quiet --format requirements-txt --no-emit-project -o <.codehub>/.pip-audit-requirements.txt`, then audit the export with the same `-r … --disable-pip` invocation. uv emits hashes by default, which `--disable-pip` requires. Findings are labelled against `pyproject.toml` (the file the user maintains) via the converter's `requirementsPath` option, not the transient export.
- Missing `uv` and a failed `uv export` also degrade to an advisory.

`scan.ts` points `exportDir` at the gitignored `.codehub/` meta dir and lets the wrapper auto-detect instead of hardcoding `requirements.txt`. Adds an optional `fileExists` to `WrapperDeps` (DI seam; real `access()` default, so existing wrappers/tests are unaffected).

## Test plan

- `codehub scan <uv-project> --scanners pip-audit` now reports `PYSEC-2026-161` (`starlette@1.0.0`) `@ pyproject.toml` (was: empty SARIF). Temp export lands in `.codehub/` and is gitignored.
- `@opencodehub/scanners`: 92/92 pass
- `@opencodehub/cli`: 263/263 pass
- `tsc --noEmit` workspace: clean
- `biome check`: clean
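The "first hit wins" resolution from the PR description, as an added example rather than the project's own wrapper code. Type and function names (`AuditInput`, `ResolveDeps`, `resolveAuditInput`, `pipAuditArgs`) are this example's own; it assumes `uv export` is run with the project directory as its working directory (the PR shows the command, not where it runs) and picks pip-audit's `-f json` output on the assumption that the project's converter consumes JSON. `fileExists` and `runCommand` are injected, matching the PR's DI seams, so the decision tree can be driven with fakes offline:

```typescript
import { posix } from "node:path";

// What pip-audit will be pointed at, or an advisory when nothing can be audited.
// labelPath is the file findings are reported against (pyproject.toml when the
// audited file is a transient uv export).
export type AuditInput =
  | { kind: "requirements"; auditPath: string; labelPath: string }
  | { kind: "export"; auditPath: string; labelPath: string; exportArgs: string[] }
  | { kind: "advisory"; message: string };

export interface ResolveDeps {
  fileExists: (p: string) => boolean; // injected so the logic runs without touching disk
  runCommand: (bin: string, args: string[], cwd: string) => { status: number | null; stderr: string };
}

export interface ResolveOptions {
  projectDir: string;
  exportDir: string;         // e.g. <project>/.codehub, kept gitignored
  requirementsPath?: string; // explicit override, audited directly
}

export function resolveAuditInput(opts: ResolveOptions, deps: ResolveDeps): AuditInput {
  // 1. requirements.txt (or an explicit requirementsPath): audit it as-is.
  const req = opts.requirementsPath ?? posix.join(opts.projectDir, "requirements.txt");
  if (deps.fileExists(req)) {
    return { kind: "requirements", auditPath: req, labelPath: req };
  }

  // 2. pyproject.toml: bridge through `uv export` to a hashed requirements file.
  const pyproject = posix.join(opts.projectDir, "pyproject.toml");
  if (!deps.fileExists(pyproject)) {
    return { kind: "advisory", message: "no requirements.txt or pyproject.toml found; nothing to audit" };
  }
  const exportPath = posix.join(opts.exportDir, ".pip-audit-requirements.txt");
  // uv emits --hash lines by default, which pip-audit --disable-pip requires.
  const exportArgs = ["export", "--quiet", "--format", "requirements-txt", "--no-emit-project", "-o", exportPath];
  const r = deps.runCommand("uv", exportArgs, opts.projectDir); // cwd = project: assumption of this example
  if (r.status === null) {
    return { kind: "advisory", message: "uv not found on PATH; install uv or add a requirements.txt" };
  }
  if (r.status !== 0) {
    return { kind: "advisory", message: `uv export failed (exit ${r.status}): ${r.stderr.trim()}` };
  }
  // Audit the export, but label findings against the file the user maintains.
  return { kind: "export", auditPath: exportPath, labelPath: pyproject, exportArgs };
}

// The pip-audit argv for either auditable outcome; null means "emit the advisory
// and an empty result set" instead of invoking pip-audit at all.
export function pipAuditArgs(input: AuditInput): string[] | null {
  if (input.kind === "advisory") return null;
  return ["-r", input.auditPath, "--disable-pip", "-f", "json"];
}
```

The order matters for the silent-miss the PR fixes: an explicit `requirementsPath` or a real `requirements.txt` short-circuits before `uv` is ever spawned, and the two advisory branches are the only places where an empty result is legitimate, so a caller can distinguish "nothing to audit" from "audited and clean".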