feat: replace advisory pip-audit with blocking vuln process #6058
theCyberTech wants to merge 1 commit into
New vulnerability scan process:
1. Run pip-audit without ignores on every PR
2. Classify vulns as direct or transitive (checks against all monorepo pyproject.toml files)
3. Direct vulns: auto-fix with pip-audit --fix and commit the bump to the PR branch
4. Transitive vulns: add to ignore list and create a GitHub issue for tracking
5. Re-run pip-audit with transitive ignores — PR passes only if direct vulns are resolved
6. Scheduled runs also validate that previously ignored vulns are still unfixable
Removes continue-on-error: true so the action actually blocks.
What
Replaces the current advisory-only pip-audit workflow with a blocking process that actually enforces the policy.
Current problem
- continue-on-error: true means the action never blocks anything
- --ignore-vuln entries with no mechanism to check if they're still needed
New process
- pip-audit --fix, commit the bump to the PR branch. PR stays blocked if fix fails.
- security, transitive-vuln for tracking
What changes
- continue-on-error: true — the action actually blocks now
- --ignore-vuln entries — transitive vulns are auto-ignored at runtime