🛡️ add pip-audit to gitlab ci

2026-03-25 18:34:30 -04:00 · 2025-12-03 15:11:26 +01:00
parent c081012781
commit d152b394fd
1 changed files with 18 additions and 0 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -331,6 +331,24 @@ shellcheck:
        hooks/pre-commit
        tests/run-tests

+# Run pip-audit, check for known vulnerabilities in python dependencies
+pip-audit:
+  stage: lint
+  image: debian:13-slim
+  script:
+    - apt update -yyq
+    - apt upgrade -yyq
+    - apt install -yyq --no-install-recommends python3 python3-venv
+    - python3 -m venv env
+    - . env/bin/activate
+    - python3 -m ensurepip
+    - python3 -m pip install --upgrade pip
+    - python3 -m pip install pip-audit
+    # always print long-form json output
+    - python3 -m pip_audit -f json | python3 -m json.tool --indent=2 || true
+    # then print human readable summary
+    - python3 -m pip_audit
+
 # Check all the dependencies in Debian to mirror production.  CVEs are
 # generally fixed in the latest versions in pip/pypi.org, so it isn't
 # so important to scan that kind of install in CI.