From d152b394fd4c71cbdbb960af60e068310a2a4e97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michael=20P=C3=B6hn?= Date: Wed, 3 Dec 2025 15:11:26 +0100 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20add=20pip-audit=20to=20?= =?UTF-8?q?gitlab=20ci?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitlab-ci.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 917a751c..06d70157 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -331,6 +331,24 @@ shellcheck:
 hooks/pre-commit
 tests/run-tests

+# Run pip-audit, check for known vulnerabilities in python dependencies
+pip-audit:
+ stage: lint
+ image: debian:13-slim
+ script:
+ - apt update -yyq
+ - apt upgrade -yyq
+ - apt install -yyq --no-install-recommends python3 python3-venv
+ - python3 -m venv env
+ - . env/bin/activate
+ - python3 -m ensurepip
+ - python3 -m pip install --upgrade pip
+ - python3 -m pip install pip-audit
+ # always print long-form json output
+ - python3 -m pip_audit -f json | python3 -m json.tool --indent=2 || true
+ # then print human readable summary
+ - python3 -m pip_audit
+
 # Check all the dependencies in Debian to mirror production. CVEs are
 # generally fixed in the latest versions in pip/pypi.org, so it isn't
 # so important to scan that kind of install in CI.
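Review bot: `python3 -m pip_audit` on the last two script lines is run with no target, so it audits only the freshly created `env` venv, which at that point holds pip, pip-audit and their own dependencies — none of the project's Python dependencies are installed into it or passed to the tool, so the job cannot report a vulnerable project dependency. Assuming the project declares its dependencies in a `pyproject.toml`/`setup.py` or a requirements file, either install the project into the venv first (`- python3 -m pip install .`) or audit the declaration directly (`- python3 -m pip_audit -r requirements.txt`), and use the same target on the JSON run so both outputs describe the same set. Separately, `pip install --upgrade pip` and `pip install pip-audit` fetch unpinned releases from PyPI on every run, so a compromised or broken release would execute on the CI runner with the job's credentials; pinning both versions (with `--require-hashes` where practical) narrows that exposure. Because the job sits in the `lint` stage with no `allow_failure`, a newly published advisory will also start failing unrelated merge requests; whether that blocking behaviour is intended is a policy choice, but it is worth stating in the comment above the job.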