ci: swap safety check for pip-audit (PyPA, no API key)#3377
Merged
Conversation
`safety check` was deprecated 2024-06; `safety scan` requires a pyup.io API key and an additional CI secret to manage. Dependabot, GitGuardian, and SonarCloud already cover supply-chain monitoring from multiple angles, so the marginal value of integrating a new auth system is low. pip-audit (PyPA's official tool) provides the same coverage as a zero-auth drop-in. Both requirements.txt and requirements-dev.txt come back clean: 'No known vulnerabilities found'.

Legacy pyup ignore IDs are no longer needed:
- 39642 (reportlab) — superseded by reportlab==4.0.4
- 39659 (aiohttp) — superseded by aiohttp==3.13.4

[testenv:safety] env name kept intact so branch protection contexts (`build (3.13, safety)`) don't need a coordinated update. Rename to [testenv:audit] can be a small follow-up PR alongside an admin update of the required check name.
Why
`safety check` was deprecated 2024-06 (see warning banner on every CI run since). `safety scan` is the replacement but requires a pyup.io API key + a new GitHub Actions secret to manage, in exchange for one more layer of supply-chain scanning on top of what Dependabot + GitGuardian + SonarCloud already cover. `pip-audit` (PyPA's official tool) gives the same Python dependency coverage as a zero-auth drop-in.

What
- `[testenv:safety]` now installs `pip-audit` and runs `pip-audit -r requirements.txt` / `-r requirements-dev.txt`.
- `.safety-policy.yml` deleted (was only needed to work around the safety 3.x auto-lookup bug).
- Pyup ignore IDs dropped: 39642 is superseded by the `reportlab==4.0.4` pin; 39659 was an aiohttp <3.7.4 issue, and we're on `aiohttp==3.13.4`.
- `safety` env name kept intact so branch-protection contexts (`build (3.13, safety)`) don't need a coordinated update. A follow-up PR can rename to `audit` + update the required check at the same time.

Test
Local
`python3 -m tox -e safety` (now pip-audit under the hood): both requirements files come back clean.
Followups (not in this PR)
- `[testenv:safety]` → `[testenv:audit]` + update branch protection to expect `build (3.13, audit)` (paired change).
- `pip-audit --strict` once we're confident in the noise level.
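The tox environment the PR describes, written out as an added illustration rather than the repository's own tox.ini; the `description` and `skip_install` lines are assumptions, and `--strict` is shown only as the follow-up the PR mentions.

```ini
# tox.ini (added illustration, not the repository's file). The [testenv:safety]
# environment after this PR: the env name is unchanged, so the branch-protection
# context "build (3.13, safety)" still resolves, but pip-audit runs under the hood.
# "description" and "skip_install" are assumptions about the surrounding config.
[testenv:safety]
description = audit pinned dependencies with pip-audit (PyPA, no API key)
skip_install = true
deps =
    pip-audit
# One run covers both requirement files; a non-zero exit from pip-audit fails
# the env, which is what CI reports under "build (3.13, safety)". No pyup.io
# key or extra GitHub Actions secret is involved, and the per-ID ignore list
# from .safety-policy.yml is gone because the pins already cover those advisories.
# Follow-up from the PR: add --strict so packages pip-audit cannot resolve
# also fail the run instead of being skipped, once the noise level is known.
commands =
    pip-audit -r requirements.txt -r requirements-dev.txt
```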