From e1f05bbfd3aa45369e852ecb7652833d520b0ad0 Mon Sep 17 00:00:00 2001 From: deacon-mp <61169193+deacon-mp@users.noreply.github.com> Date: Mon, 18 May 2026 19:11:01 -0400 Subject: [PATCH] ci: swap safety check for pip-audit (PyPA, no API key) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit safety check was deprecated 2024-06; safety scan requires a pyup.io API key and an additional CI secret to manage. Dependabot, GitGuardian, and SonarCloud already cover supply-chain monitoring from multiple angles, so the marginal value of integrating a new auth system is low. pip-audit (PyPA's official tool) provides the same coverage as a zero-auth drop-in. Both requirements.txt and requirements-dev.txt come back clean: 'No known vulnerabilities found'. Legacy pyup ignore IDs are no longer needed: - 39642 (reportlab) — superseded by reportlab==4.0.4 - 39659 (aiohttp) — superseded by aiohttp==3.13.4 [testenv:safety] env name kept intact so branch protection contexts (`build (3.13, safety)`) don't need a coordinated update. Rename to [testenv:audit] can be a small follow-up PR alongside an admin update of the required check name. --- .safety-policy.yml | 6 ------ tox.ini | 21 ++++++++++++++------- 2 files changed, 14 insertions(+), 13 deletions(-) delete mode 100644 .safety-policy.yml diff --git a/.safety-policy.yml b/.safety-policy.yml deleted file mode 100644 index dcba87b21..000000000 --- a/.safety-policy.yml +++ /dev/null @@ -1,6 +0,0 @@ -# Safety policy file for `safety check`. -# Required by safety 3.x — the CLI looks for this file in cwd even when -# --ignore is passed inline. Ignores are kept on the tox command line -# (see tox.ini [testenv:safety]) so they stay visible in CI output. -security: - ignore-vulnerabilities: {} diff --git a/tox.ini b/tox.ini index 06d7cc727..14311551a 100644 --- a/tox.ini +++ b/tox.ini 
@@ -54,16 +54,23 @@ commands = coverage report [testenv:safety] -# Safety ignore list: -# 39642: reportlab vuln resolved in https://github.com/mitre/debrief/pull/39 -# 39659: aiohttp cannot be upgraded to 3.7.4: https://github.com/mitre/caldera/pull/2062 +# Dependency vulnerability scan. Env name kept as "safety" so branch +# protection contexts (`build (3.13, safety)`) don't need a coordinated +# update; underlying tool is pip-audit (PyPA, no API key, free). +# +# `safety check` was deprecated 2024-06; the pyup.io account/scan +# replacement was not worth the new secret + auth integration when +# Dependabot, GitGuardian, and SonarCloud already cover supply chain. +# +# Legacy pyup ignores (39642 reportlab, 39659 aiohttp) are obsolete +# now that aiohttp>=3.13 and reportlab>=4.0 are pinned. Add +# `--ignore-vuln GHSA-...` here if a real exemption is needed later. deps = - safety + pip-audit skip_install = true -whitelist_externals=find commands = - safety check -r requirements.txt --policy-file .safety-policy.yml --ignore 39642 --ignore 39659 - safety check -r requirements-dev.txt --policy-file .safety-policy.yml + pip-audit -r requirements.txt + pip-audit -r requirements-dev.txt [testenv:bandit] deps =
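Review bot: the `.safety-policy.yml` deletion removes a file whose own header says safety 3.x looks for it in cwd even when `--ignore` is passed inline; the diffstat shows only this file and tox.ini changing, so please confirm that no CI workflow, pre-commit hook or docs page still references `.safety-policy.yml` or invokes `safety` directly, otherwise the next run that does so fails on the missing policy file rather than on a real finding.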
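Review bot: the new `pip-audit -r requirements.txt` and `pip-audit -r requirements-dev.txt` commands pass silently when a distribution cannot be audited (pip-audit skips such packages unless `--strict`/`-S` is given), so a resolver or build failure shows up as a clean `build (3.13, safety)` check; suggest `pip-audit --strict -r requirements.txt` and the same for requirements-dev.txt. Two smaller points in the comment block: it says `aiohttp>=3.13 and reportlab>=4.0 are pinned`, while the commit message cites exact pins (aiohttp==3.13.4, reportlab==4.0.4), and since `-r` resolves the file at scan time the distinction matters, so name the exact versions or say "pinned at" rather than ">="; and pip-audit's default vulnerability source is the PyPI advisory database (OSV only with `--vulnerability-service osv`), not pyup's feed, which is worth stating next to "no API key, free" so nobody reads it as the identical data set. Dropping `whitelist_externals=find` is fine: nothing in the visible commands calls find, and tox 4 spells the option `allowlist_externals` anyway.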