ci: Add pip-audit security scanner (#268)

ci: Streamline GH workflow names
mansenfranzen · Apr 23, 2024 · 0be2710 · 0be2710
1 parent 9726cc5
commit 0be2710
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 5 deletions.
diff --git a/.github/workflows/pr-agent.yml b/.github/workflows/pr-agent.yml
@@ -1,4 +1,4 @@
-name: PR Agent
+name: "AGENT: Pull request and issue AI agent"
 
 on:
   pull_request:

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -1,4 +1,4 @@
-name: Release
+name: "RELEASE: Changelog Update, Tagging, and PyPI Upload" 
 
 on:
   push:

diff --git a/.github/workflows/tests-push-pr.yml b/.github/workflows/tests-push-pr.yml
@@ -1,4 +1,4 @@
-name: Semantic Tests
+name: "TESTS: Push/Pull"
 on:
   push:
   pull_request:
@@ -121,4 +121,20 @@ jobs:
         uses: ./.github/actions/invoke-tox
         with:
           tox-environment: type-checker
+          install-graphviz: true
+
+  security-scan:
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        scan: ["lib", "dev"]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Test Environment and Run Tox
+        uses: ./.github/actions/invoke-tox
+        with:
+          tox-environment: security-scan${{ matrix.scan }}
           install-graphviz: true
diff --git a/.github/workflows/tests-scheduled.yml b/.github/workflows/tests-scheduled.yml
@@ -1,4 +1,4 @@
-name: Scheduled Tests
+name: "TESTS: Scheduled"
 on:
   schedule:
     - cron: "0 1 * * *"
@@ -29,3 +29,19 @@ jobs:
         with:
           tox-environment: pre-release
           install-graphviz: true
+
+  security-scan:
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        scan: ["lib", "app"]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Test Environment and Run Tox
+        uses: ./.github/actions/invoke-tox
+        with:
+          tox-environment: security-scan-${{ matrix.scan }}
+          install-graphviz: true
diff --git a/pyproject.toml b/pyproject.toml
@@ -50,6 +50,9 @@ typing-extensions = { version = "^4.11", markers = "python_version <= '3.9'", op
 # extras linting/formatting
 ruff = { version = "^0.4.0", optional = true }
 
+# extras security
+pip-audit = { version = "^2.7.2", optional = true }
+
 # extras erdantic
 erdantic = { version ="<2.0", optional = true }
 
@@ -70,6 +73,8 @@ type_checking = ["mypy",
                  "types-docutils",
                  "typing-extensions"]
 
+security = ["pip-audit"]
+
 erdantic = ["erdantic"]
 
 [build-system]

diff --git a/tox.ini b/tox.ini
@@ -7,6 +7,7 @@ envlist =
     linter
     formatter
     type-checker
+    security-scan-{lib,dev}
 isolated_build = True
 
 [testenv]
@@ -112,4 +113,16 @@ description = "Type check the codebase."
 extras = 
     type_checking
     erdantic
-commands = mypy sphinxcontrib/ --explicit-package-bases
+commands = mypy sphinxcontrib/ --explicit-package-bases
+
+[testenv:security-scan{lib,dev}]
+description = "Scan for security vulnerabilities."
+extras =
+    erdantic
+    security
+    scandev: test
+    scandev: docs
+    scandev: linting
+    scandev: type_checking
+commands = 
+    pip-audit -v