mirror of
https://github.com/safishamsi/graphify.git
synced 2026-07-13 10:57:13 +00:00
39afb2d8ef
bandit, pip-audit, and safety are already declared in the dev dependency group but nothing in CI invokes them, so a new HIGH-severity finding or a newly-disclosed CVE in a pinned dep can land without anyone noticing until the next manual audit. Add a security-scan job that runs bandit (-ll, HIGH-severity only) and pip-audit (--strict) on every push and PR. Marked continue-on-error so this doesn't block PRs on pre-existing findings -- a follow-up should do the cleanup pass and flip the flag. safety intentionally omitted: it requires a free-tier API key for the new commercial backend, which is a setup burden for forks. pip-audit covers the same ground using the PyPI JSON advisory feed and OSV.