You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The Trivy scan currently reports errors whenever a pull request is opened. The task is to investigate the cause of these errors and implement a fix to ensure the scan passes successfully. Link to the error
Add pip audit check’s for all pyproject.toml files in the github action
pip-audit is a tool for scanning Python environments for packages with known vulnerabilities.
If pip audit doesn’t have support for pyproject.toml files, then we can convert them to requirements.txt files using uvlike this, and then run the pip-audit on them.
We can also look into adding tools like Deptry — it is a command line tool to check for issues with dependencies in a Python project, such as unused or missing dependencies.
Some notes on securing the feluda codebase can be found in this blog post.
We have a github action in place that runs security checks when a PR is opened - link to the action
pyproject.tomlfiles in the github actionpyproject.tomlfiles, then we can convert them torequirements.txtfiles usinguvlike this, and then run the pip-audit on them.Some notes on securing the feluda codebase can be found in this blog post.