
Trial: python-package-scanner in security workflow #157

Draft
nevoodoo wants to merge 7 commits into main from test/python-package-scanner

Conversation

@nevoodoo (Contributor) commented Mar 30, 2026

Just trialing the package scanner to see if this would solve our visibility issues into vulnerable deps: https://github.com/populationgenomics/python-package-scanner?tab=readme-ov-file

Trial run of the new vulnerability scanner alongside pip-audit
to compare results and dependency chain tracing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Enables PR comments from python-package-scanner. Push restricted
to main to avoid double runs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
github-actions bot (Contributor) commented Mar 30, 2026

🐳 Docker Image Built

A new Docker image has been built for this PR:

Image: australia-southeast1-docker.pkg.dev/cpg-common/images-dev/cpg_flow:2feef8c857dcf65f906ac85a811c96d1c2aa99a6

Pull command:

docker pull australia-southeast1-docker.pkg.dev/cpg-common/images-dev/cpg_flow:2feef8c857dcf65f906ac85a811c96d1c2aa99a6

🔗 View in Google Cloud Console


This comment was automatically generated by the Docker workflow.

github-actions bot (Contributor) commented Mar 30, 2026

Vulnerability Audit

Found 16 vulnerabilities in 14 packages

| Package | Version | Vulnerability | Fix | Dependency Chain |
|---|---|---|---|---|
| azure-core | 1.37.0 | CVE-2026-21226 | 1.38.0 | hail > azure-identity > azure-core |
| bokeh | 3.4.3 | CVE-2026-21883 | 3.8.2 | hail > bokeh |
| cryptography | 46.0.3 | CVE-2026-34073 | 46.0.6 | hail > azure-identity > cryptography |
| cryptography | 46.0.3 | CVE-2026-26007 | 46.0.5 | hail > azure-identity > cryptography |
| filelock | 3.20.2 | CVE-2026-22701 | 3.20.3 | pre-commit > virtualenv > filelock |
| jaraco-context | 6.0.2 | CVE-2026-23949 | 6.1.0 | twine > keyring > jaraco-context (dev) |
| orjson | 3.11.5 | CVE-2025-67221 | 3.11.6 | hail > orjson |
| pillow | 12.1.0 | CVE-2026-25990 | 12.1.1 | hail > bokeh > pillow |
| pip | 25.3 | CVE-2026-1703 | 26.0 | pip-audit > pip-api > pip (dev) |
| pyasn1 | 0.6.1 | CVE-2026-23490 | 0.6.2 | cpg-utils > google-auth > pyasn1-modules > pyasn1 |
| pyasn1 | 0.6.1 | CVE-2026-30922 | 0.6.3 | cpg-utils > google-auth > pyasn1-modules > pyasn1 |
| pygments | 2.19.2 | CVE-2026-4539 | None | mkdocs-material > pygments (no fix available, dev) |
| pyjwt | 2.10.1 | CVE-2026-32597 | 2.12.0 | hail > azure-identity > msal > pyjwt |
| requests | 2.32.5 | CVE-2026-25645 | 2.33.0 | cpg-utils > requests |
| urllib3 | 2.6.2 | CVE-2026-21441 | 2.6.3 | metamist > urllib3 |
| virtualenv | 20.35.4 | CVE-2026-22702 | 20.36.1 | pre-commit > virtualenv |

Summary

  • 13 fixable via dependency upgrade
  • 3 in dev dependencies only (2 fixable, 1 no fix)
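
The audit table above lists one row per CVE, but the two things a maintainer actually needs are (a) the direct dependency to bump (the first hop of each chain, which is what is declared in the project) and (b) the lowest version of each transitive package that clears all of its CVEs at once, not just one of them (cryptography needs 46.0.6, not 46.0.5; pyasn1 needs 0.6.3). The script below is an added example, not code from this PR, from python-package-scanner or from pip-audit: the `FINDINGS` rows are transcribed from the bot comment above into a tuple layout of this script's own devising, with the "(dev)" annotation pulled out of the chain column into a boolean, and `version_key` is a deliberately simple numeric-dotted comparator, not a PEP 440 parser.

```python
"""Roll a flat vulnerability table up to actionable upgrades.

Added example; not the scanner's or pip-audit's own code or output format.
Rows are constructed from the audit comment in this PR.
"""
from collections import defaultdict

# (package, installed, vuln id, fix version or None, chain, is_dev)
# Chain reads "direct-dep > ... > vulnerable-package".
FINDINGS = [
    ("azure-core", "1.37.0", "CVE-2026-21226", "1.38.0", "hail > azure-identity > azure-core", False),
    ("bokeh", "3.4.3", "CVE-2026-21883", "3.8.2", "hail > bokeh", False),
    ("cryptography", "46.0.3", "CVE-2026-34073", "46.0.6", "hail > azure-identity > cryptography", False),
    ("cryptography", "46.0.3", "CVE-2026-26007", "46.0.5", "hail > azure-identity > cryptography", False),
    ("filelock", "3.20.2", "CVE-2026-22701", "3.20.3", "pre-commit > virtualenv > filelock", False),
    ("jaraco-context", "6.0.2", "CVE-2026-23949", "6.1.0", "twine > keyring > jaraco-context", True),
    ("orjson", "3.11.5", "CVE-2025-67221", "3.11.6", "hail > orjson", False),
    ("pillow", "12.1.0", "CVE-2026-25990", "12.1.1", "hail > bokeh > pillow", False),
    ("pip", "25.3", "CVE-2026-1703", "26.0", "pip-audit > pip-api > pip", True),
    ("pyasn1", "0.6.1", "CVE-2026-23490", "0.6.2", "cpg-utils > google-auth > pyasn1-modules > pyasn1", False),
    ("pyasn1", "0.6.1", "CVE-2026-30922", "0.6.3", "cpg-utils > google-auth > pyasn1-modules > pyasn1", False),
    ("pygments", "2.19.2", "CVE-2026-4539", None, "mkdocs-material > pygments", True),
    ("pyjwt", "2.10.1", "CVE-2026-32597", "2.12.0", "hail > azure-identity > msal > pyjwt", False),
    ("requests", "2.32.5", "CVE-2026-25645", "2.33.0", "cpg-utils > requests", False),
    ("urllib3", "2.6.2", "CVE-2026-21441", "2.6.3", "metamist > urllib3", False),
    ("virtualenv", "20.35.4", "CVE-2026-22702", "20.36.1", "pre-commit > virtualenv", False),
]


def version_key(version):
    """Order plain numeric dotted versions (all fix versions above are).
    Assumption: no pre-release / post-release suffixes; not PEP 440."""
    return tuple(int(part) for part in version.split("."))


def summarize(findings):
    """Recompute the headline counts the bot prints under 'Summary'."""
    prod = [f for f in findings if not f[5]]
    dev = [f for f in findings if f[5]]
    return {
        "vulns": len(findings),
        "packages": len({f[0] for f in findings}),
        "prod_fixable": sum(1 for f in prod if f[3] is not None),
        "dev_fixable": sum(1 for f in dev if f[3] is not None),
        "dev_no_fix": sum(1 for f in dev if f[3] is None),
    }


def minimum_fix(findings):
    """Lowest version of each package that clears *all* of its CVEs:
    the highest listed fix, or None if any CVE has no fix at all."""
    fixes = defaultdict(list)
    for name, _installed, _vuln, fix, _chain, _dev in findings:
        fixes[name].append(fix)
    return {
        name: None if None in fs else max(fs, key=version_key)
        for name, fs in fixes.items()
    }


def by_direct_dependency(findings):
    """Attribute each CVE to the first hop of its chain, i.e. the
    dependency the project declares and can actually bump."""
    roots = defaultdict(list)
    for name, _installed, vuln, _fix, chain, _dev in findings:
        root = chain.split(">")[0].strip()
        roots[root].append((name, vuln))
    return dict(roots)


def upgrade_plan(findings):
    """For each direct dependency: the transitive packages under it and the
    version each must reach. None means no fix exists for that package."""
    needed = minimum_fix(findings)
    plan = defaultdict(dict)
    for name, _installed, _vuln, _fix, chain, _dev in findings:
        root = chain.split(">")[0].strip()
        plan[root][name] = needed[name]
    return dict(plan)


if __name__ == "__main__":
    print(summarize(FINDINGS))
    for root, pkgs in sorted(upgrade_plan(FINDINGS).items()):
        print(f"{root}: " + ", ".join(f"{p} >= {v}" for p, v in sorted(pkgs.items())))
```

Run it as a script to get one line per direct dependency; `hail` alone accounts for seven of the sixteen findings, which is the kind of rollup a per-CVE table hides.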

@populationgenomics populationgenomics deleted a comment from github-actions bot Mar 30, 2026