Summary
The repository currently has no security scanning or CI/CD workflows. This means:
- Python logic bugs and unsafe API usage go undetected (no SAST)
- Vulnerable dependency versions aren't flagged (no SCA)
- Dependency updates require manual tracking
Proposal
Add free, automated security scanning at two levels:
CI (GitHub Actions)
- CodeQL (GitHub's own SAST) — finds Python logic bugs, injection flaws, unsafe API usage. Results appear in the Security > Code scanning tab.
- pip-audit — scans the installed dependencies for known vulnerabilities (pip-audit queries the PyPI advisory service by default; `--vulnerability-service osv` queries the OSV database directly). The full project (including PyGObject) is installed in a clean Ubuntu runner with the required system libraries, so all dependencies, transitive ones included, are covered.
- Dependabot — automatically opens PRs when dependencies have security updates, and keeps GitHub Actions action versions current.
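A workflow that wires up the two CI jobs described above, as an added example rather than the file from the proposed PR. The branch name `main`, the Python version, the cron schedule and the apt package names for the GObject build dependencies are assumptions and should be adjusted to the project:

```yaml
# .github/workflows/security.yml (added example, not the proposal's own file)
name: security

on:
  push:
    branches: [main]          # assumption: default branch is "main"
  pull_request:
  schedule:
    - cron: "0 6 * * 1"       # assumption: weekly, Monday 06:00 UTC
  workflow_dispatch:

# Least privilege by default; jobs that need more request it explicitly.
permissions:
  contents: read

jobs:
  codeql:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required to upload results to Security > Code scanning
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: python
          queries: security-extended   # broader query pack than the default suite
      - uses: github/codeql-action/analyze@v3

  pip-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"       # assumption: pick the project's supported version
      - name: Install GObject build dependencies
        # assumption: these package names cover PyGObject's build on the runner image
        run: |
          sudo apt-get update
          sudo apt-get install -y libgirepository1.0-dev libcairo2-dev pkg-config gir1.2-gtk-3.0
      - name: Install the project (pulls in transitive dependencies)
        run: |
          python -m pip install --upgrade pip
          python -m pip install .
      - name: Audit the installed environment
        run: |
          python -m pip install pip-audit
          # --strict also fails on warnings (e.g. packages that could not be checked)
          pip-audit --strict --desc --vulnerability-service osv
```

Two practical notes. `security-events: write` is only needed by the CodeQL job; keeping the top-level `permissions` at `contents: read` stops the token handed to the pip-audit job from being able to write anything. Installing pip-audit into the same environment means its own dependencies are audited too, which is usually desirable; if that produces noise, install it into a separate virtualenv. Action references are shown as version tags here; pinning them to commit SHAs is the stronger supply-chain posture, and Dependabot's github-actions ecosystem keeps either form current.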
Local (pre-commit)
- bandit — runs SAST on staged Python files before each commit, giving immediate local feedback without waiting for CI.
- pip-audit — scans the direct dependencies listed in `requirements.txt` (which mirrors `install_requires` in `setup.py`) against the OSV database before each commit.
- PyGObject is excluded from `requirements.txt` because pip must build its source distribution to obtain package metadata during resolution, and that build needs the gobject-introspection system headers, which are not universally available on developer machines. It is fully covered by pip-audit in CI.
- Transitive dependency CVEs are covered by pip-audit in CI.
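A pre-commit configuration for the two local hooks, as an added example rather than the file from the proposed PR. The `rev` tags are placeholders and must be pinned to the current release tags of bandit and pip-audit; the bandit severity threshold is an assumption:

```yaml
# .pre-commit-config.yaml (added example, not the proposal's own file)
repos:
  - repo: https://github.com/PyCQA/bandit
    rev: "1.7.9"            # assumption: replace with the current bandit release tag
    hooks:
      - id: bandit
        # pre-commit passes only the staged *.py files to this hook
        args: ["-ll"]       # assumption: report MEDIUM severity and above

  - repo: https://github.com/pypa/pip-audit
    rev: "v2.7.3"           # assumption: replace with the current pip-audit release tag
    hooks:
      - id: pip-audit
        # The upstream hook runs on every commit regardless of which files are staged.
        args: ["-r", "requirements.txt", "--vulnerability-service", "osv"]
```

One caveat worth knowing before adopting this: when given `-r requirements.txt`, pip-audit resolves the file by installing it into a temporary environment, so every listed package must be installable on the developer's machine. That is exactly why PyGObject is kept out of the file. If the requirements are pinned to exact versions, adding `--no-deps` skips that resolution step entirely and makes the hook both faster and independent of local build tooling, at the cost of not following transitive dependencies locally (which CI already covers).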
Implementation
- `.github/workflows/security.yml` — CodeQL + pip-audit jobs triggered on push, PR, weekly schedule, and manual dispatch
- `.github/dependabot.yml` — weekly checks for pip and GitHub Actions ecosystems
- `.pre-commit-config.yaml` — bandit SAST + pip-audit hooks running on staged files / before commit
- `requirements.txt` — direct dependencies for local pip-audit (mirrors `setup.py` `install_requires`)
No external accounts, tokens, or paid services required.
I'd like to submit a PR implementing this if you're open to it.