Add pip-audit checks to your pytest / CI tests
| """ | |
| Security audit tests using pip-audit to detect known vulnerabilities. | |
| This test runs pip-audit against the installed packages and fails if any | |
| vulnerabilities are detected, ensuring continuous security monitoring. | |
| """ | |
import json
import subprocess
import sys
from pathlib import Path

import pytest
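def _pip_audit_findings(report_json: str) -> 'list[str] | None':
    """
    Turn a pip-audit JSON report into one human-readable line per finding.

    Args:
        report_json: the text pip-audit wrote to stdout under ``--format=json``.

    Returns:
        A list of ``"<name> <version>: <advisory id> (fix versions: ...)"``
        lines, empty when the report lists no vulnerabilities, or ``None`` when
        *report_json* is not a pip-audit report at all (empty / non-JSON stdout,
        or no top-level ``"dependencies"`` list). The ``None`` case lets the
        caller distinguish "the tool failed" from "the tool ran and found nothing".
    """
    try:
        report = json.loads(report_json)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return None
    dependencies = report.get('dependencies') if isinstance(report, dict) else None
    if not isinstance(dependencies, list):
        return None

    findings = []
    for dep in dependencies:
        # Skipped dependencies carry no "vulns" key; tolerate a missing/None value.
        for vuln in dep.get('vulns') or []:
            fixes = ', '.join(vuln.get('fix_versions') or []) or 'no fix available'
            findings.append(
                f"{dep.get('name')} {dep.get('version')}: {vuln.get('id')} (fix versions: {fixes})"
            )
    return findings


def test_pip_audit_no_vulnerabilities():
    """
    Run pip-audit against the installed packages and fail on any known vulnerability.

    pip-audit is invoked through ``sys.executable`` so it audits exactly the
    environment pytest is running in — the result is only as meaningful as what
    CI installed into that environment. Its JSON report is parsed and every
    (package, version, advisory id) triple is listed in the failure message;
    if stdout is not a parseable report the raw output is shown instead.

    Ignored advisories live in ``ignored_vulns`` below. An ignore never expires
    on its own, so each entry should carry a reason and the list should be
    re-reviewed periodically.

    Note: CVE-2025-53000 (nbconvert Windows vulnerability) is ignored as it only affects
    Windows platforms and is a known acceptable risk for this project.

    Raises:
        pytest.fail (``pytest.Failed``): when vulnerabilities are found, when
        pip-audit cannot be run or does not produce a report, or when it
        exceeds the 120 second timeout.

    To run this test specifically:
        pytest talk_python_training/tests/test_security_audit.py -v
    """
    # Advisory IDs deliberately excluded from the audit. Keep this list short and
    # justified: every entry hides that finding in all future runs until removed.
    ignored_vulns = (
        'CVE-2025-53000',  # nbconvert, Windows-only; accepted risk for this project
    )

    # Get the project root directory
    project_root = Path(__file__).parent.parent.parent

    # Run pip-audit with JSON output so the report can be parsed rather than grepped.
    args = [
        sys.executable,
        '-m',
        'pip_audit',
        '--format=json',
        '--progress-spinner=off',
        # Editable installs (typically the project itself) are not audited; the
        # packages they depend on are still audited as ordinary installed packages.
        '--skip-editable',
    ]
    for vuln_id in ignored_vulns:
        args += ['--ignore-vuln', vuln_id]

    # NOTE(review): pip-audit consults an online advisory database by default, so
    # this test needs network egress from CI; an offline runner ends up in the
    # "failed to run properly" branch below rather than silently passing.
    try:
        result = subprocess.run(
            args,
            cwd=project_root,
            capture_output=True,
            text=True,
            timeout=120,  # 2 minute timeout
        )
    except subprocess.TimeoutExpired:
        pytest.fail('pip-audit command timed out after 120 seconds')
    except FileNotFoundError:
        pytest.fail('pip-audit not installed or not accessible')

    # pip-audit exits 0 only when no (non-ignored) vulnerabilities were found.
    if result.returncode == 0:
        return

    findings = _pip_audit_findings(result.stdout)
    if not findings:
        # Either stdout was not a pip-audit report (tool error: no network,
        # resolution failure, ...) or the report is clean despite the non-zero
        # exit. Neither is a pass; surface everything the tool printed.
        pytest.fail(
            f'pip-audit failed to run properly:\n\nReturn code: {result.returncode}\n'
            f'Output: {result.stdout}\n{result.stderr}\n'
        )

    ignore_flags = ' '.join(f'--ignore-vuln {vuln_id}' for vuln_id in ignored_vulns)
    pytest.fail(
        f'pip-audit detected security vulnerabilities!\n\n'
        f'Findings:\n' + '\n'.join(findings) + '\n\n'
        f'Please review and update vulnerable packages.\n'
        f'Run manually with: ./venv/bin/python -m pip_audit {ignore_flags} --skip-editable'
    )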
def test_pip_audit_runs_successfully():
    """
    Smoke test: pip-audit is importable in this interpreter and answers ``--version``.

    Runs ``python -m pip_audit --version`` through ``sys.executable`` (the same
    interpreter pytest is using) and fails if the command errors, times out, or
    prints something that does not mention pip-audit. Nothing is audited here;
    this only proves the tool the real audit relies on is actually installed.
    """
    version_cmd = [sys.executable, '-m', 'pip_audit', '--version']
    try:
        proc = subprocess.run(
            version_cmd,
            capture_output=True,
            text=True,
            timeout=10,
        )
    except FileNotFoundError:
        pytest.fail('pip-audit not installed')
    except subprocess.TimeoutExpired:
        pytest.fail('pip-audit --version timed out')
    else:
        assert proc.returncode == 0, f'pip-audit --version failed: {proc.stderr}'
        assert 'pip-audit' in proc.stdout.lower(), 'pip-audit version output unexpected'