Skip to content

Dependency scan

Dependency scan #90

Workflow file for this run

# Copyright (c) 2026 Santander Group
# SPDX-License-Identifier: Apache-2.0
#
# Dependency vulnerability scan with pip-audit.
# The core install has no required runtime dependencies; this installs the
# optional vendor SDK extras and audits the resolved environment so that
# advisories in the optional adapters are still surfaced.
name: Dependency scan
on:
push:
branches: [main, development]
pull_request:
schedule:
- cron: "37 4 * * *" # daily 04:37 UTC
permissions:
contents: read
jobs:
pip-audit:
name: pip-audit
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Set up Python
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.11"
cache: pip
- name: Install package with all extras
run: |
python -m pip install --upgrade pip "setuptools>=83.0.0"
pip install -e ".[all]"
- name: Run pip-audit
uses: pypa/gh-action-pip-audit@1220774d901786e6f652ae159f7b6bc8fea6d266 # v1.1.0
with:
local: true
vulnerability-service: osv