Skip to content

feat: add ignore-vulns input to _python-security workflow#233

Merged
JacobPEvans merged 2 commits intomainfrom
feat/pip-audit-ignore-vulns
Apr 26, 2026
Merged

feat: add ignore-vulns input to _python-security workflow#233
JacobPEvans merged 2 commits intomainfrom
feat/pip-audit-ignore-vulns

Conversation

@JacobPEvans
Copy link
Copy Markdown
Owner

@JacobPEvans JacobPEvans commented Apr 25, 2026

Summary

  • Add an optional ignore-vulns input to the _python-security.yml reusable workflow. Each space-separated ID is passed to pip-audit --ignore-vuln.
  • Extract audit logic to scripts/run-pip-audit.sh (workflow linter blocks complex inline bash). Fetched via sparse checkout from the same .github repo at runtime.

Why

Calling repos can acknowledge specific transitive vulnerabilities with no upstream fix — narrow per-CVE acceptance, not blanket disable. Each ignored ID is documented in the calling repo's ci-gate.yml with a comment linking to a tracking issue.

Triggered by JacobPEvans/mlx-benchmarks#19: lm-eval[api]==0.4.11 transitively depends on sqlitedict 2.1.0 (GHSA-g4r7-86gm-pgqc / CVE-2024-35515), no upstream patch. CVE is local-deserialization; dep is in lm-eval's caching layer only.

Behavior

  • ignore-vulns is optional; existing callers continue to work unchanged.
  • New findings always fail the build — only IDs in the explicit list are skipped.
  • Ignored IDs should be documented in the calling repo with a tracking issue.

Test plan

  • Workflow YAML syntax (actionlint)
  • After merge: mlx-benchmarks#19 validates end-to-end

@JacobPEvans
feat: add ignore-vulns input to _python-security reusable workflow
3522a2c 
Allows calling repos to acknowledge specific transitive vulnerabilities
that have no upstream fix available, while continuing to enforce
pip-audit for all other findings.

Each ignored ID is documented in the calling repo's ci-gate.yml call site
with a comment linking to a tracking issue. This is per-CVE acceptance,
not a blanket disable — new findings still fail the build.

Triggered by mlx-benchmarks: lm-eval[api]==0.4.11 transitively depends
on sqlitedict 2.1.0 (GHSA-g4r7-86gm-pgqc / CVE-2024-35515) which has no
upstream patch. The CVE is local-deserialization and the dep is loaded
only inside lm-eval's caching layer in CI-isolated workloads.

The audit logic moved into scripts/run-pip-audit.sh because the workflow
linter blocks complex inline bash. The script is fetched via sparse
checkout from the same .github repo at workflow runtime.
Copilot AI review requested due to automatic review settings April 25, 2026 23:53
@gemini-code-assist
Copy link
Copy Markdown

gemini-code-assist Bot commented Apr 25, 2026

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the _python-security reusable workflow by introducing the ability to ignore specific, documented vulnerabilities. This allows teams to acknowledge and bypass known transitive dependency issues that lack upstream fixes, while maintaining strict security enforcement for all other findings.

Highlights

  • New ignore-vulns input: Added an optional ignore-vulns input to the _python-security.yml workflow to allow skipping specific vulnerability IDs.
  • Audit logic extraction: Moved complex pip-audit logic into a new standalone script at scripts/run-pip-audit.sh to improve maintainability and bypass workflow linter constraints.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/_python-security.yml
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

The audit runs with careful eyes, / To catch the bugs that we despise. / But when a fix is nowhere near, / We add an ignore to keep it clear.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

JacobPEvans added a commit to JacobPEvans/mlx-benchmarks that referenced this pull request Apr 25, 2026
@JacobPEvans
fix: add narrow OSV/pip-audit suppression for sqlitedict CVE
85dcf0d 
Final CI Gate fix: add documented per-CVE acknowledgement for
GHSA-g4r7-86gm-pgqc (sqlitedict 2.1.0 / CVE-2024-35515) — the unfixable
lm-eval transitive dep flagged on every CI run.

- `osv-scanner.toml`: local override config picked up by the central
  `_osv-scan.yml` reusable workflow. ignoreUntil set to 2026-10-25 to
  force a quarterly review. Reason links to tracking issue #18 and
  documents the exploitability surface.

- `ci-gate.yml`: pass `ignore-vulns: GHSA-g4r7-86gm-pgqc` to the
  `_python-security.yml` reusable workflow. Same documentation pattern
  — comment block above the ID lists the tracking issue, source dep,
  and exploitability assessment.

Both are narrow per-CVE acceptance, not blanket suppressions. New
findings still fail the build. The new `ignore-vulns` input is added
to the central workflow in JacobPEvans/.github#233 — once that merges,
this PR's CI will go green.

Refs: #18 (lm-eval transitive vulns tracking issue),
JacobPEvans/.github#233 (central workflow input).
Copilot AI reviewed Apr 25, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an optional ignore-vulns input to the reusable Python security workflow and moves the pip-audit execution logic into a centralized script fetched at runtime.

Changes:

  • Introduces ignore-vulns workflow input and passes it through to the audit runner.
  • Extracts the inline audit loop into scripts/run-pip-audit.sh.
  • Adds a sparse-checkout step to fetch the centralized audit script before running it.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
scripts/run-pip-audit.sh New Bash helper to run uv export + uvx pip-audit across directories with optional ignored vuln IDs.
.github/workflows/_python-security.yml Adds ignore-vulns input, checks out central script, and executes it instead of inline Bash.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread scripts/run-pip-audit.sh Outdated
Comment thread scripts/run-pip-audit.sh Outdated
Comment thread .github/workflows/_python-security.yml
@JacobPEvans
fix: address copilot review on run-pip-audit.sh
d2ebc4f 
Two improvements from copilot review on PR #233:

- Use a Bash array (`ignore_args+=(--ignore-vuln "$vuln")`) instead of a
  string with intentional word splitting. Removes the SC2086 disable and
  is more robust against future vulnerability IDs that might contain
  whitespace or special characters.

- Wrap each scan iteration in a subshell with
  `trap 'echo "::endgroup::"' EXIT`. Guarantees the GitHub Actions log
  group is closed even if `uv export` or `uvx pip-audit` exits non-zero
  under `set -e`.

The third copilot comment (pin checkout ref) follows the same unpinned
pattern already in `_osv-scan.yml` and is not addressed here — that's a
separate org-wide consistency change.
@JacobPEvans JacobPEvans merged commit 632931d into main Apr 26, 2026
2 checks passed
JacobPEvans added a commit to JacobPEvans/mlx-benchmarks that referenced this pull request Apr 26, 2026
@JacobPEvans
chore: re-trigger CI after JacobPEvans/.github#233 merged
8013a07 
The previous run failed with startup_failure because
`_python-security.yml@main` did not yet declare the `ignore-vulns`
input that ci-gate.yml passes. That input shipped in the merged
`feat: add ignore-vulns input` PR. No code changes here.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JacobPEvans