ContextualWisdomLab · seonghobae · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026 · Apr 30, 2026
@@ -33,7 +33,7 @@ jobs:
           name: ossf-scorecard-results
           path: results.sarif
           retention-days: 5
-      - uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+      - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 peeled commit; SHA pinning retained as supply-chain attack mitigation.
         if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
         with:
           sarif_file: results.sarif
@@ -35,12 +35,8 @@ jobs:
         run: npm audit --workspaces --audit-level=high
       - name: Sync Python dependencies
         run: uv sync --project services/analysis-engine --group dev --frozen
-      - name: Export Python lock for audit
-        working-directory: services/analysis-engine
-        run: uv export --frozen --no-emit-project --format requirements-txt --no-hashes --output-file requirements-audit.txt
       - name: Audit Python dependencies
-        working-directory: services/analysis-engine
-        run: uvx pip-audit==2.8.0 -r requirements-audit.txt --strict --ignore-vuln GHSA-5239-wwwm-4pmq
+        run: uv run --project services/analysis-engine --with pip-audit==2.8.0 pip-audit --local --strict
       - name: Install stable Rust toolchain
         run: rustup toolchain install stable --profile minimal
       - name: Install cargo-audit

@@ -33,7 +33,7 @@ jobs:
           limit-severities-for-sarif: true
           exit-code: '1'
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 peeled commit; SHA pinning retained as supply-chain attack mitigation.
         if: always()
         with:
           sarif_file: trivy-results.sarif
@@ -99,9 +99,9 @@ Exceptions are allowed only when no patched version exists and the advisory is n
 - exceptions must be encoded in repo-controlled workflow/config (not ad-hoc local commands)
 - exceptions must be reviewed and removed once a patched version becomes available
 
-Current controlled exception:
+Current controlled exceptions:
 
-- `GHSA-5239-wwwm-4pmq` (`Pygments <=2.19.2`) in Python dev/test dependency path; no patched version is available at this time, impact is low/local-access ReDoS, and BandScope does not expose Pygments parsing on untrusted runtime input paths. The CI `security-audit` workflow applies a targeted ignore for this advisory only.
+- No Python vulnerability exceptions are active. `GHSA-5239-wwwm-4pmq` (`Pygments <2.20.0`) was removed by locking `Pygments` to `2.20.0`; the CI `security-audit` workflow must run `pip-audit --local --strict` against the synced `uv` environment without a targeted ignore for that advisory.
 - Cargo audit warnings for legacy `gtk3`, `glib`, and `fxhash` vulnerabilities (e.g. `RUSTSEC-2024-0413`, `RUSTSEC-2024-0429`, `RUSTSEC-2025-0057`) inherited through Tauri v2 `wry`/`webkit2gtk` integration are explicitly allowed. These are deep framework dependencies with no alternative, so they are documented exceptions and ignored by default.
 
 Tracked third-party deprecation signal:

@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+import importlib
 import re
 from pathlib import Path
 
@@ -89,6 +90,34 @@ def test_build_baseline_upload_artifact_pins_are_consistent() -> None:
     assert len(set(pins)) == 1
 
 
+def test_python_security_audit_does_not_ignore_patched_pygments_advisory() -> None:
+    """Ensure patched Python advisories are not left as stale audit ignores."""
+    repo_root = Path(__file__).resolve().parents[3]
+    workflow = (repo_root / ".github" / "workflows" / "security-audit.yml").read_text(
+        encoding="utf-8"
+    )
+    dependency_policy = (repo_root / "docs" / "security" / "dependency-policy.md").read_text(
+        encoding="utf-8"
+    )
+    python_lockfile = (repo_root / "services" / "analysis-engine" / "uv.lock").read_text(
+        encoding="utf-8"
+    )
+
+    assert "--ignore-vuln GHSA-5239-wwwm-4pmq" not in workflow
+    assert "uv run --project services/analysis-engine --with pip-audit==2.8.0" in workflow
+    assert "pip-audit --local --strict" in workflow
+    assert "Pygments <2.20.0" in dependency_policy
+    assert "pip-audit --local --strict" in dependency_policy
+    tomllib = importlib.import_module("tomllib")
+    lock = tomllib.loads(python_lockfile)
+    packages = lock.get("package", [])
+    pygments = [package for package in packages if package.get("name") == "pygments"]
+
+    assert len(pygments) == 1
+    assert pygments[0].get("version") == "2.20.0"
+    assert all(package.get("version") != "2.19.2" for package in pygments)
+
+
 def test_supply_chain_check_requires_ossf_default_branch_guard(
     monkeypatch: pytest.MonkeyPatch, tmp_path: Path
 ) -> None: