
Close Pygments audit exception #195

Merged: seonghobae merged 4 commits into develop from stepwise/default-warning-audit on Apr 30, 2026

@seonghobae
Owner

Summary

  • Locks Pygments to 2.20.0 and removes the stale GHSA-5239-wwwm-4pmq pip-audit exception.
  • Runs Python dependency audit against the synced uv environment with pip-audit --local --strict to avoid resolver/ensurepip toolchain failures while keeping the strict gate.
  • Updates upload-sarif SHA pins in trivy and ossf-scorecard to github/codeql-action v4.35.2 while preserving immutable SHA pinning.

Fixes part of #194.

Verification

  • uv run --project services/analysis-engine pytest services/analysis-engine/tests/test_supply_chain_policy.py -q → 46 passed
  • python3 scripts/checks/verify_supply_chain.py → passed
  • python3 scripts/checks/security_gates.py → passed
  • python3 scripts/checks/verify_docs.py → passed
  • uv run --project services/analysis-engine --with pip-audit==2.8.0 pip-audit --local --strict → No known vulnerabilities found

Security Notes

  • No security gates were disabled or downgraded.
  • The removed vulnerability exception had a patched version available; regression coverage now guards against reintroducing the stale ignore or vulnerable Pygments lock.
  • GitHub Actions remain pinned to immutable SHAs; comments retain the reviewed action version for auditability.

@coderabbitai

coderabbitai Bot commented Apr 30, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c428fa1b-cda7-4376-a6da-74ec2abd47c4

📥 Commits

Reviewing files that changed from the base of the PR and between 7262b32 and 198bc39.

📒 Files selected for processing (1)
  • services/analysis-engine/tests/test_supply_chain_policy.py

📝 Walkthrough

Summary by CodeRabbit

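Release notes

  • Chores

    • Updated the references of the GitHub Actions SARIF upload actions to the latest commit (v4.35.2)
    • Simplified the Python dependency audit procedure: changed to run pip-audit --local --strict directly in the service environment and removed the existing ignore for a specific vulnerability
  • Documentation

    • Updated the vulnerability exception documentation: removed the specific exception and stated that the Pygments version is pinned (2.20.0)
  • Tests

    • Added regression tests that verify consistency across the security audit workflow, documentation, and lock file

Walkthrough

Updates the pinned commit SHA of the GitHub Actions SARIF upload action, simplifies the security-audit workflow to run pip-audit directly in the uv environment and removes the Pygments-related CI exception, updates the documentation, and adds regression tests that verify these changes.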

Changes

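| Cohort / File(s) | Summary |
|---|---|
| SARIF upload action update: .github/workflows/ossf-scorecard.yml, .github/workflows/trivy.yml | Changed the pinned commit SHA of github/codeql-action/upload-sarif from v4.34.1 to v4.35.2 (the condition and sarif input are unchanged). |
| Security audit workflow: .github/workflows/security-audit.yml | Changed the pip-audit run from generating a requirements file to uv run ... pip-audit --local --strict, and removed the specific GHSA ignore entry (GHSA-5239-wwwm-4pmq) from CI. |
| Documentation, vulnerability exceptions and policy: docs/security/dependency-policy.md | Removed the Pygments-related GHSA exception wording and updated the document to reflect that Pygments is pinned to 2.20.0. |
| Added supply-chain/security regression tests: services/analysis-engine/tests/test_supply_chain_policy.py | Added test functions that verify how the security-audit workflow invokes the audit and that the ignore entry is absent, and that check Pygments is pinned to 2.20.0 in services/analysis-engine/uv.lock. |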

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🐰 Mending feathers on the new actions,
quietly letting the old exception go,
pygments is tied to 2.20.0,
the audit runs strictly under uv,
and the tests were checked with a rabbit's paw! 🥕✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title 'Close Pygments audit exception' clearly summarizes the main goal of the change: removing the stale pip-audit exception and pinning Pygments. |
| Description check | ✅ Passed | The PR description is related to the changes and covers the Pygments lock, the pip-audit configuration change, the GitHub Actions SHA update, the verification results, and the security notes. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@.github/workflows/trivy.yml`:
- Line 36: The action pin currently in use,
"github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225",
does not match the actual SHA of the v4.35.2 tag; to update, find that action
reference and replace
"github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225"
with the actual SHA of the v4.35.2 tag,
"7fc6561ed893d15cec696e062df840b21db27eb0" (recommended), or document the
justification for using a different SHA by clearly stating the reason for the
change in a comment.

In `@services/analysis-engine/tests/test_supply_chain_policy.py`:
- Around line 105-110: Replace the fragile substring assertions against the
uv.lock contents with a real TOML parse of the lockfile string (the
python_lockfile variable) and assert the parsed package entry for "pygments" has
version "2.20.0" and not "2.19.2"; implement by loading python_lockfile via a
TOML parser (tomllib for Python ≥3.11 or tomli as a fallback), navigate to the
packages table/list that contains package name/version entries, find the entry
where name == "pygments" and assert its version equals "2.20.0" and not "2.19.2"
(replace the current string membership checks for pygments with these parsed
checks).

📥 Commits

Reviewing files that changed from the base of the PR and between 7007825 and f1adf62.

⛔ Files ignored due to path filters (1)
  • services/analysis-engine/uv.lock is excluded by !**/*.lock
📒 Files selected for processing (5)
  • .github/workflows/ossf-scorecard.yml
  • .github/workflows/security-audit.yml
  • .github/workflows/trivy.yml
  • docs/security/dependency-policy.md
  • services/analysis-engine/tests/test_supply_chain_policy.py

Comment thread .github/workflows/trivy.yml Outdated
Comment thread services/analysis-engine/tests/test_supply_chain_policy.py Outdated

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@services/analysis-engine/tests/test_supply_chain_policy.py`:
- Around line 5-7: The import block in test_supply_chain_policy.py is misordered
causing Ruff I001; reorder and group the imports per PEP8/Ruff: standard library
first (re, importlib), then third-party, then local, and sort alphabetically
within groups — specifically change the lines importing re, importlib, and Path
from pathlib so they follow alphabetical/grouped order (i.e., import importlib,
import re, from pathlib import Path or standard-library alphabetical order) to
resolve the I001 lint error.

📥 Commits

Reviewing files that changed from the base of the PR and between f1adf62 and be2431c.

📒 Files selected for processing (3)
  • .github/workflows/ossf-scorecard.yml
  • .github/workflows/trivy.yml
  • services/analysis-engine/tests/test_supply_chain_policy.py

Comment thread services/analysis-engine/tests/test_supply_chain_policy.py Outdated

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@services/analysis-engine/tests/test_supply_chain_policy.py`:
- Around line 106-109: The test currently only checks dependency_policy for the
pip-audit flags, so add an assertion that verifies the workflow string also
contains the same flags to prevent false positives; specifically, in
services/analysis-engine/tests/test_supply_chain_policy.py update the test to
assert that the variable workflow includes "pip-audit --local --strict" (similar
to the existing check on dependency_policy) so the workflow and
dependency_policy are both validated.

📥 Commits

Reviewing files that changed from the base of the PR and between be2431c and 7262b32.

📒 Files selected for processing (1)
  • services/analysis-engine/tests/test_supply_chain_policy.py

Comment thread services/analysis-engine/tests/test_supply_chain_policy.py
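
The two test-hardening suggestions in the review comments above (parse uv.lock instead of matching substrings, and check the workflow text itself for the pip-audit flags), as an added example that is not code from this PR or repository. The lockfile and workflow snippets are constructed samples, `example-pkg` is a hypothetical package, and the helper names `locked_versions` and `audit_gate_problems` are assumptions.

```python
import re

try:
    import tomllib  # Python >= 3.11
except ModuleNotFoundError:
    import tomli as tomllib  # same API on older interpreters

# Constructed samples, not the repository's real files.
SAMPLE_LOCK = '''
version = 1

[[package]]
name = "pygments"
version = "2.20.0"
source = { registry = "https://pypi.org/simple" }

[[package]]
name = "example-pkg"  # hypothetical package that happens to be at 2.19.2
version = "2.19.2"
dependencies = [{ name = "pygments" }]
'''
SAMPLE_WORKFLOW = '''
      - name: Audit Python dependencies
        run: uv run --project services/analysis-engine --with pip-audit==2.8.0 pip-audit --local --strict
'''


def _norm(name):
    """Normalise a distribution name so 'Pygments' matches 'pygments'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def locked_versions(lock_text, name):
    """Return every version recorded for `name` in uv.lock [[package]] tables."""
    packages = tomllib.loads(lock_text).get("package", [])
    return [p["version"] for p in packages
            if _norm(p.get("name", "")) == _norm(name) and "version" in p]


def audit_gate_problems(workflow_text, stale_id):
    """List the ways the workflow's audit step departs from the stated policy."""
    problems = []
    if "pip-audit --local --strict" not in workflow_text:
        problems.append("pip-audit is not run with --local --strict")
    if stale_id in workflow_text:
        problems.append("stale exception " + stale_id + " is still referenced")
    return problems
```

In the sample, the string "2.19.2" appears in the lockfile because an unrelated package is at that version, so a substring assertion would fail even though Pygments is correctly locked; the parsed lookup is not affected.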
@seonghobae seonghobae enabled auto-merge (squash) April 30, 2026 14:08
@seonghobae
Owner Author

@coderabbitai resolve

@seonghobae seonghobae merged commit 2cc1615 into develop Apr 30, 2026
22 checks passed
@coderabbitai

coderabbitai Bot commented Apr 30, 2026

✅ Actions performed

Comments resolved and changes approved.
