Roadmap: `uv audit`

[woodruffw]

This is a roadmap/tracking issue for uv audit, including both MVP and post-MVP tracks.

For previous context, see #9189 and #18119.

MVP tasks

• Core CLI scaffolding (this PR)
  • Make universal the default for uv audit #18185
• Audit core (probably a new uv-audit crate): Add a uv-audit crate #18124
• Bulk dependency audits with OSV: Switch to batched OSV queries for uv audit #18394
  • Concurrency controls for bulk fetches should honor the user's CLI settings Plumb top-level concurrency into uv audit #18407
• Result presentation
  • Output/report formatting for uv audit #18193
  • Add links to uv audit output #18392
• Workspace members should not be audited: Filter down to auditable packages #18322
• Groups, extras, etc. should be filtered correctly: Evaluate extras and groups when determining auditable packages #18511
• uv audit should exit with non-zero when there are findings: Exit with nonzero on audit findings #18512
• Unhide uv audit: Unhide uv audit #18540
• Add --service-format and --service-url to uv audit #18571
• Integration tests: Integration tests for uv audit #18673

Post-MVP tasks

• Support for pylock.toml (ref Support passing pylock.toml files into uv audit #18422)
• Support for (locked, hashed) requirements.txt
• Support for machine-readable output formats (e.g. JSON)
• --fix mode
• "Adverse status" reporting per Support for PEP 792 #15254
• Support for other vulnerability DB sources (e.g. PyPI/PYSEC, ecosyste.ms, others?)
• Support ignoring vulnerabilities via CLI and config: uv audit: --ignore and --ignore-until-fixed #18737

[fniessink]

Will there be an option to ignore specific vulnerabilities, like the --ignore-vuln option of pip-audit?

[andrew-monroe]

This is great! Our team is excited to see vulnerability-checking come through uv natively.

Thanks working on this!

[woodruffw]

Will there be an option to ignore specific vulnerabilities, like the --ignore-vuln option of pip-audit?

Yeah, I'll add a roadmap item for that.