feat(ci): add pip-audit dependency CVE scanning #1020

@WilliamBerryiii

Summary

Add pip-audit as a CI step to scan the PowerPoint skill's Python dependencies for known CVEs. The codebase depends on libraries with C extensions (pymupdf, lxml) and complex XML processing (python-pptx, pyyaml) where dependency vulnerabilities represent a significant risk vector. CodeQL does not cover dependency vulnerabilities — it provides SAST for the project's own code only.

Context

This is Phase 2 of the Python Security Testing & Fuzzing Initiative. pip-audit was selected because:

  • Uses fully open vulnerability databases (PyPI Advisory Database, OSV) with no paid tier
  • Maintained by Trail of Bits and PyPA
  • Simple CLI integration — single command in CI
  • Covers CVEs in C extensions (PyMuPDF/MuPDF, lxml) that cannot be caught by Python-level testing
  • Selected over Safety CLI which requires payment for full vulnerability database coverage

Implementation

CI Integration

Add to an existing or new workflow (e.g., .github/workflows/python-security.yml):

- name: Run pip-audit dependency scan
  run: |
    pip install pip-audit
    # Pass the project directory: -r expects a requirements-format file, not pyproject.toml
    pip-audit .github/skills/experimental/powerpoint -f json -o logs/pip-audit-results.json

Dependencies Scanned

The following dependencies in .github/skills/experimental/powerpoint/pyproject.toml will be covered:

| Dependency | Risk Profile | Notes |
| --- | --- | --- |
| python-pptx | Medium — XML processing | Parses Office Open XML format |
| pyyaml | Medium — deserialization | safe_load mitigates most risks but library CVEs still apply |
| pymupdf | High — C extension (MuPDF) | PDF processing with known CVE history in MuPDF |
| lxml | High — C extension (libxml2) | XML parsing with XXE attack surface |
| github-copilot-sdk | Low | API client |
| cairosvg | Medium — C extension | Listed in deps but currently unused |
| Pillow | Medium — C extension | Listed in deps but currently unused |

Output

Results are written to logs/pip-audit-results.json following the project convention for validation output (gitignored logs/ directory).

RPI Framework

task-researcher

  • Determine the appropriate workflow file for the pip-audit step (existing pr-validation.yml or new python-security.yml)
  • Check if pip-audit supports pyproject.toml directly or requires requirements.txt generation
  • Evaluate pip-audit configuration options (vulnerability sources, severity thresholds, output formats)
  • Check if the project has a uv lock file that pip-audit can consume

task-planner

  • Design the workflow step placement (separate job vs step in existing job)
  • Define failure thresholds (fail on any CVE vs severity-based)
  • Plan logs/ output format consistent with other validation scripts
  • Decide on pip-audit version pinning strategy

task-implementor

  • Add pip-audit CI step to the appropriate workflow file
  • Configure JSON output to logs/pip-audit-results.json
  • Set appropriate failure thresholds
  • Add npm run script for local execution consistency (if applicable)
  • Test with current dependency set to establish baseline
  • Document the security scanning coverage in project docs

Acceptance Criteria

  • pip-audit runs in CI on every PR that modifies PowerPoint skill files
  • Scan covers all dependencies in .github/skills/experimental/powerpoint/pyproject.toml
  • Results are written to logs/pip-audit-results.json in JSON format
  • CI fails when known CVEs are detected (configurable severity threshold)
  • pip-audit version is pinned for reproducibility
  • No false positives from unused dependencies (cairosvg, Pillow) block CI
  • Local execution path is documented or scripted
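
One way to implement the failure-threshold and unused-dependency criteria above is a small gate over logs/pip-audit-results.json. This is an added example, not code from the issue or the project; the `UNUSED` allowlist, the function names and the sample report (with placeholder advisory IDs) are assumptions, and the JSON layout is the one pip-audit emits with `-f json`.

```python
import json
import re
import sys

# Assumption: the two dependencies the issue lists as declared but unused.
UNUSED = {"cairosvg", "pillow"}

# Constructed sample in pip-audit's `-f json` layout; IDs and versions are placeholders.
SAMPLE = """{"dependencies": [
  {"name": "lxml", "version": "0.0.1",
   "vulns": [{"id": "PLACEHOLDER-0001", "fix_versions": ["0.0.2"], "aliases": []}]},
  {"name": "Pillow", "version": "0.0.1",
   "vulns": [{"id": "PLACEHOLDER-0002", "fix_versions": [], "aliases": []}]},
  {"name": "pyyaml", "version": "0.0.1", "vulns": []},
  {"name": "local-pkg", "skip_reason": "constructed: could not be audited"}
], "fixes": []}"""

def normalize(name):
    """PEP 503 name normalization, so 'Pillow' matches 'pillow'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def triage(report, unused=UNUSED):
    """Split a parsed report into blocking findings, advisory findings and skipped packages."""
    blocking, advisory, skipped = [], [], []
    for dep in report.get("dependencies", []):
        name = normalize(dep["name"])
        if "skip_reason" in dep:  # skipped entries carry no version or vulns
            skipped.append(name)
            continue
        for vuln in dep.get("vulns", []):
            finding = (name, dep["version"], vuln["id"], tuple(vuln.get("fix_versions", [])))
            (advisory if name in unused else blocking).append(finding)
    return blocking, advisory, skipped

def gate(report_text):
    """Print a summary and return the CI exit code: 1 if any blocking finding, else 0."""
    blocking, advisory, skipped = triage(json.loads(report_text))
    for name in skipped:
        print(f"not audited: {name}")
    for name, version, vuln_id, _ in advisory:
        print(f"advisory (unused dependency): {name} {version} {vuln_id}")
    for name, version, vuln_id, fixes in blocking:
        print(f"BLOCKING: {name} {version} {vuln_id} fixed in: {', '.join(fixes) or 'no release yet'}")
    return 1 if blocking else 0

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    sys.exit(gate(text))
```

pip-audit itself exits non-zero when it finds any vulnerability, so the scan step has to tolerate that exit code for this gate to decide the job result. Its JSON output carries no severity field, so a severity-based threshold would need data from another source.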
