build(workflows): add pip-audit CI dependency scanning

[WilliamBerryiii]

Description

Added Python dependency vulnerability scanning through pip-audit at both CI and local execution levels. A new reusable GitHub Actions workflow audits Python projects via uvx pip-audit@2.10.0, with change-detection optimization that skips audits when no dependency files changed. The workflow integrates into PR validation through a matrix job gated on discovered Python projects.

The existing dependency-review workflow gained a license allowlist of 13 OSI-approved SPDX identifiers and OSSF Scorecard display with a warning threshold. A local PowerShell wrapper (Invoke-PipAudit.ps1) mirrors the CI scanning behavior and exposes an audit:pip npm script for developer use. All new functionality includes 11 Pester tests covering discovery, audit execution, and orchestration paths.

CI Pipeline

The reusable workflow bridges the gap between uv-managed lock files and pip-audit's requirements.txt input using uv export.

• Added pip-audit.yml reusable workflow with working-directory, soft-fail, and changed-files-only inputs
• Implemented dependency-file change detection via git diff scoped to pyproject.toml, uv.lock, and requirements*.txt
• Pinned pip-audit to version 2.10.0, all actions SHA-pinned with version comments
  • actions/checkout v4.2.2, astral-sh/setup-uv v7.5.0, actions/setup-python v6.2.0, actions/upload-artifact v4.4.3
• Uploaded JSON audit results as artifacts with 30-day retention
• Set permissions: contents: read at workflow and job level

PR Validation Integration

• Wired pip-audit into pr-validation.yml as a matrix job calling the reusable workflow
• Gated on discover-python-projects output with fail-fast: false and changed-files-only: true

Dependency Review Hardening

• Added license allowlist to dependency-review.yml covering MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, BlueOak-1.0.0, CC0-1.0, Unlicense, CC-BY-4.0, CC-BY-3.0, PSF-2.0, and Python-2.0
• Enabled OSSF Scorecard display with warning threshold at level 3

Local Execution

• Added Invoke-PipAudit.ps1 with Find-PythonProjects, Invoke-PipAuditForProject, and Start-PipAudit functions
• Used try/finally for temporary requirements file cleanup in Invoke-PipAuditForProject
• Followed existing security-script conventions: comment-based help, copyright header, CIHelpers.psm1 import, dot-source guard
• Added audit:pip npm script to package.json

Testing

• Added 11 Pester tests in Invoke-PipAudit.Tests.ps1 across three describe blocks
• Covered project discovery (5 tests), audit execution (2 tests), and orchestration (4 tests)
• Used TestDrive isolation, CI annotation assertions, and dot-source testing pattern

Related Issue(s)

Closes #1020

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

Testing

All validation passed locally:

• Pester tests: 11/11 passing across Find-PythonProjects, Invoke-PipAuditForProject, and Start-PipAudit describe blocks
• PSScriptAnalyzer: Clean analysis on Invoke-PipAudit.ps1
• YAML validation: All workflow files validated
• Copyright headers: All new files include required headers

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 5.9	Details Check Score Reason Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-python	a309ff8b426b58ec0e2a45f0f869d46889d02405	🟢 5.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 3 4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/actions/upload-artifact	bbbca2ddaa5d8feaa63e36b76fdaad77386f024f	🟢 5.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 4 4 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 4 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits
actions/astral-sh/setup-uv	e06108dd0aef18192324c70427afc47652e63a82	Unknown	Unknown

Scanned Files

• .github/workflows/pip-audit.yml

[codecov-commenter]

Codecov Report

❌ Patch coverage is 95.74468% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.02%. Comparing base (26a32ea) to head (8479b82).
⚠️ Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
scripts/security/Invoke-PipAudit.ps1	95.74%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1052      +/-   ##
==========================================
+ Coverage   87.97%   88.02%   +0.04%     
==========================================
  Files          44       45       +1     
  Lines        7835     7882      +47     
==========================================
+ Hits         6893     6938      +45     
- Misses        942      944       +2     

Flag	Coverage Δ
pester	86.91% <95.74%> (+0.07%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
scripts/security/Invoke-PipAudit.ps1	95.74% <95.74%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.