From 4a9ebccec33fe0ad3deae7d49ea3c9c9a2deb69c Mon Sep 17 00:00:00 2001
From: Aryamanz29
Date: Thu, 2 Jan 2025 17:00:17 +0530
Subject: [PATCH] FT-876: Added `OSV` vulnerability-scan job to the CI

---
 .github/workflows/pyatlan-pr.yaml | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/pyatlan-pr.yaml b/.github/workflows/pyatlan-pr.yaml
index 384f64a3d..e75aa7cae 100644
--- a/.github/workflows/pyatlan-pr.yaml
+++ b/.github/workflows/pyatlan-pr.yaml
@@ -5,7 +5,35 @@ on:
   workflow_dispatch:
 
 jobs:
+  vulnerability-scan:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [3.8, 3.9]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - uses: pypa/gh-action-pip-audit@v1.1.0
+        with:
+          # Since we used pytest for dev
+          # ("py" -> library is in maintenance mode)
+          # We can ignore this vulnerability here
+          # Reference: https://github.com/pytest-dev/py
+          ignore-vulns: |
+            PYSEC-2022-42969
+          summary: true
+          vulnerability-service: osv
+          inputs: requirements.txt requirements-dev.txt
+
   qa-checks-and-unit-tests:
+    needs: [vulnerability-scan]
     runs-on: ubuntu-latest
     outputs:
       files: ${{ steps.distribute-integration-test-files.outputs.files }}
@@ -50,7 +78,7 @@ jobs:
         echo "files=$json_files" >> $GITHUB_OUTPUT
 
   integration-tests:
-    needs: [qa-checks-and-unit-tests]
+    needs: [vulnerability-scan, qa-checks-and-unit-tests]
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
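Review bot: The three new `uses:` lines (`actions/checkout@v4`, `actions/setup-python@v5`, `pypa/gh-action-pip-audit@v1.1.0`) pin third-party actions to mutable tags, so a moved or force-pushed tag would silently change what runs inside a job whose whole purpose is supply-chain hygiene; pin each to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: pypa/gh-action-pip-audit@<full-commit-sha>  # v1.1.0`. The job also inherits whatever default `GITHUB_TOKEN` permissions the workflow has — the top of the file is outside this hunk, so if there is no top-level `permissions:` yet, add a job-level `permissions:` block with `contents: read`, which is all a checkout-plus-audit needs. The `ignore-vulns` suppression of `PYSEC-2022-42969` is open-ended; I would extend the comment with the date it was reviewed and the condition for removing it (for example, once `py` is no longer pulled in by the dev requirements) so it does not outlive its justification. Minor: quote the matrix entries (`python-version: ["3.8", "3.9"]`) so that a later `3.10` is not parsed as the float `3.1`.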
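Review bot: The `vulnerability-scan` entry added to `integration-tests`' `needs` looks redundant: the first hunk already makes `qa-checks-and-unit-tests` depend on `vulnerability-scan`, and `integration-tests` keeps its dependency on `qa-checks-and-unit-tests`, so the scan is a transitive prerequisite either way; keeping the original `needs: [qa-checks-and-unit-tests]` avoids maintaining the same dependency in two places. More broadly, chaining every job behind the audit means a newly published advisory for any pinned dependency blocks all PR checks until it is suppressed or upgraded; if that is not the intended policy, consider letting the scan run in parallel with the test jobs or setting `continue-on-error: true` on it while the process settles. The `integration-tests` job body continues past the end of this hunk.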