
doc: update readme #50

Merged
lhoupert merged 2 commits into main from doc/update-readme-with-news
Mar 30, 2026

Conversation

@lhoupert
Collaborator

This pull request significantly expands and clarifies the README.md documentation for the action-python-security-auditing GitHub Action. The updates provide detailed guidance on permissions, usage scenarios for various Python dependency managers, advanced configuration options, and clarify output artifacts and integration with GitHub security features.

The most important changes are:

Permissions and GitHub Integration:

  • Added a new section specifying the required GitHub Actions permissions (contents: read, pull-requests: write, security-events: write) for different features, and clarified when each is needed.
  • Documented that Bandit and pip-audit result sections in PR comments now include direct links to GitHub Code Scanning and Dependabot security alerts, when running in a GitHub repository context.

Usage Examples and Configuration:

  • Expanded usage examples to show how to use the action with various package managers (uv, Poetry, Pipenv, plain requirements), how to scan multiple directories, and how to configure for monorepos or subdirectories via working_directory.
  • Added advanced usage scenarios, including dependency-audit-only mode, strict security gate configuration, gradual adoption (audit-only), scheduled audits on the default branch, and support for multiple workflows posting separate PR comments.

Outputs and Artifacts:

  • Clarified the meaning of each output, especially that the Bandit SARIF report is uploaded both as an artifact and directly to GitHub Code Scanning, making findings visible in the repository’s Security tab if permissions are set.
  • Added documentation for the debug input, explaining how to enable verbose debug logging.

@lhoupert lhoupert merged commit 26fed45 into main Mar 30, 2026
1 check passed
@lhoupert lhoupert deleted the doc/update-readme-with-news branch March 30, 2026 13:11
@github-actions
Contributor

Security Audit Report

View workflow run

Bandit — Static Security Analysis (Security tab)

12 issue(s) found: 12 low

✅ No issues at or above HIGH severity.

12 low issue(s) below threshold not shown in table.

pip-audit — Dependency Vulnerabilities (Security tab)

| Package | Version | ID | Fix Versions | Description |
|---|---|---|---|---|
| pygments | 2.19.2 | CVE-2026-4539 | none | A security flaw has been discovered in pygments up to 2.19.2. The impacted element is the function AdlLexer of the file |

1 vulnerability found (0 fixable) across 1 package.


Result: ✅ No blocking issues found.
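The report above is the product of a gate decision: twelve LOW findings are counted but hidden because they sit below the HIGH threshold, and a dependency advisory with no fix version is listed without blocking the merge. The block below is an added illustration of that gating logic, written here rather than taken from the action's code base; it also covers the strict versus audit-only modes the PR description mentions. The JSON field names (`results`/`issue_severity` for Bandit, `dependencies`/`vulns`/`fix_versions` for pip-audit) follow those tools' `-f json` output as I know it and should be treated as assumptions; `mode`, `fail_on_unfixable` and every function name are mine, not inputs of the action. The sample documents are constructed; the package, version and CVE identifier in them are copied from the report above.

```python
"""Security gate over Bandit and pip-audit JSON output.

Added illustration, not the action's own code. Field names follow what
`bandit -f json` and `pip-audit -f json` emit as I know them (assumption:
check against your tool versions). All sample data is constructed.
"""
import json

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def make_bandit_doc(severities):
    """Constructed Bandit-style document with one finding per severity listed."""
    results = [
        {"test_id": "B101", "issue_severity": sev,
         "filename": f"src/mod{i}.py", "line_number": 10 + i}
        for i, sev in enumerate(severities)
    ]
    return json.dumps({"results": results})


def make_pip_audit_doc(vulns):
    """Constructed pip-audit-style document from (package, version, id, fix_versions) tuples."""
    deps = {}
    for pkg, ver, vid, fixes in vulns:
        deps.setdefault((pkg, ver), []).append(
            {"id": vid, "fix_versions": list(fixes), "description": "constructed"})
    return json.dumps({"dependencies": [
        {"name": pkg, "version": ver, "vulns": v} for (pkg, ver), v in deps.items()]})


# Samples mirroring the report above: 12 LOW Bandit findings, one unfixable advisory.
BANDIT_SAMPLE = make_bandit_doc(["LOW"] * 12)
PIP_AUDIT_SAMPLE = make_pip_audit_doc([("pygments", "2.19.2", "CVE-2026-4539", [])])


def bandit_summary(raw, threshold="HIGH"):
    """Count findings per severity and split out those at or above `threshold`."""
    results = json.loads(raw).get("results", [])
    cutoff = SEVERITY_RANK[threshold.upper()]
    by_severity = {}
    for r in results:
        sev = r["issue_severity"].lower()
        by_severity[sev] = by_severity.get(sev, 0) + 1
    blocking = [r for r in results if SEVERITY_RANK[r["issue_severity"].upper()] >= cutoff]
    return {"total": len(results), "by_severity": by_severity,
            "blocking": blocking, "hidden": len(results) - len(blocking)}


def pip_audit_summary(raw):
    """Flatten dependencies into vulnerability rows; separate fixable from unfixable."""
    rows = []
    for dep in json.loads(raw).get("dependencies", []):
        for v in dep.get("vulns", []):
            rows.append({"package": dep["name"], "version": dep["version"],
                         "id": v["id"], "fix_versions": v.get("fix_versions", [])})
    return {"rows": rows,
            "packages": len({r["package"] for r in rows}),
            "fixable": [r for r in rows if r["fix_versions"]],
            "unfixable": [r for r in rows if not r["fix_versions"]]}


def evaluate_gate(bandit_raw, audit_raw, *, threshold="HIGH", mode="strict",
                  fail_on_unfixable=False):
    """Return (blocking, reasons).

    mode="audit"  : report only, never block (gradual adoption).
    mode="strict" : block on Bandit findings at/above `threshold` and on any
                    dependency vulnerability that has a fix version.
    fail_on_unfixable: assumed extra option; also block when no fix exists
                    (the report above does not do this).
    """
    b = bandit_summary(bandit_raw, threshold)
    p = pip_audit_summary(audit_raw)
    reasons = [f"bandit {r['test_id']} {r['issue_severity']} at "
               f"{r['filename']}:{r['line_number']}" for r in b["blocking"]]
    reasons += [f"{r['package']} {r['version']} {r['id']} "
                f"(fix: {', '.join(r['fix_versions'])})" for r in p["fixable"]]
    if fail_on_unfixable:
        reasons += [f"{r['package']} {r['version']} {r['id']} (no fix available)"
                    for r in p["unfixable"]]
    return (mode == "strict" and bool(reasons)), reasons


def render_report(bandit_raw, audit_raw, threshold="HIGH", **gate_opts):
    """Produce the same summary lines as the bot comment above."""
    b = bandit_summary(bandit_raw, threshold)
    p = pip_audit_summary(audit_raw)
    blocking, reasons = evaluate_gate(bandit_raw, audit_raw, threshold=threshold, **gate_opts)
    counts = ", ".join(f"{n} {sev}" for sev, n in sorted(b["by_severity"].items()))
    lines = [f"{b['total']} issue(s) found: {counts}"]
    if b["blocking"]:
        lines.append(f"{len(b['blocking'])} issue(s) at or above {threshold} severity.")
    else:
        lines.append(f"No issues at or above {threshold} severity.")
    lines.append(f"{len(p['rows'])} vulnerability(ies) found ({len(p['fixable'])} fixable) "
                 f"across {p['packages']} package(s).")
    if blocking:
        lines.append("Result: blocking issues found: " + "; ".join(reasons))
    else:
        lines.append("Result: No blocking issues found.")
    return lines


if __name__ == "__main__":
    print("\n".join(render_report(BANDIT_SAMPLE, PIP_AUDIT_SAMPLE)))
```

Run as a script it reproduces the four summary lines of the report above. The policy decision worth noticing is the unfixable case: an advisory with no fix version cannot be resolved by bumping a pin, so a gate that blocks on it stalls every PR until upstream ships a release; treating it as non-blocking, as the report does, is the usual choice, with `fail_on_unfixable` there for teams that prefer to surface it loudly.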
