brew-pip-audit: Bulk auditing Python dependencies in Homebrew with pip-audit

Homebrew is a popular package manager for macOS. Many of the projects it packages are written in Python. In order to ensure reproducible builds, Homebrew precisely pins the version of each Python package a Homebrew formula depends on.

pip-audit is a tool for checking a Python project's dependencies against vulnerability databases in order to determine if there are any known vulnerabilities.

This project takes all of the Python packages depended on by Homebrew formulas and runs them through pip-audit. It then takes those audit results and uses them to submit patches to Homebrew.

The repo

The following things can be found in this repository:

• formula2requirements.rb: Extracts the Python dependencies from Homebrew and writes them out in the requirements.txt format.
• pip-audit-bulk: Runs pip-audit over a directory of requirements.txt files.
• generate-prs.rb: Automatically generates PRs against Homebrew/homebrew-core for formulae with vulnerable dependencies.
• requirements/: The extracted requirements.txt file for each Homebrew formula.
• audits/: The result of pip-audit for each Homebrew formula. There will only be a file present if vulnerabilities were found.

requirements/ and audits/ are automatically refreshed on a daily basis by Github Actions.

Contributing

This repository is automated, but the automation isn't perfect. You can help out by:

• Looking at the skipped file, and trying to figure out why a particular dependency's audit was skipped.
• Looking at the incoming PRs against Homebrew/homebrew-core, and helping debug ones that fail.
• Improving the performance of our automation (it's currently very slow).
• Looking at the action logs for the PR automation, and helping debug/fix formulae and dependencies that can't be auto-updated.