audit Module (stx.audit)
SciTeX Audit Module
Unified security scanning by orchestrating bandit (Python), shellcheck (shell), pip-audit (deps), and GitHub alerts.
- Usage:
from scitex_audit import audit, check_github_alerts
results = audit(“.”) results = audit(“.”, checks=[“python”, “shell”])
# GitHub alerts directly (absorbed from scitex-security per ADR-0001): alerts = check_github_alerts()
- scitex.audit.audit(path='.', checks=None, output_file=None)[source]
Run security audit across multiple tools.
- Parameters:
- Returns:
Keys are check names, values have {status, findings, summary}.
- Return type:
- exception scitex.audit.GitHubSecurityError[source]
Bases:
ExceptionRaised when GitHub security operations fail.
- scitex.audit.check_github_alerts(repo=None, *, auth_check=None, secrets_fn=None, dependabot_fn=None, code_scanning_fn=None)[source]
Check all GitHub security alerts.
- Parameters:
repo (
Optional[str]) – Repository in format ‘owner/repo’. If None, uses current repo.auth_check (
Optional[Callable[[],bool]]) –check_gh_auth-shaped callable. Override in tests.secrets_fn (
Optional[Callable]) –get_secret_alerts-shaped callable. Override in tests.dependabot_fn (
Optional[Callable]) –get_dependabot_alerts-shaped callable. Override in tests.code_scanning_fn (
Optional[Callable]) –get_code_scanning_alerts-shaped callable. Override in tests.
- Returns:
‘secrets’, ‘dependabot’, ‘code_scanning’
- Return type:
Dictionary with keys
- Raises:
GitHubSecurityError – If GitHub CLI is not installed or not authenticated
- scitex.audit.get_latest_alerts_file(security_dir=None)[source]
Get path to the latest security alerts file.
- scitex.audit.save_alerts_to_file(alerts, output_dir=None, create_symlink=True)[source]
Save alerts to a timestamped file.
- Parameters:
alerts (
Dict[str,List[Dict]]) – Dictionary of alerts from check_github_alerts()output_dir (
Optional[Path]) – Directory to save file. Defaults to~/.scitex/audit/github-alerts/runtime/(or the project- scope equivalent when inside a git repo, or$SCITEX_AUDIT_DIR).create_symlink (
bool) – If True, create ‘security-latest.txt’ symlink
- Return type:
- Returns:
Path to saved file