From 48fe2f68790064b7361dbc1584e58e0e203f214a Mon Sep 17 00:00:00 2001
From: Alexander Hess
Date: Tue, 4 Aug 2020 23:16:15 +0200
Subject: [PATCH] Add security checks for the dependencies

- add a nox session "safety"
---
 noxfile.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/noxfile.py b/noxfile.py
index b743fb8..8fdfc1f 100644
--- a/noxfile.py
+++ b/noxfile.py
@@ -36,6 +36,7 @@ nox.options.sessions = (
     'lint',
     f'test-{MAIN_PYTHON}',
     f'test-{NEXT_PYTHON}',
+    'safety',
 )
 
 
@@ -197,6 +198,27 @@ def pre_merge(session):
     test(session)
 
 
+@nox.session(python=MAIN_PYTHON)
+def safety(session):
+    """Check the dependencies for known security vulnerabilities."""
+    _begin(session)
+    # We do not pin the version of `safety` to always check with
+    # the latest version. The risk this breaks the CI is rather low.
+    session.install('safety')
+    with tempfile.NamedTemporaryFile() as requirements_txt:
+        session.run(
+            'poetry',
+            'export',
+            '--dev',
+            '--format=requirements.txt',
+            f'--output={requirements_txt.name}',
+            external=True,
+        )
+        session.run(
+            'safety', 'check', f'--file={requirements_txt.name}', '--full-report',
+        )
+
+
 def _begin(session):
     """Show generic info about a session."""
     if session.posargs:
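Review bot: The comment above `session.install('safety')` weighs only the risk that an unpinned scanner breaks CI, not that a compromised or hijacked release of `safety` would execute inside the CI job with whatever credentials that job holds, so installing a security tool from PyPI at floating latest is itself a supply-chain exposure. Pin it to a release you have vetted and let the same update process that bumps the other dev tools move the pin, e.g. `session.install('safety==<vetted version>')`, ideally through a constraints file with `--require-hashes` so pip verifies the artifact before running it. Separately, `tempfile.NamedTemporaryFile()` holds the file open while `poetry export` writes to it by path, which works on POSIX but fails on Windows where an open temporary file cannot be reopened by another process; if the CI matrix ever includes Windows, `delete=False` with explicit cleanup or a `TemporaryDirectory()` is the portable form. The `tempfile` import is not visible in this hunk, so I am assuming it already exists at module top.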