PlannedSecurity · Vuln
Security linting — bandit via ruff S rules
Turn on the flake8-bandit (S) rule family already
bundled in ruff — one line in pyproject.toml, zero new
tools. It catches the Python SAST smells the linter is blind to today:
subprocess(shell=True), assert as a runtime
check, tempfile.mktemp, unsafe yaml.load,
hardcoded secrets and weak hashing. Semgrep Community rules are the
heavier alternative when a finding needs real dataflow.
Complexity S
Impact High
Wow ★★★
0 new deps
PlannedSecurity · Supply chain
Dependency CVE gate — pip-audit
PyPA's pip-audit fails CI when a resolved dependency
matches a known advisory in the OSV / PyPI Advisory database.
Dependabot opens update PRs but never blocks a merge on a live
CVE; a scheduled + PR pip-audit job closes that
gap and covers the dev/test toolchain that ships nothing but can still
run malicious code.
Complexity S
Impact Med
Wow ★★
OSV-backed
PlannedSecurity · Posture
Supply-chain posture — OpenSSF Scorecard
The Scorecard GitHub Action audits ~18 supply-chain signals weekly —
branch protection, token permissions, SHA-pinned actions, dangerous
workflows, signed releases — and publishes results to the Security tab
plus a README badge. Turns "are we set up safely?" into a
tracked, trend-able number for a repo that owns a Trusted-Publisher
release path.
Complexity S
Impact Med
Wow ★★★★
badge-worthy
PlannedSecurity · Secrets
Secret scanning — gitleaks + push protection
Scan the full history and every PR diff for leaked tokens, keys and
PyPI credentials with the free gitleaks action, paired
with GitHub push-protection (free on public repos) so a secret is
blocked before it lands. Cheap insurance for a project whose
release automation trades on trusted identity.
Complexity S
Impact Med
Wow ★★★
pre-commit-able
PlannedQuality · Smell
Complexity & dead-code radar — xenon · vulture
Gate CI on a maintainability grade with xenon (built on
radon) and flag unreachable branches, unused arguments and
orphan helpers with vulture. First target: the
~5,000-line commands/ layer that has no complexity signal
today. Surfaces the structural smells mutation testing can't see.
Complexity M
Impact Med
Wow ★★
commands/ first
PlannedQuality · Platform
Quality dashboard — SonarCloud (free for OSS)
SonarCloud is free for public repos and layers bugs, code smells,
security hotspots, duplication and a coverage overlay into one
dashboard, decorating each PR with a pass/fail quality gate. The
single highest-signal freemium add — one external surface that unifies
everything else in this section.
Complexity M
Impact High
Wow ★★★★★
PR quality gate
PlannedTesting · Bug
Property-based tests — hypothesis on the parsers
Generate adversarial inputs against core/frontmatter and
core/catalog.scan_dir to surface crashes and round-trip
failures the example-based unit tests never think to try — a
dump→parse must round-trip; a scan must never
raise on arbitrary bytes. Complements the gate: mutmut proves the tests
are strict, Hypothesis proves the inputs are wide.
Complexity M
Impact High
Wow ★★★★
finds edge cases
PlannedTesting · Bug
Coverage-guided fuzzing — atheris / OSS-Fuzz
Google's atheris fuzzes the frontmatter and registry
parsers under coverage guidance to mine deep crash inputs; OSS-Fuzz
runs it continuously for free once boost qualifies as an open-source
project. The stretch goal — the highest ceiling for finding the bug
nobody thought to write a test for.
Complexity L
Impact Med
Wow ★★★★
stretch