run vulnerability scan

Author: Victoria Hall

eng/templates/jobs/build.yml

@@ -21,4 +21,8 @@ jobs:
           python -m pip install .
         displayName: 'Build python worker'
         # Skip the build stage for SDK and Extensions release branches. This stage will fail because pyproject.toml contains the updated (and unreleased) library version
-        condition: and(eq(variables.isSdkRelease, false), eq(variables.isExtensionsRelease, false), eq(variables['USETESTPYTHONSDK'], false), eq(variables['USETESTPYTHONEXTENSIONS'], false))
+        condition: and(eq(variables.isSdkRelease, false), eq(variables.isExtensionsRelease, false), eq(variables['USETESTPYTHONSDK'], false), eq(variables['USETESTPYTHONEXTENSIONS'], false))
+      - bash: |
+          pip install pip-audit
+          pip-audit -r requirements.txt
+        displayName: 'Run vulnerability scan'

pack/templates/macos_64_env_gen.yml

@@ -12,6 +12,10 @@ steps:
   inputs:
     disableAutoCwd: true
     scriptPath: 'pack/scripts/mac_arm64_deps.sh'
+- bash: |
+    pip install pip-audit
+    pip-audit -r requirements.txt
+  displayName: 'Run vulnerability scan'
 - task: CopyFiles@2
   inputs:
     contents: |

pack/templates/nix_env_gen.yml

@@ -12,6 +12,10 @@ steps:
   inputs:
     disableAutoCwd: true
     scriptPath: 'pack/scripts/nix_deps.sh'
+- bash: |
+    pip install pip-audit
+    pip-audit -r requirements.txt
+  displayName: 'Run vulnerability scan'
 - task: CopyFiles@2
   inputs:
     contents: |

pack/templates/win_env_gen.yml

@@ -12,6 +12,10 @@ steps:
 - task: PowerShell@2
   inputs:
     filePath: 'pack\scripts\win_deps.ps1'
+- bash: |
+    pip install pip-audit
+    pip-audit -r requirements.txt
+  displayName: 'Run vulnerability scan'
 - task: CopyFiles@2
   inputs:
     contents: |