Add a pip audit command/task

[tonybaloney]

I'm looking for a solution to automatically scan the packages in my selected interpreter for a workspace and raise warning/log messages on the UI when there are security vulnerabilities.

pip-audit is a tool for scanning Python environments for packages
with known vulnerabilities. It uses the Python Packaging Advisory Database
(https://github.com/pypa/advisory-db) via the
PyPI JSON API as a source
of vulnerability reports.

So far, the best I can come up with is a task to run pip-audit on project, but this has to be configured per-project, there is no way I can find to have this for all projects with a configured interpreter.

{
    "version": "2.0.0",
    "tasks": [
        {
            "label": "Pip Audit",
            "type": "shell",
            "command": "${command:python.interpreterPath}",
            "args": ["-m", "pip_audit"],
            "isBackground": true,
            "group": "none",
            "runOptions": {
                "runOn": "folderOpen",
            },
        },
    ]
}

This required a module-entry point for pip-audit, which is implemented but unreleased.

This feature doesn't really fit into the linters integrations, as its not specific to the current file.

Expectations:

1. I can run an audit task on demand via the command pallette
2. Task is run on project open
3. The audit task uses the currently-installed packages in the selected interpreter and reports against the vulnerability database
4. Use of pip-audit not required, if other solutions are available

[karthiknadig]

Thanks for the feature request! We are going to give the community 60 days from when this issue was created to provide 7 👍 upvotes on the opening comment to gauge general interest in this idea. If there's enough upvotes then we will consider this feature request in our future planning. If there's unfortunately not enough upvotes then we will close this issue.

[woodruffw]

One of the pip-audit authors here: thanks for looking into integrating this so rapidly! We're excited to see editors and IDEs use our tool!

[brettcannon]

Thank you to everyone who upvoted this issue! Since the community showed interest in this feature request we will leave this issue open as something to consider implementing at some point in the future.

We do encourage people to continue 👍 the first/opening comment as it helps us prioritize our work based on what the community seems to want the most.

[karthiknadig]

After discussing this feature, we concluded that it would be a better fit as a linter extension. To support this idea, please consider upvoting the related issue on Ruff's GitHub: astral-sh/ruff#8277.

Ruff already has a VS Code extension, so once this feature is integrated, it should automatically become available in that ecosystem.

For those interested in contributing, you can build a dedicated extension with pip-audit using Microsoft's VS Code Python Tools Extension Template.