Comparing changes
base repository: databricks/databricks-sql-python
base: main
head repository: databricks/databricks-sql-python
compare: vp/security-scan
  • 2 commits
  • 2 files changed
  • 1 contributor

Commits on May 21, 2026

  1. Add OSV-Scanner-based security workflow

    Single workflow, single job, three triggers:
      - pull_request to main: fails on CVSS >= 7 findings only
        (HIGH/CRITICAL block merges; MED/LOW visible but non-blocking)
      - cron weekly (Sunday 00:00 UTC): reports ALL findings via email
      - workflow_dispatch: behaves like cron
    
    Mirrors the JDBC driver's security workflow (databricks-jdbc#1460)
    adapted for Python:
      - Reads poetry.lock natively via OSV-Scanner --lockfile (no
        separate SBOM tool needed)
      - Reuses the existing ./.github/actions/setup-jfrog composite action
        for parity with other workflows (the workflow functionally doesn't
        need JFrog since OSV reads the lockfile directly, but keeping the
        composite action preserves the established pattern)
      - Suppressions in osv-scanner.toml ([[IgnoredVulns]] schema)
    
    The workflow is not yet wired into branch protection. Day-one scan
    against current main surfaces 14 HIGH / 10 MED / 1 LOW (25 total) --
    concentrated in cryptography, urllib3, pyjwt, pyarrow, requests,
    black, pytest, python-dotenv, idna. These will be addressed by a
    follow-up dep-bump PR.
    
    Co-authored-by: Isaac
    Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
    vikrantpuppala committed May 21, 2026
    Commit: 7a66f7f

Commits on Jul 2, 2026

  1. Commit: c1ddd69