From 1803a93e98f6a52631286e3814bc5bb384e170ea Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Wed, 24 Sep 2025 10:03:56 +0530
Subject: [PATCH] Scan dependencies for vulnerabilities in CI
---
 .github/workflows/depscan.yml | 37 +++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/workflows/depscan.yml
diff --git a/.github/workflows/depscan.yml b/.github/workflows/depscan.yml
new file mode 100644
index 0000000000..e94a8518ad
--- /dev/null
+++ b/.github/workflows/depscan.yml
@@ -0,0 +1,37 @@
+name: Depscan
+on:
+ push:
+ branches: [master]
+ schedule:
+ - cron: '0 12 * * 5'
+
+env:
+ CI: 'true'
+ ASAN_OPTIONS: detect_leaks=0
+ LC_ALL: en_US.UTF-8
+ LANG: en_US.UTF-8
+
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
+jobs:
+ dependecy-scanner:
+ name: Scan dependencies for vulnerabilities
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 10
+ persist-credentials: false
+
+ - name: Checkout bypy
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 1
+ persist-credentials: false
+ repository: kovidgoyal/bypy
+ path: bypy-src
+
+ - name: Check dependencies
+ run: python setup/unix-ci.py check-dependencies
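Review bot: The `Checkout bypy` step has no `ref:`, so every push and weekly run fetches whatever is at the head of the default branch of `kovidgoyal/bypy`, and both checkout steps use the movable tag `actions/checkout@v5`. For a job whose purpose is catching vulnerable dependencies, pinning both inputs keeps the scanner's own supply chain fixed: `uses: actions/checkout@<full-commit-sha>  # v5` on both steps and `ref: <bypy-commit-sha>` under the second `with:` (both values are placeholders to fill in from the real commits). Whether `setup/unix-ci.py check-dependencies` executes code from `bypy-src` is not visible in this patch, though the checkout suggests it does. `permissions: contents: read` and `persist-credentials: false` already limit what a compromised step could do with the token. Separately, the job id `dependecy-scanner` looks like a typo for `dependency-scanner`.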