exasol · ArBridgeman · Apr 14, 2026 · Apr 5, 2026 · Apr 6, 2026 · Apr 6, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
diff --git a/.github/workflows/merge-gate.yml b/.github/workflows/merge-gate.yml
@@ -2,6 +2,12 @@ name: Merge-Gate
 
 on:
   workflow_call:
+    inputs:
+      root-event:
+        description: GitHub event triggering the root workflow ci.yml
+        required: false
+        type: string
+        default: unknown
 
 jobs:
   run-fast-checks:
@@ -15,12 +21,15 @@ jobs:
     needs:
       - run-fast-checks
     uses: ./.github/workflows/report.yml
+    with:
+      upload-metrics: false
     secrets: inherit
     permissions:
       contents: read
 
   approve-run-slow-tests:
     name: Approve Running Slow Tests?
+    if: ${{ inputs.root-event != 'schedule' }}
     runs-on: "ubuntu-24.04"
     permissions:
       contents: read

diff --git a/.github/workflows/pr-merge.yml b/.github/workflows/pr-merge.yml
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
diff --git a/doc/changes/changes_0.15.0.md b/doc/changes/changes_0.15.0.md
@@ -24,5 +24,5 @@
 
 ## 🔩 Internal
 
-* Update depdency constraints
-* Relock dependencies
+* Update dependency constraints
+* Relock dependencies
diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
@@ -11,6 +11,8 @@ The `report.yml` is also called after the `checks.yml` completes. This allows us
 to get linting, security, and unit test coverage before running the `slow-checks.yml`,
 as described in the [Pull Request description](https://exasol.github.io/python-toolbox/main/user_guide/features/github_workflows/index.html#pull-request).
 
+This release also adds a `vulnerabilities:resolved` Nox session, which reports GitHub security issues resolved since the last release.
+
 This release fixes a vulnerability by updating the `poetry.lock` file.
 
 | Name   | Version | ID             | Fix Versions | Updated to |
@@ -19,6 +21,10 @@ This release fixes a vulnerability by updating the `poetry.lock` file.
 
 To ensure usage of secure packages, it is up to the user to similarly relock their dependencies.
 
+## Features
+
+* #402: Created nox session `vulnerabilities:resolved` to report resolved GitHub security issues
+
 ## Refactoring
 
 * #764: Updated `action/upload-pages-artifact` from v4 to [v5](https://github.com/actions/upload-pages-artifact/releases/tag/v5.0.0)

diff --git a/doc/user_guide/features/managing_dependencies.rst b/doc/user_guide/features/managing_dependencies.rst
@@ -1,12 +1,17 @@
-Managing dependencies
-=====================
+Managing Dependencies and Vulnerabilities
+=========================================
 
-+--------------------------+------------------+----------------------------------------+
-| Nox session              | CI Usage         | Action                                 |
-+==========================+==================+========================================+
-| ``dependency:licenses``  | ``report.yml``   | Uses ``pip-licenses`` to return        |
-|                          |                  | packages with their licenses           |
-+--------------------------+------------------+----------------------------------------+
-| ``dependency:audit``     | No               | Uses ``pip-audit`` to return active    |
-|                          |                  | vulnerabilities in our dependencies    |
-+--------------------------+------------------+----------------------------------------+
++------------------------------+----------------+-------------------------------------+
+| Nox session                  | CI Usage       | Action                              |
++==============================+================+=====================================+
+| ``dependency:licenses``      | ``report.yml`` | Uses ``pip-licenses`` to return     |
+|                              |                | packages with their licenses        |
++------------------------------+----------------+-------------------------------------+
+| ``dependency:audit``         | No             | Uses ``pip-audit`` to report active |
+|                              |                | vulnerabilities in our dependencies |
++------------------------------+----------------+-------------------------------------+
+| ``vulnerabilities:resolved`` | No             | Uses ``pip-audit`` to report known  |
+|                              |                | vulnerabilities in dependencies     |
+|                              |                | that have been resolved in          |
+|                              |                | comparison to the last release.     |
++------------------------------+----------------+-------------------------------------+
diff --git a/exasol/toolbox/nox/_dependencies.py b/exasol/toolbox/nox/_dependencies.py
@@ -9,17 +9,21 @@
 from exasol.toolbox.util.dependencies.audit import (
     PipAuditException,
     Vulnerabilities,
+    get_vulnerabilities,
+    get_vulnerabilities_from_latest_tag,
 )
 from exasol.toolbox.util.dependencies.licenses import (
     PackageLicenseReport,
     get_licenses,
 )
 from exasol.toolbox.util.dependencies.poetry_dependencies import get_dependencies
+from exasol.toolbox.util.dependencies.track_vulnerabilities import DependenciesAudit
+from noxconfig import PROJECT_CONFIG
 
 
 @nox.session(name="dependency:licenses", python=False)
 def dependency_licenses(session: Session) -> None:
-    """Return the packages with their licenses"""
+    """Report licenses for all dependencies."""
     dependencies = get_dependencies(working_directory=Path())
     licenses = get_licenses()
     license_markdown = PackageLicenseReport(
@@ -30,7 +34,7 @@ def dependency_licenses(session: Session) -> None:
 
 @nox.session(name="dependency:audit", python=False)
 def audit(session: Session) -> None:
-    """Check for known vulnerabilities"""
+    """Report known vulnerabilities."""
 
     try:
         vulnerabilities = Vulnerabilities.load_from_pip_audit(working_directory=Path())
@@ -39,3 +43,14 @@ def audit(session: Session) -> None:
 
     security_issue_dict = vulnerabilities.security_issue_dict
     print(json.dumps(security_issue_dict, indent=2))
+
+
+@nox.session(name="vulnerabilities:resolved", python=False)
+def report_resolved_vulnerabilities(session: Session) -> None:
+    """Report resolved vulnerabilities in dependencies."""
+    path = PROJECT_CONFIG.root_path
+    audit = DependenciesAudit(
+        previous_vulnerabilities=get_vulnerabilities_from_latest_tag(path),
+        current_vulnerabilities=get_vulnerabilities(path),
+    )
+    print(audit.report_resolved_vulnerabilities())
diff --git a/exasol/toolbox/templates/github/workflows/cd.yml b/exasol/toolbox/templates/github/workflows/cd.yml
@@ -15,7 +15,7 @@ jobs:
 
   build-and-publish:
     needs:
-     - check-release-tag
+      - check-release-tag
     name: Build & Publish
     uses: ./.github/workflows/build-and-publish.yml
     permissions:
@@ -25,7 +25,7 @@ jobs:
 
   publish-docs:
     needs:
-     - build-and-publish
+      - build-and-publish
     name: Publish Documentation
     uses: ./.github/workflows/gh-pages.yml
     permissions:

diff --git a/exasol/toolbox/templates/github/workflows/ci.yml b/exasol/toolbox/templates/github/workflows/ci.yml
@@ -11,14 +11,21 @@ jobs:
   merge-gate:
     name: Merge Gate
     uses: ./.github/workflows/merge-gate.yml
+    with:
+      root-event:  ${{ github.event_name }}
     secrets: inherit
     permissions:
       contents: read
 
   report:
+    # Job merge-gate requires manual approval for running the slow checks.  If
+    # current workflow ci.yml is triggered by schedule, there is no manual
+    # interaction, manual approval will never be given, slow checks will not
+    # be executed, merge-gate will never terminate, and the report will never
+    # be called.
     name: Report
     needs:
-     - merge-gate
+      - merge-gate
     uses: ./.github/workflows/report.yml
     secrets: inherit
     permissions:

diff --git a/exasol/toolbox/templates/github/workflows/gh-pages.yml b/exasol/toolbox/templates/github/workflows/gh-pages.yml
@@ -38,7 +38,7 @@ jobs:
 
   deploy-documentation:
     needs:
-     - build-documentation
+      - build-documentation
     permissions:
       contents: read
       pages: write

diff --git a/exasol/toolbox/templates/github/workflows/merge-gate.yml b/exasol/toolbox/templates/github/workflows/merge-gate.yml
@@ -2,6 +2,12 @@ name: Merge-Gate
 
 on:
   workflow_call:
+    inputs:
+      root-event:
+        description: GitHub event triggering the root workflow ci.yml
+        required: false
+        type: string
+        default: unknown
 
 jobs:
   run-fast-checks:
@@ -15,12 +21,15 @@ jobs:
     needs:
       - run-fast-checks
     uses: ./.github/workflows/report.yml
+    with:
+      upload-metrics: false
     secrets: inherit
     permissions:
       contents: read
 
   approve-run-slow-tests:
     name: Approve Running Slow Tests?
+    if: ${{ inputs.root-event != 'schedule' }}
     runs-on: "(( os_version ))"
     permissions:
       contents: read
@@ -35,7 +44,7 @@ jobs:
   run-slow-checks:
     name: Slow Checks
     needs:
-     - approve-run-slow-tests
+      - approve-run-slow-tests
     uses: ./.github/workflows/slow-checks.yml
     secrets: inherit
     permissions:
@@ -49,8 +58,8 @@ jobs:
       contents: read
     # If you need additional jobs to be part of the merge gate, add them below
     needs:
-     - run-fast-checks
-     - run-slow-checks
+      - run-fast-checks
+      - run-slow-checks
     # Each job requires a step, so we added this dummy step.
     steps:
       - name: Approve

diff --git a/exasol/toolbox/templates/github/workflows/pr-merge.yml b/exasol/toolbox/templates/github/workflows/pr-merge.yml
@@ -25,8 +25,10 @@ jobs:
 
   report:
     needs:
-     - run-fast-checks
+      - run-fast-checks
     uses: ./.github/workflows/report.yml
+    with:
+      upload-metrics: true
     secrets: inherit
     permissions:
       contents: read
diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml
@@ -2,6 +2,11 @@ name: Status Report
 
 on:
   workflow_call:
+    inputs:
+      upload-metrics:
+          description: Whether to upload file metrics.json as artifact
+          type: boolean
+          default: false
 
 jobs:
 

diff --git a/exasol/toolbox/util/dependencies/audit.py b/exasol/toolbox/util/dependencies/audit.py
@@ -177,7 +177,11 @@ def audit_poetry_files(working_directory: Path) -> str:
         tmpdir = Path(path)
         (tmpdir / requirements_txt).write_text(output.stdout)
 
-        command = ["pip-audit", "-r", requirements_txt, "-f", "json"]
+        # CLI option `--disable-pip` skips dependency resolution in pip.  The
+        # option can be used with hashed requirements files (which is the case
+        # here) to avoid `pip-audit` installing an isolated environment and
+        # speed up the audit significantly.
+        command = ["pip-audit", "--disable-pip", "-r", requirements_txt, "-f", "json"]
         output = subprocess.run(
             command,
             capture_output=True,
@@ -239,6 +243,6 @@ def get_vulnerabilities(working_directory: Path) -> list[Vulnerability]:
     ).vulnerabilities
 
 
-def get_vulnerabilities_from_latest_tag(root_path: Path):
+def get_vulnerabilities_from_latest_tag(root_path: Path) -> list[Vulnerability]:
     with poetry_files_from_latest_tag(root_path=root_path) as tmp_dir:
         return get_vulnerabilities(working_directory=tmp_dir)