feat(py): add pysentry-rs security scanning to hooks and CI

[yesudeep]

Integrates pysentry-rs for automated security auditing of Python
dependencies. This setup ensures that known vulnerabilities are
detected during local development (via git hooks) and in CI.

• Add pysentry-rs to the lint dependency group in pyproject.toml
• Create py/bin/run_python_security_checks wrapper script
• Add py/.pysentry.toml with configuration and audit rules
• Integrate security checks into captainhook.json (pre-commit/pre-push)
• Insert security scan step into .github/workflows/python.yml
• Suppress known nbconvert and protobuf vulnerabilities awaiting fix

ISSUE: none

CHANGELOG:

• Add pysentry-rs for automated Python dependency security auditing
• Integrate Python security scanning into pre-commit/pre-push hooks and CI

[gemini-code-assist]

Summary of Changes

Hello @yesudeep, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the project's security posture by introducing pysentry-rs for automated Python dependency vulnerability scanning. The integration ensures that security checks are performed both during local development through git hooks and as part of the continuous integration process, providing early detection of known vulnerabilities and improving overall code quality and reliability.

Highlights

• Automated Security Auditing: Integrated pysentry-rs for automated security auditing of Python dependencies, enhancing the project's security posture.
• Local Development Integration: Security checks are now performed during local development via pre-commit and pre-push git hooks, ensuring early vulnerability detection.
• CI Pipeline Integration: The main linting script, which is likely part of the CI pipeline, has been updated to include the new security checks.
• Pysentry-rs Configuration: A new configuration file (py/.pysentry.toml) has been added to define pysentry-rs settings, including severity thresholds and specific known vulnerabilities to ignore (e.g., for nbconvert and protobuf).
• Dependency Management Updates: Pysentry-rs has been added to the 'lint' dependency group in pyproject.toml, and the uv.lock file has been updated to reflect this new dependency.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/python.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request is a great addition, integrating pysentry-rs for automated security scanning of Python dependencies into local development hooks and the CI pipeline. The implementation is solid, with a new configuration file for pysentry-rs and integration into the existing linting and testing workflow. I have a couple of suggestions for the new wrapper script to improve its robustness and consistency with other scripts in the repository.