GitHub CodeQL performs semantic analysis of Python code to find security issues. Separately, GitHub matches the repository's dependency graph against CVE-backed entries in the GitHub Advisory Database; that check is the Dependabot alerts feature rather than CodeQL itself. The CodeQL workflow can also install the project's Python dependencies before extraction so that third-party imports resolve to real package code, which improves analysis fidelity (newer CodeQL releases no longer install Python dependencies by default, so check the documentation for the CodeQL version in use).
This approach finally addresses the concerns we had with the previous implementation, which only ran CVE scans against the dependency graph. The earlier method of extracting dependencies did not work with modern Python packaging, so the graph was incomplete and vulnerable packages could go unreported. The CodeQL-based method is considerably more robust and useful.
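To make the dependency-graph check concrete, here is an added example that is not GitHub's, Dependabot's or CodeQL's code. It models the advisory-vs-dependency-graph match described above and shows the failure mode of a requirements.txt-only extractor: dependencies declared in a PEP 621 `pyproject.toml` are never seen, so their advisories are never matched. The package names, versions, manifests and advisory identifiers are all constructed and fictional; the advisory format (name to list of `(id, first fixed version)`) and the release-segment-only version ordering are assumptions made for the illustration.

```python
"""Dependency-graph vs. advisory-list check (added illustration, not GitHub's code).

Shows why a requirements.txt-only dependency extractor misses packages declared
in a PEP 621 pyproject.toml. All names, versions and advisory IDs are fictional.
"""
import re
from typing import Dict, List, Optional, Tuple

try:
    import tomllib  # stdlib on Python 3.11+
except ImportError:  # older interpreters use the regex fallback in parse_pyproject
    tomllib = None

# Constructed legacy-style manifest (fictional packages).
REQUIREMENTS_TXT = """\
widget_lib==1.4.0
FastCache == 0.9   # spaces and capitalisation are legal in a requirements file
netio>=2.0         # unpinned: no single version to match against advisories
"""

# Constructed PEP 621 manifest; a requirements.txt-only extractor never sees these.
PYPROJECT_TOML = """\
[project]
name = "demo"
version = "0.1.0"
dependencies = [
  "OldCrypto==3.3",
  "netio==2.1",
]
"""

# Constructed advisory list (assumed format): normalized name -> [(id, first fixed version)].
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "widget-lib": [("ADV-0001", "1.4.2")],
    "fastcache": [("ADV-0002", "0.9")],  # fixed in 0.9, so a 0.9 pin is clean
    "oldcrypto": [("ADV-0003", "3.4")],
}

# name, optional extras, optional '==' pin, optional version (markers after ';' ignored)
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==)?\s*([0-9][^\s;,]*)?")


def normalize(name: str) -> str:
    """PEP 503 normalization: 'Widget_Lib' and 'widget-lib' name the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> Tuple[int, ...]:
    """Release-segment-only ordering (assumption: no pre/post/dev suffixes in inputs)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_requirement(line: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (normalized name, pinned version or None) for one requirement spec."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = REQ_RE.match(line)
    if not m:
        return None
    name, op, version = m.groups()
    return normalize(name), (version if op == "==" else None)


def parse_requirements_txt(text: str) -> Dict[str, Optional[str]]:
    deps: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        parsed = parse_requirement(line)
        if parsed:
            deps[parsed[0]] = parsed[1]
    return deps


def parse_pyproject(text: str) -> Dict[str, Optional[str]]:
    """Read [project].dependencies via tomllib, or a regex fallback on older Pythons."""
    if tomllib is not None:
        specs = tomllib.loads(text).get("project", {}).get("dependencies", [])
    else:
        block = re.search(r"^dependencies\s*=\s*\[(.*?)\]", text, re.S | re.M)
        specs = re.findall(r'"([^"]+)"', block.group(1)) if block else []
    deps: Dict[str, Optional[str]] = {}
    for spec in specs:
        parsed = parse_requirement(spec)
        if parsed:
            deps[parsed[0]] = parsed[1]
    return deps


def find_vulnerable(deps: Dict[str, Optional[str]]) -> List[Tuple[str, str, str, str]]:
    """Match pinned versions against ADVISORIES; returns (name, version, id, fixed_in)."""
    hits = []
    for name, version in deps.items():
        if version is None:
            continue  # unpinned: a real scanner would resolve the lock file first
        for adv_id, fixed_in in ADVISORIES.get(name, []):
            if version_key(version) < version_key(fixed_in):
                hits.append((name, version, adv_id, fixed_in))
    return hits


def scan(requirements_txt: str, pyproject_toml: Optional[str] = None):
    """Legacy mode (pyproject_toml=None) reads requirements.txt only and misses PEP 621 deps."""
    deps = parse_requirements_txt(requirements_txt)
    if pyproject_toml:
        deps.update(parse_pyproject(pyproject_toml))
    return find_vulnerable(deps)


if __name__ == "__main__":
    print("requirements.txt only:", scan(REQUIREMENTS_TXT))
    print("with pyproject.toml:  ", scan(REQUIREMENTS_TXT, PYPROJECT_TOML))
```

Running the legacy mode reports only the `widget-lib` pin; adding the `pyproject.toml` input also surfaces the outdated `oldcrypto` pin that the requirements-only extractor never saw. Name normalization matters as well: without it, `Widget_Lib` in a manifest would never match the `widget-lib` advisory entry.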