add safety dependency checking

requirements/requirements-dev.in

@@ -17,6 +17,7 @@ flake8-fixme
 flake8-isort
 flake8-logging-format
 flake8-mutable
+safety
 
 # maintenance utilities and tox
 pip-tools                   # pip-compile

requirements/requirements-dev.txt

@@ -19,7 +19,9 @@ certifi==2022.12.7
 charset-normalizer==3.0.1
     # via requests
 click==8.1.3
-    # via pip-tools
+    # via
+    #   pip-tools
+    #   safety
 coverage[toml]==7.1.0
     # via pytest-cov
 distlib==0.3.6
@@ -40,6 +42,8 @@ djangorestframework==3.14.0
     # via -r requirements/requirements.in
 dlint==0.14.0
     # via -r requirements/requirements-dev.in
+dparse==0.6.2
+    # via safety
 exceptiongroup==1.1.0
     # via pytest
 filelock==3.9.0
@@ -122,7 +126,9 @@ more-itertools==9.0.0
 packaging==21.3
     # via
     #   build
+    #   dparse
     #   pytest
+    #   safety
     #   tox
 parsedatetime==2.6
     # via -r requirements/requirements.in
@@ -180,8 +186,15 @@ requests==2.28.2
     # via
     #   python-gitlab
     #   requests-toolbelt
+    #   safety
 requests-toolbelt==0.10.1
     # via python-gitlab
+ruamel-yaml==0.17.21
+    # via safety
+ruamel-yaml-clib==0.2.7
+    # via ruamel-yaml
+safety==2.3.5
+    # via -r requirements/requirements-dev.in
 six==1.16.0
     # via
     #   irc
@@ -199,6 +212,8 @@ tempora==5.2.1
     # via
     #   irc
     #   jaraco-logging
+toml==0.10.2
+    # via dparse
 tomli==2.0.1
     # via
     #   build

tox.ini

@@ -107,6 +107,7 @@ commands =
 # run security checks
 #
 # again it seems the most valuable here to run against the packaged code
+# might not need to ignore 51457 after a tox bump
 commands =
     bandit \
          {envsitepackagesdir}/acro/ \
@@ -127,6 +128,7 @@ commands =
          {envsitepackagesdir}/transform/ \
          {envsitepackagesdir}/weather/ \
          -r
+    safety check -r requirements/requirements-dev.txt -i 51457
 
 [testenv:lint]
 # run style checks