GitHub Security Overhaul: OSV-Scanner Replaces Dependabot, Clears 70+ Transitive Vulnerabilities
A major security infrastructure shift is underway in a GitHub repository, replacing placeholder workflows with a hardened, automated vulnerability scanning pipeline. The core change replaces the existing security-dependency-review workflow with a Docker-based OSV-Scanner audit, powered by the `py-lintro` image. This move resolves all open Dependabot alerts and over 70 transitive dependency vulnerabilities in a single sweep, marking a shift from reactive patching to proactive, systematic auditing.
The implementation centers on a new `security-audit.sh` script that executes `lintro check --tools osv_scanner`. The output is processed by a custom Python script (`format-security-comment.py`) to generate detailed markdown comments for pull requests, embedding security findings directly into the development workflow. Beyond scanning, the update introduces a new weekly workflow (`vuln-suppression-check.yml`) designed to automatically identify and clean up stale vulnerability suppressions, preventing security exceptions from persisting unnoticed.
This change aligns the repository's security posture with the broader `py-lintro` project ahead of the planned `lgtmi-ci` consolidation. The addition of suppression classification logic (`classify-suppressions.py`) and a dedicated suppression probe script (`check-vuln-suppressions.sh`) creates a closed-loop system for vulnerability management: findings are reported, exceptions are recorded with a reason and an expiry, and the weekly check flags exceptions that have expired or no longer match anything the scanner reports. The shift represents a move towards enforceable security gates and automated hygiene, reducing manual toil and closing gaps that passive alerting systems can miss.
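As an added example (not code from the repository, `py-lintro` or OSV-Scanner), here is a Python sketch of the two pieces described above: flattening OSV-Scanner JSON into a markdown pull-request comment, and classifying suppressions as active, expired or stale so the weekly check has something to act on. The field names are assumed to follow OSV-Scanner's `--format json` output and the `[[IgnoredVulns]]` entries of `osv-scanner.toml`; the findings and suppressions are constructed sample data.

```python
import json
from datetime import date

# Constructed sample of OSV-Scanner JSON output (field names assumed to follow
# `osv-scanner --format json`): one lockfile, two packages, three findings.
OSV_JSON = json.dumps({"results": [{"source": {"path": "uv.lock", "type": "lockfile"}, "packages": [
    {"package": {"name": "requests", "version": "2.25.0", "ecosystem": "PyPI"},
     "vulnerabilities": [{"id": "GHSA-aaaa-0001", "summary": "Finding A", "aliases": ["CVE-0000-0001"]}]},
    {"package": {"name": "urllib3", "version": "1.26.0", "ecosystem": "PyPI"},
     "vulnerabilities": [{"id": "GHSA-aaaa-0002", "summary": "Finding B", "aliases": []},
                         {"id": "GHSA-aaaa-0003", "summary": "Finding C", "aliases": []}]}]}]})

# Constructed suppressions, shaped like [[IgnoredVulns]] entries in osv-scanner.toml.
SUPPRESSIONS = [
    {"id": "GHSA-aaaa-0002", "ignoreUntil": "2099-01-01", "reason": "not reachable"},
    {"id": "GHSA-aaaa-0003", "ignoreUntil": "2020-01-01", "reason": "fix pending"},
    {"id": "GHSA-aaaa-9999", "ignoreUntil": "2099-01-01", "reason": "dependency removed"},
]

def findings(osv_json: str) -> list[dict]:
    """Flatten scanner output into one row per (package, vulnerability) pair."""
    rows = []
    for result in json.loads(osv_json).get("results", []):
        for pkg in result.get("packages", []):
            p = pkg["package"]
            for v in pkg.get("vulnerabilities", []):
                rows.append({"path": result["source"]["path"], "id": v["id"],
                             "pkg": f'{p["name"]}@{p["version"]}', "summary": v.get("summary", "")})
    return rows

def classify_suppressions(rows: list[dict], suppressions: list[dict], today: str) -> dict:
    """expired: ignoreUntil has passed; stale: scanner no longer reports the id; else active."""
    reported, now = {r["id"] for r in rows}, date.fromisoformat(today)
    return {s["id"]: "expired" if date.fromisoformat(s["ignoreUntil"]) < now
            else "active" if s["id"] in reported else "stale" for s in suppressions}

def format_comment(rows: list[dict], status: dict) -> str:
    """Markdown PR comment: open findings first, then suppressions needing cleanup."""
    open_rows = [r for r in rows if status.get(r["id"]) != "active"]  # expired ones count as open
    lines = [f"## OSV-Scanner: {len(open_rows)} open, {len(rows) - len(open_rows)} suppressed", "",
             "| ID | Package | File | Summary |", "|---|---|---|---|"]
    lines += [f"| {r['id']} | {r['pkg']} | {r['path']} | {r['summary']} |" for r in open_rows]
    cleanup = [f"- `{vid}`: {why}" for vid, why in sorted(status.items()) if why != "active"]
    if cleanup:
        lines += ["", "### Suppressions to clean up"] + cleanup
    return "\n".join(lines)
```

Calling `format_comment(rows, classify_suppressions(rows, SUPPRESSIONS, "2025-01-01"))` on the sample data lists two open findings and flags one expired and one stale suppression; an expired suppression is deliberately treated as open so an outdated exception cannot hide a finding.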