bundler-audit | Patch-level verification for Bundler | Security library

SQLite does not work with Heroku as its disk based and Heroku uses an ephemeral file system.

SQLite runs in memory, and backs up its data store in files on disk. While this strategy works well for development, Heroku’s Cedar stack has an ephemeral filesystem. You can write to it, and you can read from it, but the contents will be cleared periodically. If you were to use SQLite on Heroku, you would lose your entire database at least once every 24 hours.

Even if Heroku’s disks were persistent running SQLite would still not be a good fit. Since SQLite does not run as a service, each dyno would run a separate running copy. Each of these copies need their own disk backed store. This would mean that each dyno powering your app would have a different set of data since the disks are not synchronized.

-Heroku Devcenter: SQLite on Heroku

Heroku provides Postgres as the free default database for rails which is as close to a recommendation as you can get.

If you are deploying to Postgres you should also be developing/testing on Postgres.

Differences between backing services mean that tiny incompatibilities crop up, causing code that worked and passed tests in development or staging to fail in production. These types of errors create friction that disincentivizes continuous deployment. The cost of this friction and the subsequent dampening of continuous deployment is extremely high when considered in aggregate over the lifetime of an application.
- https://12factor.net/dev-prod-parity

If you really want to stick with SQLite you need to configure the adapters properly:

Delete your Gemfile.lock and run bundle install again

After writing out this question, I searched around some more and found Safety, which was exactly what I was looking for.

In case anyone else is setting up CircleCI for a Django project and wants to check their packages for vulnerabilities, here is the configuration I used in my .circleci/config.yml: