Skip to content

ci: informational dependency security scan#26

Merged
knep merged 1 commit into
masterfrom
ci/security-scan
Jun 24, 2026
Merged

ci: informational dependency security scan#26
knep merged 1 commit into
masterfrom
ci/security-scan

Conversation

@knep

@knep knep commented Jun 24, 2026

Copy link
Copy Markdown
Owner

Summary

Adds a Security scan job to CI that audits dependencies on every push/PR, surfacing known vulnerabilities for a tool that runs arbitrary scripts with auth.

  • pip-audit against requirements.txt (Python deps).
  • npm audit for the frontend — production deps reported separately from dev/build tooling.

Failure policy

Informational only. Every step uses continue-on-error, so the job never fails CI — matching the project's Codecov philosophy (codecov.yml is informational). Findings appear in the job logs/annotations to keep known vulnerabilities visible without blocking PRs.

Current findings (at time of writing)

  • Python: no known vulnerabilities.
  • Frontend prod: dompurify moderate (a Dependabot bump to 3.4.11 is already merged — should clear on the run).
  • Frontend dev/build: undici high (transitive via test tooling, not shipped to production).

Notes for reviewer

  • Job runs in parallel with the existing test jobs (no needs), so it doesn't slow the critical path.
  • Verified pip-audit --requirement requirements.txt resolves the ~= version ranges locally ("No known vulnerabilities found").

🤖 Generated with Claude Code

Add a "Security scan" job that audits dependencies on every push/PR:
- pip-audit against requirements.txt (Python)
- npm audit for the frontend, reporting production deps separately from
  dev/build tooling

The job is informational only — every step uses continue-on-error, so it never
fails CI (matching the project's Codecov philosophy). Findings appear in the
job logs to keep known vulnerabilities visible.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@knep knep merged commit 5cc970c into master Jun 24, 2026
15 of 16 checks passed
@knep knep deleted the ci/security-scan branch June 24, 2026 19:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants