diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 04e9069c..169e7860 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,6 +45,44 @@ jobs: flags: python name: python-coverage + security-scan: + name: Security scan + runs-on: ubuntu-latest + # Informational only — like Codecov, this never fails CI. It surfaces known + # dependency vulnerabilities (Python + frontend) in the job logs. + steps: + - uses: actions/checkout@v6 + + - name: Set up Python + uses: actions/setup-python@v6 + with: + python-version: "3.13" + cache: pip + + - name: Set up Node.js + uses: actions/setup-node@v6 + with: + node-version: "22" + cache: npm + cache-dependency-path: web-src/package-lock.json + + - name: Audit Python dependencies (pip-audit) + continue-on-error: true + run: | + pip install pip-audit + pip-audit --requirement requirements.txt --desc + + - name: Audit frontend dependencies (npm audit) + continue-on-error: true + working-directory: web-src + run: | + echo "::group::Production dependencies" + npm audit --omit=dev || true + echo "::endgroup::" + echo "::group::All dependencies (incl. dev/build tooling)" + npm audit || true + echo "::endgroup::" + frontend-tests: name: Frontend (Node 22) runs-on: ubuntu-latest diff --git a/README.md b/README.md index e79e2f09..48790d16 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,13 @@ ## What's new in this fork +### 2026-06-24 — Dependency security scan in CI + +A `Security scan` job audits dependencies on every push/PR: `pip-audit` for the +Python requirements and `npm audit` for the frontend (production deps reported +separately from dev/build tooling). It is **informational** — like Codecov, it +never fails CI; findings are surfaced in the job logs. + ### 2026-06-19 — Favorite scripts Scripts can be pinned as favorites for quick access. A star button on each script