From c2c660e7aaf59f1d0a808765c0d72ff069bc4fb8 Mon Sep 17 00:00:00 2001 From: Thomas Kpenou Date: Wed, 24 Jun 2026 15:16:09 -0400 Subject: [PATCH] ci: add informational dependency security scan MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a "Security scan" job that audits dependencies on every push/PR: - pip-audit against requirements.txt (Python) - npm audit for the frontend, reporting production deps separately from dev/build tooling The job is informational only — every step uses continue-on-error, so it never fails CI (matching the project's Codecov philosophy). Findings appear in the job logs to keep known vulnerabilities visible. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/ci.yml | 38 ++++++++++++++++++++++++++++++++++++++ README.md | 7 +++++++ 2 files changed, 45 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 04e9069c..169e7860 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -45,6 +45,44 @@ jobs: flags: python name: python-coverage + security-scan: + name: Security scan + runs-on: ubuntu-latest + # Informational only — like Codecov, this never fails CI. It surfaces known + # dependency vulnerabilities (Python + frontend) in the job logs. + steps: + - uses: actions/checkout@v6 + + - name: Set up Python + uses: actions/setup-python@v6 + with: + python-version: "3.13" + cache: pip + + - name: Set up Node.js + uses: actions/setup-node@v6 + with: + node-version: "22" + cache: npm + cache-dependency-path: web-src/package-lock.json + + - name: Audit Python dependencies (pip-audit) + continue-on-error: true + run: | + pip install pip-audit + pip-audit --requirement requirements.txt --desc + + - name: Audit frontend dependencies (npm audit) + continue-on-error: true + working-directory: web-src + run: | + echo "::group::Production dependencies" + npm audit --omit=dev || true + echo "::endgroup::" + echo "::group::All dependencies (incl. dev/build tooling)" + npm audit || true + echo "::endgroup::" + frontend-tests: name: Frontend (Node 22) runs-on: ubuntu-latest diff --git a/README.md b/README.md index e79e2f09..48790d16 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,13 @@ ## What's new in this fork +### 2026-06-24 — Dependency security scan in CI + +A `Security scan` job audits dependencies on every push/PR: `pip-audit` for the +Python requirements and `npm audit` for the frontend (production deps reported +separately from dev/build tooling). It is **informational** — like Codecov, it +never fails CI; findings are surfaced in the job logs. + ### 2026-06-19 — Favorite scripts Scripts can be pinned as favorites for quick access. A star button on each script