[NX-202 Issue] Add pip-audit CI enforcement for Python dependency security
All checks were successful
Container CVE Scan (development) / Scan backend/frontend images for CVEs (push) Successful in 2m41s
PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
Python Dependency Security / pip-audit (block high/critical) (push) Successful in 50s
All checks were successful
Container CVE Scan (development) / Scan backend/frontend images for CVEs (push) Successful in 2m41s
PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
Python Dependency Security / pip-audit (block high/critical) (push) Successful in 50s
This commit integrates pip-audit to enforce vulnerability checks in CI. Dependencies with unresolved HIGH/CRITICAL vulnerabilities will block builds unless explicitly allowlisted. The process is documented, with a strict policy to ensure exceptions are trackable and time-limited.
This commit is contained in:
14
.github/workflows/docker-release.yml
vendored
14
.github/workflows/docker-release.yml
vendored
@@ -27,6 +27,20 @@ jobs:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v5
|
||||
with:
|
||||
python-version: "3.13"
|
||||
|
||||
- name: Dependency security gate (pip-audit)
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install pip-audit
|
||||
pip-audit -r backend/requirements.txt --format json --aliases --output pip-audit-backend.json || true
|
||||
python backend/scripts/pip_audit_gate.py \
|
||||
--report pip-audit-backend.json \
|
||||
--allowlist ops/security/pip-audit-allowlist.json
|
||||
|
||||
- name: Resolve version/tag
|
||||
id: ver
|
||||
shell: bash
|
||||
|
||||
53
.github/workflows/python-dependency-security.yml
vendored
Normal file
53
.github/workflows/python-dependency-security.yml
vendored
Normal file
@@ -0,0 +1,53 @@
|
||||
name: Python Dependency Security
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: ["main", "master", "development"]
|
||||
paths:
|
||||
- "backend/**"
|
||||
- ".github/workflows/python-dependency-security.yml"
|
||||
- "ops/security/pip-audit-allowlist.json"
|
||||
- "docs/security/dependency-exceptions.md"
|
||||
pull_request:
|
||||
paths:
|
||||
- "backend/**"
|
||||
- ".github/workflows/python-dependency-security.yml"
|
||||
- "ops/security/pip-audit-allowlist.json"
|
||||
- "docs/security/dependency-exceptions.md"
|
||||
workflow_dispatch:
|
||||
|
||||
jobs:
|
||||
pip-audit:
|
||||
name: pip-audit (block high/critical)
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 1
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v5
|
||||
with:
|
||||
python-version: "3.13"
|
||||
|
||||
- name: Install pip-audit
|
||||
run: |
|
||||
python -m pip install --upgrade pip
|
||||
pip install pip-audit
|
||||
|
||||
- name: Run pip-audit (JSON report)
|
||||
run: |
|
||||
pip-audit -r backend/requirements.txt --format json --aliases --output pip-audit-backend.json || true
|
||||
|
||||
- name: Enforce vulnerability policy
|
||||
run: |
|
||||
python backend/scripts/pip_audit_gate.py \
|
||||
--report pip-audit-backend.json \
|
||||
--allowlist ops/security/pip-audit-allowlist.json
|
||||
|
||||
- name: Upload pip-audit report
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: pip-audit-security-report
|
||||
path: pip-audit-backend.json
|
||||
Reference in New Issue
Block a user