[NX-202 Issue] Add pip-audit CI enforcement for Python dependency security
All checks were successful
Container CVE Scan (development) / Scan backend/frontend images for CVEs (push) Successful in 2m41s
PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
Python Dependency Security / pip-audit (block high/critical) (push) Successful in 50s
This commit integrates pip-audit to enforce vulnerability checks in CI. Dependencies with unresolved HIGH/CRITICAL vulnerabilities will block builds unless explicitly allowlisted. The process is documented, with a strict policy to ensure exceptions are trackable and time-limited.
13
README.md
@@ -21,6 +21,7 @@ It combines FastAPI, React, and PostgreSQL in a Docker Compose stack with RBAC,
- [`pg_stat_statements` Requirement](#pg_stat_statements-requirement)
- [Reverse Proxy / SSL Guidance](#reverse-proxy--ssl-guidance)
- [PostgreSQL Compatibility Smoke Test](#postgresql-compatibility-smoke-test)
- [Dependency Exception Flow](#dependency-exception-flow)
- [Troubleshooting](#troubleshooting)
- [Security Notes](#security-notes)
@@ -206,7 +207,7 @@ Note: Migrations run automatically when the backend container starts (`entrypoin
| Variable | Description |
|---|---|
| `FRONTEND_PORT` | Host port mapped to frontend container port `80` |
| `FRONTEND_PORT` | Host port mapped to frontend container port `8080` |
## Core Functional Areas
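Review bot: the `FRONTEND_PORT` row change from container port `80` to `8080` is unrelated to the pip-audit enforcement this commit describes and is not mentioned in the commit message; either confirm it matches the port the frontend container actually listens on in the Compose/Dockerfile configuration and say so in the message, or move it to a separate commit so the documentation fix can be reviewed on its own.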
@@ -387,6 +388,16 @@ PG_DSN_CANDIDATES='postgresql://postgres:postgres@postgres:5432/compatdb?sslmode
python backend/scripts/pg_compat_smoke.py
```
## Dependency Exception Flow
Python dependency vulnerabilities are enforced by CI via `pip-audit`.
- CI blocks unresolved `HIGH` and `CRITICAL` findings.
- Missing severity metadata is treated conservatively as `HIGH`.
- Temporary exceptions must be declared in `ops/security/pip-audit-allowlist.json`.
- Full process and required metadata are documented in:
- `docs/security/dependency-exceptions.md`
## Troubleshooting
### Backend container keeps restarting during `make migrate`
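Review bot: the new section states the policy (block `HIGH`/`CRITICAL`, treat missing severity as `HIGH`, declare exceptions in `ops/security/pip-audit-allowlist.json`) but gives the reader no way to verify it; link the CI workflow or script that applies the severity threshold and reads the allowlist, and state in the bullet list that each allowlist entry needs an expiry date and a justification, since the commit message promises that exceptions are trackable and time-limited while the README only defers to `docs/security/dependency-exceptions.md`. Also consider collapsing the two-line "documented in:" bullet into a single item such as `- Full process and required metadata: \`docs/security/dependency-exceptions.md\``.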