[NX-202] Enforce Python dependency security gate (pip audit) #12

Closed
opened 2026-02-13 13:17:10 +00:00 by nessi · 1 comment

Goal

Prevent shipping known vulnerable Python dependencies.

Scope

  • Add dependency scan (pip audit) in CI.
  • Fail on high/critical unresolved issues.

Acceptance Criteria

  • CI blocks vulnerable dependency updates.
  • Security exception flow is documented.
nessi added this to the v1.0 - Stability, Reliability & Security (P0) milestone 2026-02-13 13:17:10 +00:00
nessi added the P0 label 2026-02-13 13:17:10 +00:00

NX-202 Completed

Implemented Python dependency vulnerability enforcement in CI with a documented, auditable exception flow.

Delivered Scope

  • Added dedicated CI workflow for dependency scanning:
    • .github/workflows/python-dependency-security.yml
    • Runs pip-audit on backend dependencies.
  • Added policy gate script:
    • backend/scripts/pip_audit_gate.py
    • Blocks unresolved HIGH / CRITICAL findings.
    • Treats missing severity metadata conservatively as HIGH.
  • Added explicit allowlist mechanism:
    • ops/security/pip-audit-allowlist.json
    • Supports temporary exceptions with required metadata and expiry.
  • Added documentation for exception handling:
    • docs/security/dependency-exceptions.md
  • Added release-time dependency gate:
    • docker-release.yml now runs pip-audit + policy gate before image build/push.

Acceptance Criteria Mapping

  • CI blocks vulnerable dependency updates
    Met: unresolved high/critical findings fail the dependency security workflow and release pipeline.

  • Security exception flow is documented
    Met: exception process, required fields, expiry rules, and auditability are documented in docs/security/dependency-exceptions.md.

Notes

  • No database migration required.
  • This closes NX-202 from an implementation perspective.
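The closing comment describes the three policy decisions the gate has to make: block on unresolved HIGH/CRITICAL, treat a finding with no severity metadata as HIGH, and honour only allowlist exceptions that carry the required fields and have not expired. The script below is an added example of that logic, not NexaPG's `backend/scripts/pip_audit_gate.py`. It assumes input in the shape of `pip-audit --format json` (a `dependencies` list whose entries carry `vulns` with `id`, `aliases` and `fix_versions`), optionally enriched with a per-vulnerability `severity` string; pip-audit's own JSON output carries no severity field, which is exactly why the conservative default matters. The allowlist schema (`exceptions` entries with `id`, `package`, `reason`, `owner`, `expires`), the sample advisories and the fixed evaluation date are all constructed for the example.

```python
"""Policy gate over pip-audit JSON output with an expiring exception allowlist.

Added example, not NexaPG's backend/scripts/pip_audit_gate.py. Assumes the
audit input has the shape of `pip-audit --format json`, optionally enriched
with a per-vulnerability "severity" string (pip-audit itself emits none, so a
missing value is treated as HIGH). The allowlist schema is hypothetical.
"""
from __future__ import annotations

import json
import sys
from datetime import date

BLOCKING = {"HIGH", "CRITICAL"}
KNOWN = {"LOW", "MEDIUM", "HIGH", "CRITICAL"}
REQUIRED_EXCEPTION_FIELDS = ("id", "package", "reason", "owner", "expires")
# Constructed fixed date so the sample is deterministic; CI would use date.today().
TODAY = date(2026, 2, 15)


def normalize_severity(raw: object) -> str:
    """Map an advisory severity onto KNOWN; missing or unknown values become HIGH."""
    if not raw:
        return "HIGH"
    sev = str(raw).upper()
    if sev == "MODERATE":  # GitHub advisory wording for MEDIUM
        sev = "MEDIUM"
    return sev if sev in KNOWN else "HIGH"


def load_allowlist(entries: list[dict], today: date) -> dict[tuple[str, str], dict]:
    """Index unexpired exceptions by (vuln id, package), both case-folded.

    A malformed entry raises instead of being skipped, so a typo in the
    allowlist can neither silently waive a finding nor silently fail to.
    """
    active: dict[tuple[str, str], dict] = {}
    for entry in entries:
        missing = [f for f in REQUIRED_EXCEPTION_FIELDS if not entry.get(f)]
        if missing:
            raise ValueError(f"allowlist entry {entry.get('id')!r} is missing {missing}")
        if date.fromisoformat(entry["expires"]) < today:
            continue  # expired exception: the finding blocks again
        active[(entry["id"].upper(), entry["package"].lower())] = entry
    return active


def evaluate(audit: dict, allowlist: dict, today: date) -> tuple[list[dict], list[dict]]:
    """Return (blocking, waived) HIGH/CRITICAL findings; lower severities are ignored."""
    active = load_allowlist(allowlist.get("exceptions", []), today)
    blocking: list[dict] = []
    waived: list[dict] = []
    for dep in audit.get("dependencies", []):
        pkg = dep["name"].lower()
        for vuln in dep.get("vulns", []):
            severity = normalize_severity(vuln.get("severity"))
            if severity not in BLOCKING:
                continue
            # An exception may be filed under the primary id or any alias (e.g. the CVE).
            ids = [vuln["id"].upper(), *(a.upper() for a in vuln.get("aliases", []))]
            finding = {"package": pkg, "version": dep.get("version"), "id": vuln["id"],
                       "severity": severity, "fix_versions": vuln.get("fix_versions", [])}
            waiver = next((active[(i, pkg)] for i in ids if (i, pkg) in active), None)
            if waiver is None:
                blocking.append(finding)
            else:
                waived.append({**finding, "exception": waiver})
    return blocking, waived


def gate(audit: dict, allowlist: dict, today: date) -> int:
    """Print a report and return the process exit code (1 blocks the pipeline)."""
    blocking, waived = evaluate(audit, allowlist, today)
    for f in waived:
        e = f["exception"]
        print(f"WAIVED {f['id']} {f['package']}=={f['version']} ({f['severity']}) "
              f"owner={e['owner']} expires={e['expires']}: {e['reason']}")
    for f in blocking:
        fix = ", ".join(f["fix_versions"]) or "no fix published"
        print(f"BLOCK  {f['id']} {f['package']}=={f['version']} ({f['severity']}) fix: {fix}")
    return 1 if blocking else 0


# Constructed sample data: ids and package names are placeholders, not real advisories.
SAMPLE_AUDIT = {"dependencies": [
    {"name": "examplepkg", "version": "1.0.0", "vulns": [
        {"id": "EXAMPLE-0001", "aliases": ["CVE-0000-0001"], "fix_versions": ["1.0.1"],
         "severity": "critical"}]},
    {"name": "otherpkg", "version": "2.3.0", "vulns": [
        {"id": "EXAMPLE-0002", "aliases": [], "fix_versions": []}]},  # no severity -> HIGH
    {"name": "thirdpkg", "version": "0.9", "vulns": [
        {"id": "EXAMPLE-0003", "aliases": [], "fix_versions": ["1.0"], "severity": "low"}]},
    {"name": "fourthpkg", "version": "1.0", "vulns": [
        {"id": "EXAMPLE-0004", "aliases": [], "fix_versions": [], "severity": "high"}]},
]}
SAMPLE_ALLOWLIST = {"exceptions": [
    {"id": "EXAMPLE-0002", "package": "otherpkg", "owner": "backend-team",
     "reason": "vulnerable code path not reachable from our usage", "expires": "2026-03-31"},
    {"id": "EXAMPLE-0004", "package": "fourthpkg", "owner": "backend-team",
     "reason": "upgrade blocked on a pending refactor", "expires": "2026-01-31"},  # expired
]}


def run_sample() -> tuple[list[str], list[str]]:
    """Evaluate the constructed sample; returns (blocking ids, waived ids)."""
    blocking, waived = evaluate(SAMPLE_AUDIT, SAMPLE_ALLOWLIST, TODAY)
    return [f["id"] for f in blocking], [f["id"] for f in waived]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # real use: gate.py audit.json allowlist.json
        with open(sys.argv[1]) as a, open(sys.argv[2]) as w:
            sys.exit(gate(json.load(a), json.load(w), date.today()))
    sys.exit(gate(SAMPLE_AUDIT, SAMPLE_ALLOWLIST, TODAY))
```

Run stand-alone it evaluates the constructed sample and exits 1: the CRITICAL finding has no exception, and the HIGH finding on `fourthpkg` blocks again because its exception expired before the evaluation date, while the severity-less finding on `otherpkg` is waived by its unexpired entry. In a workflow the audit file would come from something like `pip-audit -r backend/requirements.txt --format json -o audit.json` (the requirements path is an assumption); note that pip-audit exits non-zero whenever it finds any vulnerability, so the workflow step that produces the JSON must tolerate that status and leave the pass/fail decision to the gate.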
nessi closed this issue 2026-02-15 10:27:55 +00:00
Reference: nessi/NexaPG#12