nessi/NexaPG
1
0
Fork 0
Code Issues 16 Pull Requests Actions Packages Projects Releases 14 Activity
Files
3932aa56f7fc03c43119f7ef463467baa6d72aa7
NexaPG/docs/security/dependency-exceptions.md
nessi 3932aa56f7
All checks were successful
Container CVE Scan (development) / Scan backend/frontend images for CVEs (push) Successful in 2m41s
Details
PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
Details
PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
Details
PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
Details
PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
Details
PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
Details
Python Dependency Security / pip-audit (block high/critical) (push) Successful in 50s
Details
[NX-202 Issue] Add pip-audit CI enforcement for Python dependency security 
This commit integrates pip-audit to enforce vulnerability checks in CI. Dependencies with unresolved HIGH/CRITICAL vulnerabilities will block builds unless explicitly allowlisted. The process is documented, with a strict policy to ensure exceptions are trackable and time-limited.
2026-02-15 10:44:33 +01:00

54 lines
1.4 KiB
Markdown
Raw Blame History

# Dependency Security Exception Flow (pip-audit)
This document defines the auditable exception process for Python dependency vulnerabilities.
## Policy
- CI blocks unresolved `HIGH` and `CRITICAL` dependency vulnerabilities.
- If a vulnerability does not provide severity metadata, it is treated as `HIGH` by policy.
- Temporary exceptions are allowed only through `ops/security/pip-audit-allowlist.json`.
## Allowlist Location
- File: `ops/security/pip-audit-allowlist.json`
- Format:
```json
{
"entries": [
{
"id": "CVE-2026-12345",
"package": "example-package",
"reason": "Upstream fix not released yet",
"approved_by": "security-owner",
"issue": "NX-202",
"expires_on": "2026-12-31"
}
]
}
```
## Required Fields
- `id`: Vulnerability ID (`CVE-*`, `GHSA-*`, or advisory ID)
- `reason`: Why exception is necessary
- `approved_by`: Approver identity
- `issue`: Tracking issue/ticket
- `expires_on`: Expiry date in `YYYY-MM-DD`
Optional:
- `package`: Restrict exception to one dependency package
## Rules
- Expired allowlist entries fail CI.
- Missing required fields fail CI.
- Exceptions must be time-limited and linked to a tracking issue.
- Removing an exception is required once an upstream fix is available.
## Auditability
- Every exception change is tracked in Git history and code review.
- CI logs include blocked vulnerabilities and allowlisted findings counts.
Reference in New Issue View Git Blame Copy Permalink