NexaPG/docs/security/dependency-exceptions.md
nessi 3932aa56f7
All checks were successful
Container CVE Scan (development) / Scan backend/frontend images for CVEs (push) Successful in 2m41s
PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
Python Dependency Security / pip-audit (block high/critical) (push) Successful in 50s
[NX-202 Issue] Add pip-audit CI enforcement for Python dependency security
This commit integrates pip-audit to enforce vulnerability checks in CI. Dependencies with unresolved HIGH/CRITICAL vulnerabilities will block builds unless explicitly allowlisted. The process is documented, with a strict policy to ensure exceptions are trackable and time-limited.
2026-02-15 10:44:33 +01:00

Dependency Security Exception Flow (pip-audit)

This document defines the auditable exception process for Python dependency vulnerabilities.

Policy

  • CI blocks unresolved HIGH and CRITICAL dependency vulnerabilities.
  • If a vulnerability does not provide severity metadata, it is treated as HIGH by policy.
  • Temporary exceptions are allowed only through ops/security/pip-audit-allowlist.json.

Allowlist Location

  • File: ops/security/pip-audit-allowlist.json
  • Format:
{
  "entries": [
    {
      "id": "CVE-2026-12345",
      "package": "example-package",
      "reason": "Upstream fix not released yet",
      "approved_by": "security-owner",
      "issue": "NX-202",
      "expires_on": "2026-12-31"
    }
  ]
}

Required Fields

  • id: Vulnerability ID (CVE-*, GHSA-*, or another advisory ID)
  • reason: Why the exception is necessary
  • approved_by: Identity of the approver
  • issue: Tracking issue or ticket
  • expires_on: Expiry date in YYYY-MM-DD format

Optional:

  • package: Restrict the exception to a single dependency package (without it, the entry covers the vulnerability ID in any package)

Rules

  • Expired allowlist entries fail CI.
  • Missing required fields fail CI.
  • Exceptions must be time-limited and linked to a tracking issue.
  • Removing an exception is required once an upstream fix is available.

Auditability

  • Every exception change is tracked in Git history and code review.
  • CI logs include the counts of blocked vulnerabilities and of allowlisted findings.
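The allowlist format, the required-field and expiry rules, and the blocked/allowlisted counts above, implemented together as an added example that is not the project's own CI script. The allowlist follows the documented format; the finding records (id, package, optional severity) are a constructed shape for illustration, not pip-audit's own JSON output, and the GHSA id is a placeholder.

```python
# Added example (not the project's CI script): validate the allowlist documented
# above and apply it to scan findings. Finding records are a constructed shape
# (id, package, optional severity), not pip-audit's own JSON output.
import json
from datetime import date
REQUIRED = ("id", "reason", "approved_by", "issue", "expires_on")
BLOCKING = {"HIGH", "CRITICAL"}

# Constructed sample allowlist; the GHSA id is a placeholder, not a real advisory.
ALLOWLIST_JSON = """{"entries": [
  {"id": "CVE-2026-12345", "package": "example-package",
   "reason": "Upstream fix not released yet", "approved_by": "security-owner",
   "issue": "NX-202", "expires_on": "2026-12-31"},
  {"id": "GHSA-xxxx-xxxx-xxxx", "reason": "Vulnerable code path not used",
   "approved_by": "security-owner", "issue": "NX-203", "expires_on": "2026-06-30"}
]}"""

# Constructed findings: the second hits a package-restricted entry with the wrong
# package; the third carries no severity and therefore counts as HIGH by policy.
FINDINGS = [
    {"id": "CVE-2026-12345", "package": "example-package", "severity": "high"},
    {"id": "CVE-2026-12345", "package": "other-package", "severity": "high"},
    {"id": "GHSA-xxxx-xxxx-xxxx", "package": "some-lib", "severity": None},
    {"id": "CVE-2026-99999", "package": "some-lib", "severity": "low"},
]

def load_allowlist(text, today):
    """Parse the allowlist; reject missing required fields and expired entries."""
    entries = json.loads(text)["entries"]
    for e in entries:
        missing = [f for f in REQUIRED if not e.get(f)]
        if missing:
            raise ValueError(f"{e.get('id', '?')}: missing required fields {missing}")
        if date.fromisoformat(e["expires_on"]) < today:
            raise ValueError(f"{e['id']}: exception expired on {e['expires_on']}")
    return entries

def is_allowlisted(finding, entries):
    """Match on vulnerability id; an entry with 'package' covers only that package."""
    return any(e["id"] == finding["id"]
               and e.get("package") in (None, finding["package"]) for e in entries)

def audit(findings, allowlist_text, today_iso):
    """Return counts of blocked and allowlisted HIGH/CRITICAL findings."""
    entries = load_allowlist(allowlist_text, date.fromisoformat(today_iso))
    counts = {"blocked": 0, "allowlisted": 0}
    for f in findings:
        if (f.get("severity") or "HIGH").upper() not in BLOCKING:
            continue  # below the blocking threshold, not counted
        counts["allowlisted" if is_allowlisted(f, entries) else "blocked"] += 1
    return counts
```

Calling `audit(FINDINGS, ALLOWLIST_JSON, "2026-02-15")` yields one blocked and two allowlisted findings; a CI job would fail on any ValueError or a non-zero blocked count.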