
ci: Add dependency vulnerability scanning to CI (pip-audit) #47

Description

@YaronZaki

Problem Statement

No dependency vulnerability scanning exists in CI. Python dependencies (stellar-sdk, fastapi, sqlalchemy, aiohttp) may contain known CVEs. No Dependabot/Renovate config for automated updates.

Evidence

  • No pip-audit or safety step in .github/workflows/ci.yml
  • No .github/dependabot.yml configuration
  • .pre-commit-config.yaml: Only pylint — no dependency scanning

Impact

Medium — supply chain risk. Known-vulnerable dependencies can be deployed to production without detection. For a DeFi protocol, a vulnerable dependency (e.g., in a cryptographic library) could be catastrophic.

Proposed Solution

Add pip-audit step to CI that fails on high-severity CVEs, warns on medium/low. Add Dependabot for weekly Python/Docker scans.

Acceptance Criteria

  • pip-audit runs in CI on every PR after poetry install
  • High-severity CVEs fail the build
  • Low/medium CVEs produce warnings
  • Dependabot configured for weekly Python dependency scans
  • CI workflow updated in ci.yml
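The severity split in the acceptance criteria needs a small post-processing step: pip-audit's JSON report lists each finding's ID, aliases and fix versions but (in the versions I know) carries no severity, and pip-audit exits non-zero on any finding regardless of severity. The gate below is an added example written for this issue, not project code. It assumes the report was produced with `pip-audit -f json -o audit.json` (with the producing step told not to abort the job, e.g. `|| true`, so this script decides the outcome), and it assumes severity is supplied by a lookup function; `SEVERITY_DB`, the package names and the vulnerability IDs in it are constructed placeholders standing in for OSV/NVD data. Findings with no severity data fail closed.

```python
#!/usr/bin/env python3
"""Severity gate over a pip-audit JSON report.

Added example for issue #47 (not the project's own code). Assumptions:
  * the report comes from `pip-audit -f json -o audit.json`; pip-audit exits
    non-zero whenever it finds anything, so the CI step producing the report
    must not abort the job before this gate runs;
  * pip-audit's JSON has no severity field, so severity comes from a lookup
    function. SEVERITY_DB is a constructed stand-in for OSV/NVD data and
    every identifier in it is a placeholder.
"""
import json
import sys
from typing import Callable, Optional

FAIL_LEVELS = {"critical", "high"}                 # break the build
WARN_LEVELS = {"medium", "moderate", "low"}        # annotate only

# Constructed severity map (placeholder IDs); real data would come from OSV/NVD.
SEVERITY_DB = {
    "GHSA-xxxx-xxxx-xxxx": "high",
    "PYSEC-0000-00000": "low",
}


def lookup_severity(vuln_id: str) -> Optional[str]:
    return SEVERITY_DB.get(vuln_id)


def classify(report: dict, severity_of: Callable[[str], Optional[str]]):
    """Split findings into (failures, warnings); each entry is
    (package, version, vulnerability id, level)."""
    failures, warnings = [], []
    for dep in report.get("dependencies", []):
        name, version = dep.get("name"), dep.get("version")
        # pip-audit records packages it could not audit with a skip_reason;
        # surface them instead of letting them pass silently.
        if dep.get("skip_reason"):
            warnings.append((name, version, "SKIPPED", dep["skip_reason"]))
            continue
        for vuln in dep.get("vulns", []):
            ids = [vuln["id"], *vuln.get("aliases", [])]
            sev = next((s for s in map(severity_of, ids) if s), None)
            # Fail closed: a finding with no severity data is treated as failing.
            level = (sev or "unknown").lower()
            entry = (name, version, vuln["id"], level)
            if level in WARN_LEVELS:
                warnings.append(entry)
            else:
                failures.append(entry)
    return failures, warnings


def gate(report: dict, severity_of=lookup_severity) -> int:
    """Emit GitHub Actions annotations and return the process exit code."""
    failures, warnings = classify(report, severity_of)
    for pkg, ver, vid, lvl in warnings:
        print(f"::warning::{pkg} {ver}: {vid} ({lvl})")
    for pkg, ver, vid, lvl in failures:
        print(f"::error::{pkg} {ver}: {vid} ({lvl})")
    return 1 if failures else 0


# Constructed report in pip-audit's JSON layout; names, versions and IDs are made up.
SAMPLE_REPORT = {
    "dependencies": [
        {"name": "examplepkg", "version": "1.0.0",
         "vulns": [{"id": "PYSEC-0000-00000", "fix_versions": ["1.0.1"],
                    "aliases": ["CVE-0000-00000"], "description": "constructed"}]},
        {"name": "otherpkg", "version": "2.3.0",
         "vulns": [{"id": "GHSA-xxxx-xxxx-xxxx", "fix_versions": [],
                    "aliases": [], "description": "constructed"}]},
        {"name": "cleanpkg", "version": "0.9.0", "vulns": []},
        {"name": "localpkg", "skip_reason": "editable install"},
    ],
    "fixes": [],
}


def main(argv):
    # With a path argument, gate a real report; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    return gate(report)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired into ci.yml as two steps after `poetry install` (paths are assumptions): `poetry run pip-audit -f json -o audit.json || true`, then `python scripts/audit_gate.py audit.json`. The `::error::` and `::warning::` lines are GitHub Actions workflow commands, so medium/low findings and skipped packages show up as annotations on the PR while only high/critical (or unrated) findings fail the job. Dependabot needs no code: a `.github/dependabot.yml` with `version: 2` and one `updates` entry per ecosystem (`package-ecosystem: "pip"` and `"docker"`, `directory: "/"`, `schedule: {interval: "weekly"}`) covers the weekly scans in the criteria.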

File Map

  • .github/workflows/ci.yml — add pip-audit step
  • .github/dependabot.yml (new) — Dependabot configuration

Testing Strategy

  • CI: Push PR, verify pip-audit runs; add vulnerable package version, verify build fails

Security Considerations

Automated CVE detection in CI is critical for supply chain security in a DeFi protocol.

Definition of Done

  • Code implemented and peer-reviewed
  • Pipeline runs successfully
  • Dependabot opening PRs
  • PR linked and merged

Labels: security, ci-cd
Priority: Low
Difficulty: Beginner
Estimated Effort: 1h
