Add dependency vulnerability scanning to CI #75

Closed

garland3 wants to merge 1 commit into main from feature/dependency-vulnerability-scanning

Conversation

@garland3

Collaborator

Summary

  • Adds a new GitHub Actions workflow (dependency-scan.yml) that audits both Python and Node dependencies for known vulnerabilities
  • Python job uses pip-audit --strict --desc against the uv-managed dependency set
  • Node job uses npm audit --audit-level=high against frontend dependencies
  • Runs on push to main, PRs to main, and on a weekly Monday cron schedule to catch newly disclosed CVEs

Test plan

  • Verify the workflow appears in the Actions tab after merge
  • Confirm the Python audit job installs dependencies via uv and runs pip-audit successfully
  • Confirm the Node audit job runs npm audit against frontend dependencies
  • Trigger a manual workflow run or open a test PR to validate both jobs execute and report results
  • Verify the weekly cron schedule is registered correctly

Introduce a dedicated workflow that audits Python (pip-audit) and Node
(npm audit) dependencies for known vulnerabilities. Runs on pushes and
PRs to main, plus a weekly Monday schedule to catch newly disclosed CVEs.
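As an added example (not code from this PR or the repository), the following Python gate applies one policy to the JSON reports of the two tools the workflow runs, so the Python and Node jobs fail on the same terms; it also covers the package-skipped case that `--strict` turns into a failure and a reviewed risk-acceptance list. The report shapes expected for `pip-audit -f json` and `npm audit --json` (including the `skip_reason` field) are assumptions, and the sample reports are constructed.

```python
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

def pip_audit_findings(report, strict=True):
    """Flatten a pip-audit JSON report. pip-audit reports no severity (None here) and
    exits non-zero on any advisory; with strict=True a skipped package (assumed
    "skip_reason" field) is also a finding, mirroring `pip-audit --strict`."""
    out = []
    for dep in report.get("dependencies", []):
        if "skip_reason" in dep:
            if strict:
                out.append({"tool": "pip-audit", "package": dep["name"], "id": "SKIPPED",
                            "severity": None, "fixable": False, "detail": dep["skip_reason"]})
            continue
        for v in dep.get("vulns", []):
            out.append({"tool": "pip-audit", "package": f"{dep['name']}=={dep['version']}",
                        "id": v["id"], "severity": None, "fixable": bool(v.get("fix_versions")),
                        "detail": v.get("description", "")})
    return out

def npm_audit_findings(report):
    """Flatten an `npm audit --json` report (assumed shape: "vulnerabilities" map keyed
    by package name, each with "severity", "range" and "fixAvailable")."""
    return [{"tool": "npm audit", "package": f"{name}@{e.get('range', '*')}", "id": name,
             "severity": e.get("severity", "info"), "fixable": bool(e.get("fixAvailable")),
             "detail": ""}
            for name, e in report.get("vulnerabilities", {}).items()]

def gate(pip_report, npm_report, audit_level="high", accepted=frozenset()):
    """Findings that should fail CI under one policy for both ecosystems: unscored
    pip-audit findings always block, npm findings block at or above audit_level
    (the PR uses high), and ids in `accepted` are reviewed risk acceptances that
    are still reported by the tools but never block."""
    threshold = SEVERITY_ORDER.index(audit_level)
    return [f for f in pip_audit_findings(pip_report) + npm_audit_findings(npm_report)
            if f["id"] not in accepted
            and (f["severity"] is None or SEVERITY_ORDER.index(f["severity"]) >= threshold)]

# Constructed sample reports: placeholder package and advisory names, not real ones.
PIP_REPORT = {"dependencies": [
    {"name": "demo-http", "version": "1.0.0", "vulns": [
        {"id": "PYSEC-EXAMPLE-0001", "fix_versions": ["1.0.1"], "aliases": [], "description": "constructed"}]},
    {"name": "internal-lib", "version": "0.1", "skip_reason": "constructed: not on an index"}]}
NPM_REPORT = {"auditReportVersion": 2, "vulnerabilities": {
    "demo-utils": {"name": "demo-utils", "severity": "high", "range": "<3.0.0", "fixAvailable": True},
    "demo-parse": {"name": "demo-parse", "severity": "moderate", "range": "<1.2.0", "fixAvailable": False}}}

if __name__ == "__main__":
    for f in gate(PIP_REPORT, NPM_REPORT):
        print(f"BLOCK {f['tool']}: {f['package']} {f['id']} fixable={f['fixable']}")
```

In CI the two reports would be produced with `pip-audit -f json -o ...` and `npm audit --json` in their respective jobs and handed to `gate` in a final step.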
Copilot AI review requested due to automatic review settings March 11, 2026 05:10

Copilot AI left a comment

Contributor

Pull request overview

Adds a dedicated GitHub Actions workflow to run dependency vulnerability audits for both the Python (uv-managed) and frontend Node.js dependency sets, intended to run on main/PRs and on a weekly schedule.

Changes:

  • Introduces .github/workflows/dependency-scan.yml with separate Python and Node audit jobs.
  • Python job runs pip-audit after installing dependencies via uv.
  • Node job runs npm audit after npm ci in frontend/.

Comment on lines +8 to +10
schedule:
# Run weekly on Monday at 06:00 UTC
- cron: "0 6 * * 1"
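Review bot: the test plan says to validate by triggering a manual workflow run, but the trigger block shown only lists `schedule:`; unless the workflow's `on:` also carries a `workflow_dispatch:` entry, a manual run is not possible, so add one next to the cron. A cron trigger also runs only the default branch's copy of the workflow, so a failing weekly audit surfaces nowhere unless someone watches the Actions tab; consider a notification or issue-creation step on failure.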

Copilot AI Mar 11, 2026

This repository already has a scheduled dependency/security scanning workflow in .github/workflows/container-scan-trivy.yml (includes a dependency-scan job and a Monday cron). Adding a separate dependency-scan.yml will duplicate scheduled runs and can create conflicting/noisy CI signals. Consider folding pip-audit/npm-audit into the existing security workflow (or removing the older job) so there is a single source of truth for dependency scanning.

Suggested change
schedule:
# Run weekly on Monday at 06:00 UTC
- cron: "0 6 * * 1"

Comment on lines +34 to +38
- name: Install pip-audit
run: uv pip install pip-audit

- name: Run pip-audit
run: uv run pip-audit --strict --desc
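Review bot: installing pip-audit into the project environment with `uv pip install pip-audit` and then auditing with `uv run pip-audit` means the audited environment now contains pip-audit and its own transitive dependencies, so an advisory against one of those fails the Python job even though the project never ships it; running the tool isolated (`uv tool run pip-audit`, also spelled `uvx pip-audit`) keeps the report scoped to the project's own dependency set. Note as well that `--strict` fails the audit when any package cannot be looked up, so a private or unpublished package will fail the job for a non-vulnerability reason; document that as the intended outcome or exclude such packages explicitly.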

Copilot AI Mar 11, 2026

uv sync --frozen suggests the environment should exactly match the lockfile, but the subsequent uv pip install pip-audit mutates the environment outside the lock. Prefer running pip-audit as an isolated tool (e.g., via uv tool run ...) or pin/lock pip-audit as a dependency group so the audit environment stays reproducible.

Suggested change
- name: Install pip-audit
run: uv pip install pip-audit
- name: Run pip-audit
run: uv run pip-audit --strict --desc
- name: Run pip-audit
run: uv tool run pip-audit --strict --desc

- name: Set up Node.js
uses: actions/setup-node@v5
with:
node-version: "22"
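Review bot: `uses: actions/setup-node@v5` pins to a mutable major tag; for a workflow whose purpose is supply-chain hygiene, pin third-party actions to a full commit SHA (with the version noted in a trailing comment) so that a moved tag cannot change what runs in CI, and let Dependabot or Renovate bump the SHA.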

Copilot AI Mar 11, 2026

Node is set to 22 here, but other CI workflows in this repo use Node 18 (e.g. .github/workflows/docker-image.yml and codeql-analysis.yml). Using a newer major Node version just for npm ci/npm audit can cause inconsistent results or install failures if the lockfile/tooling was generated against Node 18. Consider aligning this to the same Node version used elsewhere (or centralizing the version via a single file/env var).

Suggested change
node-version: "22"
node-version: "18"

@garland3

Collaborator Author

Closing in favor of including this workflow in PR #79, which consolidates all pending changes.

@garland3 garland3 closed this Mar 15, 2026
garland3 added a commit that referenced this pull request Mar 15, 2026
Rewrite ImageView.measurements.test.js to use URL-based fetch mocking
instead of sequential mockResolvedValueOnce chains, and remove act()
wrappers that caused hanging due to unresolved async effects. All 9
measurement tests now pass reliably.

Add dependency-scan.yml workflow (from PR #75) for Python pip-audit and
Node npm audit, running on push/PR to main and weekly cron schedule.
garland3 added a commit that referenced this pull request Mar 21, 2026
travisdock pushed a commit that referenced this pull request Jun 3, 2026