This guide describes how the dependency vulnerability audit system functions, the format of policy exception definitions, and how to run auditing/verification checks locally.
Vulnerability exceptions are maintained in the root directory under .audit-config.yaml.
To document a new exception (to temporarily allow a dependency vulnerability that blocks deployment in CI), add an entry under the exceptions block using the following format:
exceptions:
CVE-2026-99999:
package: vulnerable-library
severity: high
reason: |
The vulnerability requires usage of a specific API endpoint that is disabled in our environment.
We are tracking the patch and plan to upgrade by the target date.
expires_at: 2026-09-30
approved_by: security-team
approval_date: 2026-06-01
ticket: https://github.com/Rakshak05/SecuScan/issues/211| Field Name | Type | Required | Description |
|---|---|---|---|
Vulnerability Key (e.g. CVE-2026-99999) |
String | Yes | The primary vulnerability identifier (CVE ID, GHSA ID, or package name) used for exception matching. |
package |
String | Yes | Name of the package containing the vulnerability. |
severity |
String | No | The severity level (critical, high, medium, low) of the vulnerability. |
reason |
String | Yes | Clear business and technical justification for why this vulnerability does not pose an immediate threat or why the risk is accepted. |
expires_at |
String (ISO-8601) | Yes | The expiry date of the exception (YYYY-MM-DD). In CI, expired exceptions will automatically fail the build unless enforce_expiry is set to false. |
approved_by |
String | Yes | The individual or team that reviewed and approved the exception. |
approval_date |
String (ISO-8601) | No | Date when the exception was approved. |
ticket |
String | No | URL to a tracking ticket, issue, or pull request. |
You can run the audit tools locally to verify dependency status and validate configuration files.
-
Install requirements and developer dependencies:
pip install -r backend/requirements.txt -r backend/requirements-dev.txt
-
Run
pip-auditto generate the raw report:pip-audit -r backend/requirements.txt --desc --format json > backend/pip-audit-report.json(Note: Add
--include-devif you wish to run audits against development dependencies). -
Verify results against configuration:
python scripts/check_pip_audit.py \ --report backend/pip-audit-report.json \ --config .audit-config.yaml
-
Install requirements:
cd frontend npm ci -
Run
npm auditto generate the JSON report:npm audit --json > npm-audit-report.json -
Verify results against configuration:
python ../scripts/check_npm_audit.py \ --report npm-audit-report.json \ --config ../.audit-config.yaml
To generate a CycloneDX 1.4 compatible SBOM containing all frontend and backend dependencies, run:
python scripts/generate_sbom.py --output sbom.json --include-devWhen an audit surfaces a finding, use the following table to classify it into one of three categories and determine the appropriate operator response. Classification is driven by severity, exploitability, and whether the affected package ships to production.
| Category | Criteria | Operator Action | Example |
|---|---|---|---|
| Informational | low severity findings with no exploit path, or findings confined to dev-only dependencies. |
Note and monitor; no immediate action required. | A low CVE in a build-time dev dependency that is not shipped to production. |
| Urgent | high or critical findings with a known fix available, or a plausible exploit path in production dependencies. |
Schedule a patch within the current sprint and file a tracking ticket. | A high CVE in a runtime HTTP library with a patched version released. |
| Blocking | critical findings with active exploitation, no available fix, or affecting authentication/secrets handling. |
Stop deployment; apply mitigation or a temporary exception with security-team approval immediately. | A critical RCE in a core runtime dependency with no patch. |
Blocking findings that require a temporary allowance to unblock deployment must be documented using the exception format described in Section 1.