Skip to content

Add dependency vulnerability scan CI gates#57

Merged
negillett merged 7 commits into
mainfrom
add-deps-scan-gates
May 22, 2026
Merged

Add dependency vulnerability scan CI gates#57
negillett merged 7 commits into
mainfrom
add-deps-scan-gates

Conversation

@negillett
Copy link
Copy Markdown
Member

@negillett negillett commented May 22, 2026

Summary

  • Add deps-scan workflow with pip-audit, OSV-Scanner, and allowlist expiry.
  • Add Dependabot weekly groups for pip and GitHub Actions.

Test plan

  • bash ./scripts/check-deps-allowlist.sh
  • pip-audit --desc on

Review

No blocking findings.

Add dependency vulnerability scan CI gates
33c1a40 
Signed-off-by: Nathan Gillett <nathan@intentproof.io>
@cursor
Copy link
Copy Markdown

cursor Bot commented May 22, 2026
edited
Loading

PR Summary

Medium Risk
Introduces new CI jobs that can block merges on dependency scan findings or allowlist expiry, so misconfiguration or output-parsing edge cases could cause unexpected build failures.

Overview
Adds a new deps-scan GitHub Actions workflow that enforces dependency security checks on PRs, main, and a weekly schedule: it validates a time-bounded dependency vulnerability allowlist, runs pip-audit, and runs an OSV-Scanner gate that fails only on High/Critical findings.

Introduces Dependabot weekly update configuration (grouped patch vs minor/major for pip, plus grouped GitHub Actions updates), adds initial .github/deps-allowlist.yml and .osv-scanner.toml, and refactors allowlist expiry validation by extracting a reusable scripts/check-allowlist-expiry.sh used by both CodeQL and dependency allowlists.

Reviewed by Cursor Bugbot for commit d47b605. Bugbot is set up for automated code reviews on this repo. Configure here.

cursor[bot]
cursor Bot reviewed May 22, 2026
View reviewed changes
Comment thread .github/workflows/deps-scan.yml Outdated
Comment thread scripts/check-deps-allowlist.sh Outdated
Nathan Gillett added 3 commits May 21, 2026 22:53
Fix deps-scan CI: OSV gate script
7f9f3bc 
Signed-off-by: Nathan Gillett <nathan@intentproof.io>
fix deps scan CI: OSV binary download URL
8c02149 
Download the raw osv-scanner release binary instead of a missing
tarball and allow repos without lockfiles to pass the OSV gate.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
fix deps scan: materialize Python lockfile for OSV
3b5b58e 
Freeze installed requirements for OSV-Scanner and harden the gate
script for repos without committed lockfiles.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
cursor[bot]
cursor Bot reviewed May 22, 2026
View reviewed changes
Comment thread scripts/run-osv-scanner-gate.sh Outdated
address Bugbot: fix OSV args and dedupe allowlist checks
021bb03 
Parse optional lockfiles without a brittle shift, share allowlist
expiry validation in one script, and fix codeql allowlist empty-entry
handling.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
cursor[bot]
cursor Bot reviewed May 22, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 021bb03. Configure here.

Comment thread scripts/run-osv-scanner-gate.sh
rm -f "$tmp"
fi

args=(scan source --format=table --no-call-analysis=all --allow-no-lockfiles)
Copy link
Copy Markdown

@cursor cursor Bot May 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unrecognized osv-scanner flag may silently pass gate

High Severity

The --allow-no-lockfiles flag does not appear in any osv-scanner v2 documentation, CLI reference, changelog, or source code. The documented approach for handling missing lockfiles in v2 is --include-git-root. If the flag is unrecognized, osv-scanner exits with code 1 (cobra default for unknown flags). The status -gt 1 check on line 55 does not catch exit code 1, so execution falls through to the Python parser, which finds no severity summary or vulnerability IDs in the error text and prints "PASS" — a false pass where the scanner never actually ran.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 021bb03. Configure here.

Nathan Gillett added 2 commits May 21, 2026 23:39
fix OSV gate: avoid argv size limit on large output
2ac16be 
Write osv-scanner output to a temp file and pass the path to the
severity parser instead of embedding the full table in sys.argv.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
fix allowlist checker: require explicit file path
d47b605 
Drop the misleading codeql-allowlist default so invoking the shared
script without arguments fails fast instead of silently skipping.

Signed-off-by: Nathan Gillett <nathan@intentproof.io>
@negillett negillett merged commit 965255f into main May 22, 2026
10 checks passed
@negillett negillett deleted the add-deps-scan-gates branch May 22, 2026 05:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@negillett