feat(security): add Snyk CI workflow and pinned Python requirements
- .github/workflows/snyk.yml: scans the backend (Python), the frontend (npm) and the backend Docker image on every push/PR and on a weekly schedule. Uses continue-on-error during the initial cleanup phase. Requires the SNYK_TOKEN secret in the GitHub repo settings. - backend/requirements-lock.txt: exact pip freeze output from the production container, for accurate Snyk CVE scanning (no version ambiguity). To enable: add SNYK_TOKEN to the GitHub repo secrets (get the token from app.snyk.io -> Account Settings -> API Token).
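--- /dev/null
+++ b/.github/workflows/snyk.yml
@@ -0,0 +1,71 @@
+name: Snyk Security Scan
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1' # Weekly on Monday 06:00 UTC
+
+jobs:
+  snyk-backend:
+    name: Python vulnerabilities (backend)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install backend dependencies
+        run: pip install -r backend/requirements-lock.txt
+
+      - name: Snyk — scan Python packages
+        uses: snyk/actions/python@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --file=backend/requirements-lock.txt --severity-threshold=high
+        continue-on-error: true # report without blocking CI during initial cleanup
+
+  snyk-frontend:
+    name: npm vulnerabilities (frontend)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install frontend dependencies
+        run: npm ci
+        working-directory: frontend
+
+      - name: Snyk — scan npm packages
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --file=frontend/package.json --severity-threshold=high
+        continue-on-error: true
+
+  snyk-docker-backend:
+    name: Docker image vulnerabilities (backend)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build backend image for scanning
+        run: docker build -t aegis-backend:scan backend/
+
+      - name: Snyk — scan Docker image
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: aegis-backend:scan
+          args: --severity-threshold=high
+        continue-on-error: true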
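Review bot: All three Snyk steps reference `snyk/actions/python@master`, `snyk/actions/node@master` and `snyk/actions/docker@master`, a mutable branch ref, while being handed `SNYK_TOKEN` through `env:`; whatever lands on that branch runs with the token on the next push, so each should be pinned to a full commit SHA with the release noted in a comment, e.g. `uses: snyk/actions/python@<commit-sha>  # <release-tag>`, and bumped by Dependabot/Renovate rather than tracked live. The workflow also declares no `permissions:` block, so every job inherits the repository's default `GITHUB_TOKEN` scope; a top-level `permissions:` with `contents: read` is all that checkout, the image build and the scans need. Two smaller things: `continue-on-error: true` on every scan step means a high-severity finding never fails a check, so the "initial cleanup" the description mentions should be tied to a dated TODO comment or a tracking issue to remove it, and `pip install -r backend/requirements-lock.txt` pins versions but not artifacts, so regenerating the lock with hashes (e.g. `pip-compile --generate-hashes`) and installing with `--require-hashes` would make the CI install itself tamper-evident. Note also that on a `pull_request` from a fork `secrets.SNYK_TOKEN` is empty, so those runs fail silently behind `continue-on-error` rather than scanning.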
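--- /dev/null
+++ b/backend/requirements-lock.txt
@@ -0,0 +1,83 @@
+# Auto-generated from pip freeze on 2026-06-12
+# Exact versions installed in production — used by Snyk for accurate CVE scanning.
+# Regenerate with: docker compose exec backend pip freeze > backend/requirements-lock.txt
+alembic==1.18.4
+annotated-types==0.7.0
+anyio==4.13.0
+APScheduler==3.11.2
+atlassian-python-api==4.0.7
+bcrypt==4.0.1
+beautifulsoup4==4.15.0
+boto3==1.43.27
+botocore==1.43.27
+brotli==1.2.0
+certifi==2026.5.20
+cffi==2.0.0
+charset-normalizer==3.4.7
+click==8.4.1
+cssselect2==0.9.0
+defusedxml==0.7.1
+Deprecated==1.3.1
+docxtpl==0.20.2
+fastapi==0.136.3
+fonttools==4.63.0
+greenlet==3.5.1
+h11==0.16.0
+httpcore==1.0.9
+httptools==0.8.0
+httpx==0.28.1
+idna==3.18
+isodate==0.7.2
+Jinja2==3.1.6
+jmespath==1.1.0
+limits==5.8.0
+lxml==6.1.1
+Mako==1.3.12
+MarkupSafe==3.0.3
+oauthlib==3.3.1
+packaging==26.2
+passlib==1.7.4
+pillow==12.2.0
+psycopg2-binary==2.9.12
+pycparser==3.0
+pydantic==2.13.4
+pydantic-settings==2.14.1
+pydantic_core==2.46.4
+pydyf==0.12.1
+PyJWT==2.13.0
+pyphen==0.17.2
+python-dateutil==2.9.0.post0
+python-docx==1.2.0
+python-dotenv==1.2.2
+python-multipart==0.0.32
+python3-saml==1.16.0
+pytz==2026.2
+PyYAML==6.0.3
+redis==8.0.0
+requests==2.34.2
+requests-oauthlib==2.0.0
+s3transfer==0.18.0
+six==1.17.0
+slowapi==0.1.9
+sortedcontainers==2.4.0
+soupsieve==2.8.4
+SQLAlchemy==2.0.50
+starlette==1.3.0
+taxii2-client==2.3.0
+tempo-api-python-client==0.12.0
+tinycss2==1.5.1
+tinyhtml5==2.1.0
+toml==0.10.2
+typing-inspection==0.4.2
+typing_extensions==4.15.0
+tzlocal==5.3.1
+urllib3==2.7.0
+uvicorn==0.49.0
+uvloop==0.22.1
+watchfiles==1.2.0
+weasyprint==69.0
+webencodings==0.5.1
+websockets==16.0
+wrapt==2.2.1
+xmlsec==1.3.17
+zopfli==0.4.3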