crewAI

andre/crewAI

Fork 0

mirror of https://github.com/crewAIInc/crewAI.git synced 2026-04-26 04:42:41 +00:00

Commit Graph

Author	SHA1	Message	Date
iris-clawd	931f3556cf	ci: add vulnerability scanning with pip-audit and Snyk (#5242 ) Some checks failed CodeQL Advanced / Analyze (actions) (push) Has been cancelled Details CodeQL Advanced / Analyze (python) (push) Has been cancelled Details Vulnerability Scan / pip-audit (push) Has been cancelled Details Build uv cache / build-cache (3.10) (push) Has been cancelled Details Build uv cache / build-cache (3.11) (push) Has been cancelled Details Build uv cache / build-cache (3.12) (push) Has been cancelled Details Build uv cache / build-cache (3.13) (push) Has been cancelled Details Mark stale issues and pull requests / stale (push) Has been cancelled Details * ci: add vulnerability scanning with pip-audit and Snyk Add a new GitHub Actions workflow that runs on PRs, pushes to main, and weekly: - pip-audit: scans all Python dependencies (direct + transitive) against PyPI Advisory DB and OSV for known CVEs. Outputs JSON report as artifact and posts results to the job summary. - Snyk: optional enterprise-grade scanning (gated behind SNYK_ENABLED repo variable and SNYK_TOKEN secret). Runs on high+ severity and monitors main branch. This addresses the need for automated pre-release vulnerability scanning to catch dependency CVEs before cutting releases. * ci: pin Snyk action to @v1 tag and remove continue-on-error - Pin snyk/actions/python from @master to @v1 to prevent supply chain risk from mutable branch references (matches convention of other actions in the repo using versioned tags) - Remove continue-on-error on the Snyk check step so high+ severity vulnerabilities actually fail the build * ci: fail build when pip-audit crashes without producing a report If pip-audit exits abnormally without writing pip-audit-report.json, the Display Results step now emits an error annotation and exits 1 instead of silently passing. * ci: fix pip-audit failing on local packages Replace --strict with --skip-editable to avoid pip-audit failing when it encounters local/private packages (e.g. crewai-devtools) that are not published on PyPI. The --skip-editable flag tells pip-audit to skip packages installed in editable/development mode while still auditing all published dependencies. * fix: bump vulnerable dependencies and ignore unfixable CVEs Dependency upgrades (via uv lock --upgrade-package): - aiohttp 3.13.3 → 3.13.5 (fixes 10 CVEs) - cryptography 46.0.5 → 46.0.6 (fixes CVE-2026-34073) - pygments 2.19.2 → 2.20.0 (fixes CVE-2026-4539) - onnx 1.20.1 → 1.21.0 (fixes 6 CVEs) - couchbase 4.5.0 → 4.6.0 (fixes PYSEC-2023-235) Temporarily ignored CVEs (cannot be fixed without upstream changes): - CVE-2025-69872 (diskcache): no fix available, latest version - CVE-2026-25645 (requests): needs 2.33.0, blocked by crewai-tools pin - CVE-2026-27448/27459 (pyopenssl): needs 26.0.0, blocked by snowflake-connector-python pin - PYSEC-2023-235 (couchbase): advisory not yet updated for 4.6.0 * chore: remove accidentally committed egg-info files * ci: remove Snyk job, pip-audit is sufficient pip-audit covers Python dependency CVE scanning against PyPI Advisory DB and OSV, which is all we need for pre-release checks. Snyk adds complexity (account setup, token management) without meaningful additional coverage for this use case. --------- Co-authored-by: Greyson LaLonde <greyson.r.lalonde@gmail.com>	2026-04-03 01:44:44 -03:00

Author

SHA1

Message

Date

iris-clawd

931f3556cf

ci: add vulnerability scanning with pip-audit and Snyk (#5242 )

CodeQL Advanced / Analyze (actions) (push) Has been cancelled

Details

CodeQL Advanced / Analyze (python) (push) Has been cancelled

Details

Vulnerability Scan / pip-audit (push) Has been cancelled

Details

Build uv cache / build-cache (3.10) (push) Has been cancelled

Details

Build uv cache / build-cache (3.11) (push) Has been cancelled

Details

Build uv cache / build-cache (3.12) (push) Has been cancelled

Details

Build uv cache / build-cache (3.13) (push) Has been cancelled

Details

Mark stale issues and pull requests / stale (push) Has been cancelled

Details

* ci: add vulnerability scanning with pip-audit and Snyk

Add a new GitHub Actions workflow that runs on PRs, pushes to main, and weekly:

- pip-audit: scans all Python dependencies (direct + transitive) against
  PyPI Advisory DB and OSV for known CVEs. Outputs JSON report as artifact
  and posts results to the job summary.
- Snyk: optional enterprise-grade scanning (gated behind SNYK_ENABLED
  repo variable and SNYK_TOKEN secret). Runs on high+ severity and
  monitors main branch.

This addresses the need for automated pre-release vulnerability scanning
to catch dependency CVEs before cutting releases.

* ci: pin Snyk action to @v1 tag and remove continue-on-error

- Pin snyk/actions/python from @master to @v1 to prevent supply chain
  risk from mutable branch references (matches convention of other
  actions in the repo using versioned tags)
- Remove continue-on-error on the Snyk check step so high+ severity
  vulnerabilities actually fail the build

* ci: fail build when pip-audit crashes without producing a report

If pip-audit exits abnormally without writing pip-audit-report.json,
the Display Results step now emits an error annotation and exits 1
instead of silently passing.

* ci: fix pip-audit failing on local packages

Replace --strict with --skip-editable to avoid pip-audit failing when
it encounters local/private packages (e.g. crewai-devtools) that are
not published on PyPI. The --skip-editable flag tells pip-audit to
skip packages installed in editable/development mode while still
auditing all published dependencies.

* fix: bump vulnerable dependencies and ignore unfixable CVEs

Dependency upgrades (via uv lock --upgrade-package):
- aiohttp 3.13.3 → 3.13.5 (fixes 10 CVEs)
- cryptography 46.0.5 → 46.0.6 (fixes CVE-2026-34073)
- pygments 2.19.2 → 2.20.0 (fixes CVE-2026-4539)
- onnx 1.20.1 → 1.21.0 (fixes 6 CVEs)
- couchbase 4.5.0 → 4.6.0 (fixes PYSEC-2023-235)

Temporarily ignored CVEs (cannot be fixed without upstream changes):
- CVE-2025-69872 (diskcache): no fix available, latest version
- CVE-2026-25645 (requests): needs 2.33.0, blocked by crewai-tools pin
- CVE-2026-27448/27459 (pyopenssl): needs 26.0.0, blocked by
  snowflake-connector-python pin
- PYSEC-2023-235 (couchbase): advisory not yet updated for 4.6.0

* chore: remove accidentally committed egg-info files

* ci: remove Snyk job, pip-audit is sufficient

pip-audit covers Python dependency CVE scanning against PyPI Advisory DB
and OSV, which is all we need for pre-release checks. Snyk adds
complexity (account setup, token management) without meaningful
additional coverage for this use case.

---------

Co-authored-by: Greyson LaLonde <greyson.r.lalonde@gmail.com>

2026-04-03 01:44:44 -03:00

1 Commits