fix(security): unblock Security Audit and route its failures to Slack #508
OSV no longer surfaces CVE-2024-34997 / PYSEC-2024-277 for the pinned joblib 1.4.2, so the two IgnoredVulns entries match nothing. OSV-Scanner v2 exits non-zero on ignore entries that match nothing in the current scan, which failed the Security Audit job on push to main even though the scan found zero vulnerabilities. Drop the now-unused suppressions.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Su9dsdnq5qaQyTZ9CdkVBb
The Slack failure notifier reacts only to workflows named in its workflow_run trigger list, which omitted "Security Audit". A failing security audit on push/schedule therefore went unannounced. Add it to the watched list so dependency-vulnerability failures surface in Slack like the other gating workflows.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Su9dsdnq5qaQyTZ9CdkVBb
Claude finished @murray-ds's task in 1m 9s. PR Review

Summary

This is a clean, well-scoped fix. Both root causes are correctly diagnosed and the changes are minimal and targeted. Nothing blocking.
The policy header already documents the suppression format; drop the parenthetical explaining OSV-Scanner's exit-code behavior and keep just the "No active suppressions" marker.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Su9dsdnq5qaQyTZ9CdkVBb
Codecov Report: All modified and coverable lines are covered by tests.
Summary

The Security Audit workflow has been failing on `main` (e.g. run 27669555335, the Dependabot dev-dependency bump), and the failure was never announced in Slack. This PR fixes both.

1. Stale OSV-Scanner suppression → failing job

The scan found zero vulnerabilities, but exited non-zero: `osv-scanner.toml` suppressed the disputed joblib `CVE-2024-34997` / `PYSEC-2024-277` advisory. joblib `1.4.2` is still pinned, but OSV no longer surfaces that advisory for it, so both ignore entries match nothing — and OSV-Scanner v2 treats unused ignores as a non-clean run. On a `push` to `main` the workflow's gate is hard, so the job failed. Removing the now-dead suppressions lets the scan pass.

2. Security Audit failures weren't reaching Slack

`slack-notifications.yml` only reacts to workflows listed in its `workflow_run` trigger, and `"Security Audit"` was missing. So even a genuine vulnerability gate failure would have gone unannounced. Added it to the watched list, alongside the other gating workflows.

Changes

- `osv-scanner.toml`: drop the two unused `[[IgnoredVulns]]` entries; keep the policy header and note why stale suppressions must be removed.
- `.github/workflows/slack-notifications.yml`: add `"Security Audit"` to the watched `workflow_run` workflows.

Notes
🤖 Generated with Claude Code
https://claude.ai/code/session_01Su9dsdnq5qaQyTZ9CdkVBb