This project implements several measures to protect against supply chain attacks:
- Pinned Versions: All dependencies use exact version pins in `requirements.txt` and `pyproject.toml`
- Dependency Tracking: Comprehensive dependency reports generated automatically
- Security Scanning: Automated vulnerability scanning with Safety and pip-audit
- Regular Updates: Weekly automated security checks via GitHub Actions
- `docs/DEPENDENCIES.md` - Human-readable dependency report
- `docs/dependency-report.json` - Machine-readable dependency data
- Generated automatically by `scripts/generate_dependency_report.py`
- Before Updates: Review current dependency report
- During Updates: Update pinned versions in both `requirements.txt` and `pyproject.toml`
- After Updates: Regenerate dependency report and review changes
- Continuous: Monitor security advisories for listed dependencies
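The update process above relies on the pins in `requirements.txt` and `pyproject.toml` staying identical. The following check enforces that; it is an added example, not one of the project's own scripts, and the two sample files embedded in it are constructed (the `SAMPLE_*` names and the `tomllib` requirement of Python 3.11+ are assumptions).

```python
"""Check that requirements.txt and pyproject.toml carry identical '==' pins.
Added example with constructed sample inputs; needs Python 3.11+ (tomllib) or the tomli backport."""
import re
try:
    import tomllib
except ImportError:
    import tomli as tomllib  # backport for interpreters older than 3.11

# Matches "name[extras]==1.2.3"; comments are stripped before matching.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*==\s*([^\s;]+)")
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name):
    """PEP 503 name normalisation so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_pins(lines):
    """Map normalised package name -> version, or None when not pinned with '=='."""
    pins = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank line or pip option such as -r
            continue
        m = PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(3)
        elif (n := NAME_RE.match(line)):
            pins[normalize(n.group(1))] = None
    return pins

def check_consistency(requirements_txt, pyproject_toml):
    """Return human-readable findings; an empty list means both files agree."""
    req = parse_pins(requirements_txt.splitlines())
    proj = parse_pins(tomllib.loads(pyproject_toml).get("project", {}).get("dependencies", []))
    findings = []
    for name in sorted(set(req) | set(proj)):
        if name not in req or name not in proj:
            findings.append(f"{name}: listed in only one file")
        elif req[name] is None or proj[name] is None:
            findings.append(f"{name}: not pinned with '==' in both files")
        elif req[name] != proj[name]:
            findings.append(f"{name}: version drift (requirements.txt={req[name]}, pyproject.toml={proj[name]})")
    return findings

# Constructed sample: paramiko drifts, requests is a range, cryptography is missing from one file.
SAMPLE_REQ = "paramiko==3.4.0\nPyYAML==6.0.1\nrequests>=2.31  # range, not a pin\n"
SAMPLE_PYPROJECT = '[project]\nname = "demo"\ndependencies = ["paramiko==3.3.1", "pyyaml==6.0.1", "requests==2.31.0", "cryptography==42.0.5"]\n'

if __name__ == "__main__":
    for finding in check_consistency(SAMPLE_REQ, SAMPLE_PYPROJECT):
        print(finding)
```

Run it as a pre-commit or CI step so the "During Updates" step cannot leave the two files out of sync.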
If a security vulnerability is discovered in a dependency:
- Check `docs/DEPENDENCIES.md` to see if we use the affected package/version
- If affected, update to a patched version immediately
- Regenerate dependency report to document the change
- Test thoroughly before deploying
- Safety: Checks for known security vulnerabilities
- pip-audit: OSV database vulnerability scanning
- GitHub Dependabot: Automated dependency updates (if enabled)
```bash
# Install security tools
pip3 install safety pip-audit
# Check for vulnerabilities
safety check
pip-audit
# Generate fresh dependency report
python3 scripts/generate_dependency_report.py
```
- Uses paramiko for secure SSH connections
- Supports key-based authentication
- Connection timeouts and retry logic
- No credential storage in code
- Use SSH keys instead of passwords
- Implement proper key management
- Monitor SSH connection logs
- Use least privilege access
Please report security vulnerabilities to: rory.mcmahon@vocus.com.au
Do not create public GitHub issues for security vulnerabilities.
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |