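--- a/.github/dependency-review-config.yml
+++ b/.github/dependency-review-config.yml
@@ -0,0 +1,8 @@
+---
+fail-on-severity: high
+# ecdsa Minerva timing attack (P-256); no upstream fix, transitive via checkov.
+# Re-evaluate when checkov drops the ecdsa dependency.
+allow-ghsas:
+- GHSA-wj6h-64fc-37mp
+warn-on-openssf-scorecard-level: 3
+comment-summary-in-pr: on-failure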
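Review bot: The justification comment above `allow-ghsas` drops the tracking reference that the removed inline block in pr-validation.yml carried (`See issue #641.`), so the `Re-evaluate when checkov drops the ecdsa dependency.` condition is no longer tied to anything that will surface it. Suggest restoring it: `# Re-evaluate when checkov drops the ecdsa dependency. See issue #641.`. The parallel entries added to .grype.yaml and osv-scanner.toml in this PR also omit the issue reference; since the same exception is now declared in three tools, a shared pointer is what keeps them from drifting when one of them is eventually removed.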
7 changes: 1 addition & 6 deletions .github/workflows/pr-validation.yml
Expand Up @@ -96,12 +96,7 @@ jobs:
- name: Dependency Review
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
with:
fail-on-severity: high
# ecdsa Minerva timing attack (P-256); no upstream fix, transitive via checkov.
# Re-evaluate when checkov drops the ecdsa dependency. See issue #641.
allow-ghsas: GHSA-wj6h-64fc-37mp
warn-on-openssf-scorecard-level: 3
comment-summary-in-pr: on-failure
config-file: ./.github/dependency-review-config.yml

# Shell script linting
shell-lint:
9 changes: 9 additions & 0 deletions .grype.yaml
Expand Up @@ -65,3 +65,12 @@ ignore:
# inflate error (exit 16). Upstream grype bug; remove when upgrading past 0.86.1
# with the fix included.
- vulnerability: GHSA-rp8m-h266-53jh

# ecdsa 0.19.2 - HIGH severity, no upstream fix
# Justification: Minerva timing attack (CVE-2024-23342 / GHSA-wj6h-64fc-37mp, P-256).
# Pure-Python, transitive via checkov; not exploitable in CI/scan usage.
# Re-evaluate when checkov drops the ecdsa dependency.
- vulnerability: GHSA-wj6h-64fc-37mp
package:
name: ecdsa
type: python
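Review bot: The new ignore rule is scoped to the package name and type but not to the version its own comment names (`ecdsa 0.19.2`), so it will keep suppressing the finding after any future bump of ecdsa or checkov instead of prompting the re-evaluation the comment asks for. Adding `version: 0.19.2` under `package:` makes the exception lapse on its own when the dependency moves, which is the cheapest way to get the "re-evaluate" step to actually happen. If a version-independent match is intended, the comment should say so explicitly so the next reader does not tighten it by mistake.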
4 changes: 4 additions & 0 deletions osv-scanner.toml
Expand Up @@ -20,3 +20,7 @@ reason = "rustls-pemfile 1.x: unmaintained; transitive via hyper-rustls. Resolve
[[IgnoredVulns]]
id = "RUSTSEC-2026-0097"
reason = "rand: unsoundness with custom logger; awaiting upstream release."

[[IgnoredVulns]]
id = "GHSA-wj6h-64fc-37mp"
reason = "ecdsa: Minerva timing attack (CVE-2024-23342), P-256; no upstream fix. Transitive via checkov. Re-evaluate when checkov drops the ecdsa dependency."
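Review bot: The new `[[IgnoredVulns]]` entry carries an open-ended re-evaluation condition in its `reason` but no expiry, so nothing in the scanner will ever bring the suppression back up for review. osv-scanner's config accepts an optional `ignoreUntil` date on an ignore entry; adding one, e.g. `ignoreUntil = YYYY-MM-DD  # placeholder: choose a review date`, turns the stated intent into a scheduled check that fails loudly when it lapses. The two preceding entries in this file have the same shape, so this would be the first dated one; that is worth a short comment if the project adopts it.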
2 changes: 1 addition & 1 deletion requirements.in
Expand Up @@ -6,7 +6,7 @@ python-hcl2~=8.1.2 # HCL2 (Terraform) configuration parser
jinja2~=3.1.6 # Template engine for configuration generation

# Security and Compliance Scanning
checkov~=3.2.529 # Infrastructure security and compliance scanner
checkov~=3.3.6 # Infrastructure security and compliance scanner

# Security-Critical Dependencies (Version Pinned for CVE Remediation)
asteval>=1.0.6 # Safe mathematical expression evaluator
372 changes: 129 additions & 243 deletions requirements.txt
