ci: add CVE Lite dependency audit workflow #1966

Open

sonukapoor wants to merge 1 commit into openai:main from sonukapoor:feature/add-cve-lite-security-scan

Conversation

sonukapoor commented Jul 3, 2026

This PR adds a CVE Lite CLI dependency audit workflow to the openai-node CI pipeline.

A scan of the current pnpm-lock.yaml found 1 high-severity advisory in a direct dependency:

Direct high-severity finding:

  • next@14.2.35 in examples/ - authorization bypass via improper cache handling (CVE-2025-29927, GHSA-f82v-jwr5-mffw) - fix: pnpm add --filter ./examples next@15.5.16

The examples/ directory is part of the published repository and runs a Next.js app that developers clone and run locally. An unpatched version of next in a reference implementation can propagate into downstream projects that copy the example code.

The workflow runs on push, pull request, and weekly schedule. Findings are uploaded to GitHub's Security tab as SARIF.

Tool: CVE Lite CLI is an OWASP Lab Project. It reads the lockfile locally, queries the OSV database, and surfaces direct dependency findings with actionable fix commands.

@sonukapoor sonukapoor requested a review from a team as a code owner July 3, 2026 12:40

chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 08f94564f3


        if: always() && hashFiles('*.sarif') != ''
        uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4
        with:
          sarif_file: cve-lite-*.sarif


P2: Point upload-sarif at a real path

In runs where CVE Lite writes its timestamped cve-lite-scan-<timestamp>.sarif, this input is passed literally to github/codeql-action/upload-sarif; the upload action documents sarif_file as a file or directory and its implementation checks the path with fs.existsSync, so it does not expand cve-lite-*.sarif. Because the preceding hashFiles('*.sarif') guard will be true, the upload step fails with Path does not exist: cve-lite-*.sarif instead of publishing the scan results; use the workspace/directory path or a fixed filename.

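One way to address the review point above, as an added example that is not part of the PR or the openai-node repository: a shell step normalises whatever timestamped report the scanner produced to one fixed filename, and the upload step then names that file literally, so upload-sarif's fs.existsSync check sees a real path. It assumes the scan writes cve-lite-scan-<timestamp>.sarif into the workspace root, as the comment describes; the job name, step ids, cron expression and the scan step's command are placeholders, and the upload-sarif pin is the one quoted on this page.

```yaml
# Added example, not code from the PR. Assumes the scanner writes
# cve-lite-scan-<timestamp>.sarif into the workspace root.
name: CVE Lite dependency audit

on:
  push:
  pull_request:
  schedule:
    - cron: "0 6 * * 1"   # placeholder weekly schedule

# Least privilege: upload-sarif needs security-events:write, nothing else does.
permissions:
  contents: read
  security-events: write

jobs:
  cve-lite-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Placeholder for the scanner invocation; the real command lives in the PR.
      - name: Run CVE Lite scan
        run: echo "scanner writes cve-lite-scan-<timestamp>.sarif here"

      # Collapse the timestamped output to a fixed name so later steps can refer
      # to it literally. Zero reports skips the upload; more than one is an error,
      # because a stale report from an earlier step would otherwise be uploaded.
      - name: Collect SARIF report
        id: sarif
        if: always()
        shell: bash
        run: |
          shopt -s nullglob
          files=(cve-lite-scan-*.sarif)
          case "${#files[@]}" in
            0) echo "no SARIF report produced"
               echo "found=false" >> "$GITHUB_OUTPUT" ;;
            1) mv "${files[0]}" cve-lite.sarif
               echo "found=true" >> "$GITHUB_OUTPUT" ;;
            *) echo "expected one SARIF report, found ${#files[@]}"; exit 1 ;;
          esac

      # upload-sarif takes a file or directory path and does not expand globs,
      # so the fixed filename from the previous step is passed here.
      - name: Upload SARIF
        if: always() && steps.sarif.outputs.found == 'true'
        uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4
        with:
          sarif_file: cve-lite.sarif
```

The guard moves from hashFiles('*.sarif') to a step output, so the upload is skipped only when the collect step has positively confirmed there is nothing to upload; passing the workspace directory (sarif_file: .) would also work, since the action accepts a directory, but it would silently pick up any other .sarif file left in the checkout.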
