[Security] Add multi-ecosystem dependency audit workflow #1337

@ps2181

Description

Hi @reyammer @invernizzi,
Magika has strong security foundations (CodeQL, Scorecard, Dependabot), but no CI step that audits dependency trees against known CVE advisory databases. I ran audits locally across all ecosystems and wanted to share what I found.
Audit results (summary screenshot attached):

Python (pip-audit): 0 vulnerabilities
Go (govulncheck): 0 reachable (20 stdlib, not called)
JS js/ (yarn audit): 134 vulns (66 high, 49 moderate, 19 low)
JS website-ng/ (npm audit): 9 vulns (5 high, 4 moderate)
JS website/ (yarn audit): 13 vulns (5 high, 8 moderate)

Roughly half the JS vulnerabilities are fixable via npm audit fix or yarn upgrade. The remainder — primarily the tar vulnerability chain in js/ — are blocked on an upstream fix from @tensorflow/tfjs-node.
Proposal: Add a security-audit.yml workflow that runs all five audit tools in parallel on push to main, on PRs, and on a weekly cron (continue-on-error for visibility without blocking merges). Results would go to SARIF → Security tab, artifacts retained 30 days, and a summary table in the step summary.
Also: dependabot.yml is missing gomod for /go and npm for /website-ng — happy to include those in the same PR.
Let me know if this is something you'd want a PR for and if there's a preferred severity threshold for blocking.

example of report: [screenshot of the audit summary]
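A sketch of what the proposed security-audit.yml could look like, added here as an example; it is not a workflow from the Magika repository or from the issue author. It assumes the Python package lives under python/, the Go module under go/ and the three JS projects under js/, website-ng/ and website/, and picks a Monday cron slot; of the five tools only govulncheck emits SARIF natively, so the other reports are kept as 30-day JSON artifacts and the step-summary table is left out.

```yaml
name: security-audit
on:
  push: { branches: [main] }
  pull_request:
  schedule:
    - cron: '0 6 * * 1'          # weekly, Monday 06:00 UTC (assumed slot)
permissions:
  contents: read
  security-events: write         # upload-sarif needs this to reach the Security tab
jobs:
  python:
    runs-on: ubuntu-latest
    continue-on-error: true      # visibility only: findings never block a merge
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - run: pip install pip-audit ./python && pip-audit --desc -f json -o pip-audit.json  # assumed package path
      - uses: actions/upload-artifact@v4
        if: always()             # keep the report even when the audit step fails
        with: { name: pip-audit, path: pip-audit.json, retention-days: 30 }
  go:
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
      # govulncheck exits non-zero on reachable findings; the SARIF file is still written
      - run: go install golang.org/x/vuln/cmd/govulncheck@latest && govulncheck -format sarif ./... > govulncheck.sarif
        working-directory: go
      - uses: github/codeql-action/upload-sarif@v3
        if: always()             # reachable findings land in the Security tab
        with: { sarif_file: go/govulncheck.sarif, category: govulncheck }
  javascript:
    runs-on: ubuntu-latest
    continue-on-error: true
    strategy:
      fail-fast: false           # one project's findings must not cancel the others
      matrix:
        include:
          - { dir: js, cmd: yarn audit --json }
          - { dir: website-ng, cmd: npm audit --json }
          - { dir: website, cmd: yarn audit --json }
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: ${{ matrix.cmd }} > audit.json     # non-zero exit on findings is expected here
        working-directory: ${{ matrix.dir }}
      - uses: actions/upload-artifact@v4
        if: always()
        with: { name: "audit-${{ matrix.dir }}", path: "${{ matrix.dir }}/audit.json", retention-days: 30 }
```

Because continue-on-error sits at job level, the `if: always()` on each upload step is what keeps the reports and SARIF reachable when an audit tool exits non-zero; once a severity threshold is agreed, dropping continue-on-error on the relevant job turns the same workflow into a blocking gate.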
