chore: Add Security Scan Workflow

[ruuushhh]

Description

                    fix: TLS vulnerability

                    ## Clickup
                    https://app.clickup.com/

Summary by CodeRabbit

• Chores
  • Introduced an automated process that performs security scans on pull request events, ensuring robust checks on critical dependency updates.
  • Added a new dependency: future==0.18.2.

[coderabbitai]

Caution

Review failed

The head commit changed during the review from fb955d5 to 19e1f6a.

Walkthrough

A new GitHub Actions workflow file (.github/workflows/security-scan.yml) has been added. This workflow is triggered by pull request events on the master branch. It checks out the repository with full history and examines changes in package-lock.json and requirements.txt files. If modifications are found, it runs a vulnerability scan using the specified action; otherwise, it logs a message indicating the scan is skipped. Additionally, a new dependency future==0.18.2 has been added to the requirements.txt file.

Changes

File(s)	Change Summary
.github/workflows/security-scan.yml	Introduces a new workflow that runs on pull request events targeting master. It checks out the repository, identifies changes in package-lock.json and requirements.txt, and conditionally triggers a vulnerability scan.
requirements.txt	Adds a new dependency: future==0.18.2.

Possibly related PRs

• fix: Medium vulnerabilities #752: Introduces updates to requirements.txt that directly relate to the vulnerability scanning triggered in this workflow.

Suggested reviewers

• ashwin1111
• Hrishabh17

Poem

I’m a clever bunny with code so bright,
Hoping to secure our repo day and night.
New workflows spring up like blossoms in May,
Scanning each change in a curious way.
Celebrating improvements with a joyous hop—hip, hip, hooray!
🐰✨
Enjoy the secure code parade!

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/security-scan.yml (1)

10-15: Vulnerability Scanner Step & Version Pinning Advisory
The step correctly invokes the fylein/vulnerability-scan-action and passes the necessary github_token and is_submodule parameters. However, using a dynamic reference (@master) can lead to unexpected changes. For better reproducibility and security, consider pinning the action to a specific version (e.g., a released tag or commit hash).

Example diff:

-        uses: fylein/vulnerability-scan-action@master
+        uses: fylein/[email protected]

Please refer to the action’s documentation for the recommended stable version.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ace3fbd and f96817e.

📒 Files selected for processing (1)

• .github/workflows/security-scan.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: pytest

🔇 Additional comments (3)

.github/workflows/security-scan.yml (3)

1-2: Clear Workflow Name
The workflow is clearly named "Security Scan", which effectively communicates its purpose.

---

3-6: Appropriate Trigger Configuration
The workflow is triggered on pull request events for opened, synchronize, and reopened actions. This correctly ensures that vulnerability scans run at the necessary PR stages.

---

7-9: Job Definition Validation
The security-scan job is configured to run on ubuntu-latest, which is standard and ensures access to an up-to-date environment.

[github-actions]

Tests	Skipped	Failures	Errors	Time
272	0 💤	0 ❌	0 🔥	1m 21s ⏱️

[github-actions]

Tests	Skipped	Failures	Errors	Time
272	0 💤	0 ❌	0 🔥	1m 8s ⏱️

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro (Legacy)

📥 Commits

Reviewing files that changed from the base of the PR and between f96817e and 3667425.

📒 Files selected for processing (1)

• .github/workflows/security-scan.yml (1 hunks)

🧰 Additional context used

🪛 YAMLlint (1.35.1)

.github/workflows/security-scan.yml

[error] 20-20: no new line character at the end of file

(new-line-at-end-of-file)

---

[error] 20-20: trailing spaces

(trailing-spaces)

🔇 Additional comments (3)

.github/workflows/security-scan.yml (3)

1-2: Workflow Name and Overview

The workflow is named "Security Scan," which clearly reflects its intent. The naming is descriptive and appropriate for a security-related workflow.

---

3-11: Workflow Trigger Configuration

The trigger is configured for pull request events (opened, synchronize, reopened) on the master branch with a path filter for **/package-lock.json and **/requirements.txt. Ensure that this narrow trigger scope matches your security scanning objectives—as it will only run when these specific dependency files change.

---

12-15: Job Configuration Verification

The job named security-scan is correctly defined to run on the ubuntu-latest runner. The structure of the job configuration aligns with standard GitHub Actions practices.

[coderabbitai]

🛠️ Refactor suggestion

Vulnerability Scanner Step & Static Analysis Fixes

The step using fylein/vulnerability-scan-action@master correctly integrates the vulnerability scan. However, I recommend pinning the action to a specific release tag (for example, v1.0.0) to ensure stability and reproducibility.
Additionally, YAMLlint flagged trailing spaces at the end of line 20 and the absence of a newline character at the file's end. Please remove the trailing spaces and add a newline.

Proposed diff:

-          is_submodule: true 
+          is_submodule: true

(Also ensure that the file ends with a newline character.)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Run Vulnerability Scanner
	uses: fylein/vulnerability-scan-action@master
	with:
	github_token: ${{ secrets.GITHUB_TOKEN }}
	is_submodule: true
	- name: Run Vulnerability Scanner
	uses: fylein/vulnerability-scan-action@master
	with:
	github_token: ${{ secrets.GITHUB_TOKEN }}
	is_submodule: true

🧰 Tools

🪛 YAMLlint (1.35.1)

[error] 20-20: no new line character at the end of file

(new-line-at-end-of-file)

---

[error] 20-20: trailing spaces

(trailing-spaces)

[github-actions]

Tests	Skipped	Failures	Errors	Time
272	0 💤	0 ❌	0 🔥	1m 3s ⏱️

[github-actions]

🔍 Security Scan Results

⛔️ Action Required: 13 Critical/High severity vulnerabilities found

Found 17 total vulnerabilities

Path	VulnerabilityID	PackageName	Severity	InstalledVersion	FixedVersion
requirements.txt	CVE-2022-28346	Django	🔴 CRITICAL	3.2.11	2.2.28, 3.2.13, 4.0.4
requirements.txt	CVE-2022-28347	Django	🔴 CRITICAL	3.2.11	2.2.28, 3.2.13, 4.0.4
requirements.txt	CVE-2022-34265	Django	🔴 CRITICAL	3.2.11	3.2.14, 4.0.6
requirements.txt	CVE-2023-31047	Django	🔴 CRITICAL	3.2.11	3.2.19, 4.1.9, 4.2.1
requirements.txt	CVE-2022-23833	Django	🟠 HIGH	3.2.11	2.2.27, 3.2.12, 4.0.2
requirements.txt	CVE-2022-36359	Django	🟠 HIGH	3.2.11	3.2.15, 4.0.7
requirements.txt	CVE-2022-41323	Django	🟠 HIGH	3.2.11	3.2.16, 4.0.8, 4.1.2
requirements.txt	CVE-2023-23969	Django	🟠 HIGH	3.2.11	3.2.17, 4.0.9, 4.1.6
requirements.txt	CVE-2023-24580	Django	🟠 HIGH	3.2.11	3.2.18, 4.1.7, 4.0.10
requirements.txt	CVE-2023-36053	Django	🟠 HIGH	3.2.11	3.2.20, 4.1.10, 4.2.3
requirements.txt	CVE-2023-43665	Django	🟠 HIGH	3.2.11	3.2.22, 4.1.12, 4.2.6
requirements.txt	CVE-2023-46695	Django	🟠 HIGH	3.2.11	3.2.23, 4.1.13, 4.2.7
requirements.txt	CVE-2024-24680	Django	🟠 HIGH	3.2.11	3.2.24, 4.2.10, 5.0.2
requirements.txt	CVE-2022-22818	Django	🟡 MEDIUM	3.2.11	2.2.27, 3.2.12, 4.0.2
requirements.txt	CVE-2023-41164	Django	🟡 MEDIUM	3.2.11	3.2.21, 4.1.11, 4.2.5
requirements.txt	CVE-2024-27351	Django	🟡 MEDIUM	3.2.11	3.2.25, 4.2.11, 5.0.3
requirements.txt	CVE-2024-45231	Django	🟡 MEDIUM	3.2.11	5.1.1, 5.0.9, 4.2.16

Remediation

⚠️ Action Required: Critical/High severity vulnerabilities must be fixed before merging

• Update vulnerable packages to their fixed versions where available
• Run trivy fs --scanners vuln . locally to see more details

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

requirements.txt (1)

5-5: Django Version Downgrade and Compatibility Check

The Django version has been downgraded from 4.2.20 to 3.2.11. Please verify that this downgrade is intentional and that version 3.2.11 meets all current security and feature requirements for the project. Downgrading may affect compatibility with third-party packages and newer Django features. Ensure that proper regression tests and compatibility checks via your security scan workflow are in place.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro (Legacy)

📥 Commits

Reviewing files that changed from the base of the PR and between 3667425 and 3b8cea1.

📒 Files selected for processing (1)

• requirements.txt (1 hunks)

[github-actions]

🔍 Security Scan Results

⛔️ Action Required: 1 Critical/High severity vulnerabilities found

Found 1 total vulnerabilities

Path	VulnerabilityID	PackageName	Severity	InstalledVersion	FixedVersion
requirements.txt	CVE-2022-40899	future	🟠 HIGH	0.18.2	0.18.3

Remediation

⚠️ Action Required: Critical/High severity vulnerabilities must be fixed before merging

• Update vulnerable packages to their fixed versions where available
• Run trivy fs --scanners vuln . locally to see more details

[github-actions]

Tests	Skipped	Failures	Errors	Time
272	0 💤	0 ❌	0 🔥	1m 18s ⏱️

[github-actions]

Tests	Skipped	Failures	Errors	Time
272	0 💤	0 ❌	0 🔥	1m 8s ⏱️

[github-actions]

Tests	Skipped	Failures	Errors	Time
272	0 💤	0 ❌	0 🔥	1m 18s ⏱️

[github-actions]

🔍 Security Scan Results

⛔️ Action Required: 1 Critical/High severity vulnerabilities found

Found 1 total vulnerabilities

Path	VulnerabilityID	PackageName	Severity	InstalledVersion	FixedVersion
requirements.txt	CVE-2022-40899	future	🟠 HIGH	0.18.2	0.18.3

Remediation

⚠️ Action Required: Critical/High severity vulnerabilities must be fixed before merging

• Update vulnerable packages to their fixed versions where available
• Run trivy fs --scanners vuln . locally to see more details

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.github/workflows/security-scan.yml (2)

13-15: Update Checkout Action Version
The workflow uses actions/checkout@v3 (line 13), but static analysis (actionlint) indicates that this version may be outdated. Consider upgrading to a newer version (for example, actions/checkout@v4) to benefit from the latest improvements and bug fixes.

🧰 Tools

🪛 actionlint (1.7.4)

13-13: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

---

35-35: Ensure File Ends with a Newline
YAMLlint has flagged that the file does not end with a newline character. Please add a newline at the end of the file to comply with standard formatting guidelines.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro (Legacy)

📥 Commits

Reviewing files that changed from the base of the PR and between 886c6a1 and dadd552.

📒 Files selected for processing (1)

• .github/workflows/security-scan.yml (1 hunks)

🧰 Additional context used

🪛 actionlint (1.7.4)

.github/workflows/security-scan.yml

13-13: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🔇 Additional comments (1)

.github/workflows/security-scan.yml (1)

27-30: Pin Vulnerability Scan Action & Remove Trailing Whitespace
The vulnerability scan step (lines 27–30) currently uses fylein/vulnerability-scan-action@master. For stability and reproducibility, it is recommended to pin this action to a specific release tag (e.g., v1.0.0). Additionally, please remove any trailing whitespace from this block (notably at the end of line 30) to resolve YAMLlint warnings.

[github-actions]

Tests	Skipped	Failures	Errors	Time
272	0 💤	0 ❌	0 🔥	1m 17s ⏱️

[github-actions]

Tests	Skipped	Failures	Errors	Time
277	0 💤	0 ❌	0 🔥	1m 20s ⏱️

[github-actions]

Tests	Skipped	Failures	Errors	Time
277	0 💤	0 ❌	0 🔥	1m 4s ⏱️

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 93.63%. Comparing base (9c06d6c) to head (19e1f6a).
Report is 19 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #762      +/-   ##
==========================================
- Coverage   94.15%   93.63%   -0.52%     
==========================================
  Files          64       67       +3     
  Lines        5095     5266     +171     
==========================================
+ Hits         4797     4931     +134     
- Misses        298      335      +37     

see 15 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.