ci(security): add pip-audit, trivy and ruff bandit security scans #588

Open
dembrane-sam-bot wants to merge 6 commits into main from sam/add-security-audits

@dembrane-sam-bot dembrane-sam-bot commented May 25, 2026

This PR introduces comprehensive security auditing workflows to the pull request validation pipeline, aligning dembrane/echo with the security practices used in dembrane/sam.

What this changes

  • Pull request checks will now run Ruff's security (Bandit) linter rules to catch common secure-coding issues in Python backend server code — .github/workflows/ci.yml
  • Python dependencies listed in the server lockfile are audited during PR builds for known CVEs — .github/workflows/ci.yml
  • Built Docker images (Directus and API server) are scanned locally on PR runs via Trivy before merging — .github/workflows/ci.yml
  • Template .pipauditignore and .trivyignore files are available at the repo root to deliberately ignore specific CVEs with documented rationales — .pipauditignore, .trivyignore

Confidence

Confidence: high. The security audit configurations are modeled directly after the stable, production-tested pipelines in dembrane/sam. The jobs run on PRs without making permanent changes to deployed images or environments.

Summary by CodeRabbit

  • Chores
    • Expanded automated security scanning in the continuous integration pipeline to comprehensively detect vulnerabilities in Python package dependencies and container images.
    • Introduced configuration management files to document accepted security exceptions with built-in guidance for periodic re-evaluation when underlying packages and images are updated.
    • Configured security checks to automatically flag and fail builds when critical vulnerabilities are detected.

coderabbitai Bot commented May 25, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e86e7868-cee0-42b5-aa36-86a602200033

📥 Commits

Reviewing files that changed from the base of the PR and between a34ffe2 and c18b735.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • .pipauditignore
  • .trivyignore
  • contributors.yml

Walkthrough

PR extends the CI pipeline with two security scanning tiers: dependency vulnerability checks (Bandit rules + pip-audit CVE scanning of requirements.lock) and container image scanning (Trivy on built image). Both integrate ignore configuration files for deliberate CVE acceptance with periodic re-evaluation guidance.

Changes

CI Security Scanning Enhancement

| Layer / File(s) | Summary |
| --- | --- |
| Dependency vulnerability scanning (.github/workflows/ci.yml, .pipauditignore) | ci-check-server job adds ruff Bandit rules (select S, skip S101), pip-audit CVE scan of echo/server/requirements.lock, and dynamic --ignore-vuln argument construction from an optional .pipauditignore file (skipping comments/blanks). |
| Container image vulnerability scanning (.github/workflows/ci.yml, .trivyignore) | Docker build-push job loads images on non-push events, adds conditional trivy scan step for pull requests and merge groups on the built image SHA tag, fails on HIGH,CRITICAL severity with ignore-unfixed: true, and applies .trivyignore overrides. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • Dembrane/echo#73: Introduced the CI workflow structure; this PR extends existing server build and linting steps with additional vulnerability scanning (Bandit, pip-audit, Trivy) and ignore configuration.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely summarizes the main changes: adding three security scanning tools (pip-audit, trivy, ruff bandit) to the CI workflow, which directly corresponds to the primary modifications across all files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@dembrane-sam-bot dembrane-sam-bot marked this pull request as ready for review May 25, 2026 19:40
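
The walkthrough above describes building --ignore-vuln arguments from an optional .pipauditignore file while skipping comments and blanks. One way to do that, as an added example that is not the workflow code from this PR: the function name build_ignore_args and the sample advisory IDs are constructed, and the ID-format check goes beyond what the PR describes.

```shell
#!/bin/sh
# Added example, not the PR's workflow code.
# Turn an ignore file into pip-audit "--ignore-vuln ID" arguments, one token
# per line. Returns 1 if an entry does not look like an advisory ID, so a
# typo cannot silently widen or narrow the set of accepted findings.
build_ignore_args() {
  file="$1"
  [ -f "$file" ] || return 0            # the ignore file is optional
  status=0
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                  # drop full-line and trailing comments
    line="$(printf '%s' "$line" | tr -d '[:space:]')"   # trim, incl. CR
    [ -n "$line" ] || continue          # skip blanks
    case "$line" in
      CVE-[0-9]*|GHSA-*|PYSEC-[0-9]*)
        printf '%s\n%s\n' '--ignore-vuln' "$line" ;;
      *)
        echo "malformed ignore entry: $line" >&2
        status=1 ;;
    esac
  done < "$file"
  return "$status"
}

# Constructed sample ignore file; the IDs are placeholders, not real advisories.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# Accepted risk, re-evaluate when the package is bumped
GHSA-xxxx-xxxx-xxxx   # placeholder ID

CVE-0000-00000
EOF
build_ignore_args "$sample"
rm -f "$sample"

# Assumed CI usage (lockfile path as named in the walkthrough):
#   args="$(build_ignore_args .pipauditignore)" || exit 1
#   pip-audit -r echo/server/requirements.lock $args
```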

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 184: The workflow uses a mutable tag for the Trivy action; replace uses:
aquasecurity/trivy-action@v0.36.0 with the action pinned to an immutable commit
SHA (e.g. uses: aquasecurity/trivy-action@<commit-sha>) to prevent supply-chain
tampering—locate the canonical commit SHA for the v0.36.0 release in the
aquasecurity/trivy-action repository and update the uses reference accordingly
in the CI workflow.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6dc0000d-f4b4-41c2-9ddf-fb0b724cda75

📥 Commits

Reviewing files that changed from the base of the PR and between a288780 and a34ffe2.

📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • .pipauditignore
  • .trivyignore

Comment thread .github/workflows/ci.yml
- name: Container vulnerability scan (trivy)
# Scan built image locally on PR / merge group validation before deploy/merge
if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
uses: aquasecurity/trivy-action@v0.36.0
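
Review bot: The if: condition on this step restricts the Trivy scan to pull_request and merge_group events, so the step is skipped on every other event, including pushes, and a CVE published after merge goes unnoticed until the next PR rebuilds the image. Consider adding a scheduled or push-triggered scan of the same image alongside the PR gate, and reference aquasecurity/trivy-action by commit SHA instead of the v0.36.0 tag.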

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify non-SHA-pinned actions in this workflow.
rg -nP '^\s*uses:\s*[^@]+@([0-9a-fA-F]{40})\s*$|^\s*uses:\s*' .github/workflows/ci.yml | sed -n 'p'

Repository: Dembrane/echo

Length of output: 634


Pin aquasecurity/trivy-action to an immutable commit SHA.
Line 184 uses the mutable tag aquasecurity/trivy-action@v0.36.0, which is a supply-chain hardening gap (the workflow also has other tag-pinned uses: entries). LGTM.

Proposed fix
-        uses: aquasecurity/trivy-action@v0.36.0
+        uses: aquasecurity/trivy-action@<FULL_40_CHAR_COMMIT_SHA> # v0.36.0
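
Review bot: The + line still carries the placeholder <FULL_40_CHAR_COMMIT_SHA>, so this suggestion cannot be applied as written. Resolve it to the commit that the v0.36.0 tag points to in aquasecurity/trivy-action, confirm that commit belongs to that repository rather than a fork, and keep the trailing # v0.36.0 comment so the pinned version stays readable in review.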
🧰 Tools
🪛 zizmor (1.25.2)

[error] 184-184: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 184, The workflow uses a mutable tag for
the Trivy action; replace uses: aquasecurity/trivy-action@v0.36.0 with the
action pinned to an immutable commit SHA (e.g. uses:
aquasecurity/trivy-action@<commit-sha>) to prevent supply-chain tampering—locate
the canonical commit SHA for the v0.36.0 release in the
aquasecurity/trivy-action repository and update the uses reference accordingly
in the CI workflow.
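
The review finding above comes down to checking every uses: reference for a full commit SHA. An added example of that check (not CodeRabbit's script and not code from this PR): the function names, the sample workflow and the placeholder SHA are constructed.

```shell
#!/bin/sh
# Added example, not code from the PR or from CodeRabbit.
# Print "LINE:REFERENCE" for every remote action or reusable workflow that
# is referenced by tag or branch instead of an immutable 40-hex commit SHA.
# Local actions (./path) and digest-pinned docker:// images are accepted.
unpinned_actions() {
  grep -nE '^[[:space:]]*(-[[:space:]]*)?uses:' "$1" |
    tr -d "\"'" |
    sed -E -e 's/^([0-9]+):[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*/\1:/' \
           -e 's/[[:space:]]+#.*$//' -e 's/[[:space:]]+$//' |
    grep -vE '^[0-9]+:\./' |
    grep -vE '^[0-9]+:docker://.+@sha256:[0-9a-f]{64}$' |
    grep -vE '^[0-9]+:[^@]+@[0-9a-fA-F]{40}$'
}

# Returns 1 (and lists the findings) when anything is unpinned, so a CI
# step can fail on it.
check_pinned() {
  findings="$(unpinned_actions "$1" || true)"
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
}

# Constructed sample workflow; the SHA is a made-up placeholder and
# example-org/example-action is a hypothetical action.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
jobs:
  build:
    steps:
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.0.0
      - uses: ./.github/actions/setup
      - name: Container vulnerability scan (trivy)
        uses: aquasecurity/trivy-action@v0.36.0
EOF
check_pinned "$sample" || echo "workflow has unpinned actions"
rm -f "$sample"
```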
