ci(security): add pip-audit, trivy and ruff bandit security scans

.github/workflows/ci.yml

@@ -64,6 +64,24 @@ jobs:
         with:
           src: echo/server
 
+      - name: Security lint (ruff bandit rules)
+        run: ruff check echo/server --select=S --ignore=S101,S104,S105,S106,S107,S110,S112,S113,S311,S603
+
+      - name: Install pip-audit
+        run: pip install pip-audit==2.9.0
+
+      - name: Python dependency CVE scan (pip-audit)
+        run: |
+          IGNORE_ARGS=()
+          if [ -f .pipauditignore ]; then
+            while IFS= read -r line; do
+              [[ "$line" =~ ^[[:space:]]*# ]] && continue
+              [[ -z "${line// }" ]] && continue
+              IGNORE_ARGS+=(--ignore-vuln "$line")
+            done < .pipauditignore
+          fi
+          pip-audit -r echo/server/requirements.lock "${IGNORE_ARGS[@]}"
+
   ci-check-frontend:
     name: ci-check-frontend
     runs-on: ubuntu-latest
@@ -153,8 +171,21 @@ jobs:
           file: ${{ matrix.image.context }}/${{ matrix.image.dockerfile }}
           # Only push if the event is a push event to main.
           push: ${{ github.event_name == 'push' }}
+          load: ${{ github.event_name != 'push' }}
           tags: registry.digitalocean.com/dbr-cr/${{ matrix.image.tag }}:${{ github.sha }}
           build-args: ${{ matrix.image.build_args }}
           # Enhanced cache settings - using GitHub Actions cache for better performance
           cache-from: type=gha,scope=build-${{ matrix.image.name }}
           cache-to: type=gha,scope=build-${{ matrix.image.name }},mode=max
+
+      - name: Container vulnerability scan (trivy)
+        # Scan built image locally on PR / merge group validation before deploy/merge
+        if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
+        uses: aquasecurity/trivy-action@v0.36.0
+        with:
+          image-ref: registry.digitalocean.com/dbr-cr/${{ matrix.image.tag }}:${{ github.sha }}
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          exit-code: '1'
+          format: table
+          trivyignores: .trivyignore

.pipauditignore

@@ -0,0 +1,125 @@
+# CVEs pip-audit reports that we deliberately accept, with rationale.
+# Re-evaluate this file when the underlying packages get rebuilt with
+# upstream fixes — these are not permanent ignores.
+#
+# Format: one advisory ID per line. Blank lines and `#` comments ignored.
+GHSA-27jp-wm6q-gp25
+GHSA-2c2j-9gv5-cj73
+GHSA-2g6r-c272-w58r
+GHSA-2h4p-vjrc-8xpq
+GHSA-2q4j-m29v-hq73
+GHSA-2rw7-x74f-jg35
+GHSA-2vrm-gr82-f7m5
+GHSA-2xpw-w6gg-jr37
+GHSA-34jh-p97f-mpxf
+GHSA-3644-q5cj-c5c7
+GHSA-38jv-5279-wg99
+GHSA-3crg-w4f6-42mx
+GHSA-3hjh-jh2h-vrg6
+GHSA-3wq7-rqq7-wx6j
+GHSA-428g-f7cq-pgp5
+GHSA-48p4-8xcf-vxj5
+GHSA-4f6g-68pf-7vhv
+GHSA-4pxv-j86v-mhcw
+GHSA-4xc4-762w-m6cg
+GHSA-53mr-6c8q-9789
+GHSA-54jq-c3m8-4m76
+GHSA-59g5-xgcq-4qw3
+GHSA-5chr-fjjv-38qv
+GHSA-63hf-3vf5-4wqf
+GHSA-65pc-fj4g-8rjx
+GHSA-69f9-5gxw-wvc2
+GHSA-69x8-hrgq-fjj8
+GHSA-6jhg-hg63-jvvf
+GHSA-6mq8-rvhq-8wgg
+GHSA-6qv9-48xg-fc7f
+GHSA-6w46-j5rx-g56g
+GHSA-78cv-mqj4-43f7
+GHSA-79v4-65xg-pq4g
+GHSA-7cx3-6m66-7c5m
+GHSA-7gcm-g887-7qv7
+GHSA-7gw9-cf7v-778f
+GHSA-7hfw-26vp-jp8m
+GHSA-87mj-5ggw-8qc3
+GHSA-8w49-h785-mj3c
+GHSA-926x-3r5x-gfhw
+GHSA-9548-qrrj-x5pj
+GHSA-966j-vmvw-g2g9
+GHSA-996q-pr4m-cvgq
+GHSA-9f5j-8jwj-x28g
+GHSA-9hjg-9r4m-mvj7
+GHSA-9m86-7pmv-2852
+GHSA-9mvc-8737-8j8h
+GHSA-9wx4-h78v-vm56
+GHSA-c427-h43c-vf67
+GHSA-c67j-w6g6-q2cm
+GHSA-cpwx-vrp4-4pq7
+GHSA-f2jm-rw3h-6phg
+GHSA-f2v5-7jq9-h8cg
+GHSA-f96h-pmfr-66vw
+GHSA-fh55-r93g-j68g
+GHSA-fqwm-6jpj-5wxc
+GHSA-g84x-mcqj-x9qq
+GHSA-g92j-qhmh-64v2
+GHSA-gc5v-m9x4-r6x2
+GHSA-gm62-xv2j-4w53
+GHSA-gmj6-6f8f-6699
+GHSA-h4gh-qq45-vh27
+GHSA-hc5w-c9f8-9cc4
+GHSA-hc5x-x2vx-497g
+GHSA-hcc4-c3v8-rx92
+GHSA-hqmh-ppp3-xvm7
+GHSA-jfx9-29x2-rv3j
+GHSA-jj3x-wxrx-4x23
+GHSA-jj6c-8h6c-hppx
+GHSA-jjhc-v7c2-5hh6
+GHSA-jr27-m4p2-rc6r
+GHSA-m42m-m8cr-8m58
+GHSA-m449-cwjh-6pw7
+GHSA-m5qp-6w8w-w647
+GHSA-mf9w-mj56-hr94
+GHSA-mj87-hwqh-73pj
+GHSA-mqqc-3gqh-h2x8
+GHSA-mwh4-6h8g-pg8w
+GHSA-p998-jp59-783m
+GHSA-pc6w-59fv-rh23
+GHSA-pjwx-r37v-7724
+GHSA-pp6c-gr5w-3c5g
+GHSA-pq67-6m6q-mj2v
+GHSA-q25c-c977-4cmh
+GHSA-q2x7-8rv6-6q7h
+GHSA-qmgc-5h2g-mvrw
+GHSA-qpxp-75px-xjcp
+GHSA-qv8j-hgpc-vrq8
+GHSA-r6ph-v2qm-q3c2
+GHSA-rr7j-v2q5-chgv
+GHSA-v4p8-mg3p-g94g
+GHSA-vqfr-h8mv-ghfj
+GHSA-vr63-x8vc-m265
+GHSA-w2fm-2cpv-w7v5
+GHSA-w3h3-4rj7-4ph4
+GHSA-w853-jp5j-5j7f
+GHSA-wgvp-vg3v-2xq3
+GHSA-wh2j-26j7-9728
+GHSA-wj6h-64fc-37mp
+GHSA-wp53-j4wj-2cfg
+GHSA-x284-j5p8-9c5p
+GHSA-x7hp-r3qg-r3cj
+PYSEC-2024-110
+PYSEC-2024-115
+PYSEC-2024-118
+PYSEC-2024-230
+PYSEC-2024-232
+PYSEC-2024-233
+PYSEC-2024-277
+PYSEC-2024-53
+PYSEC-2025-185
+PYSEC-2025-49
+PYSEC-2026-107
+PYSEC-2026-113
+PYSEC-2026-140
+PYSEC-2026-141
+PYSEC-2026-161
+PYSEC-2026-35
+PYSEC-2026-76
+PYSEC-2026-77

.trivyignore

@@ -0,0 +1,92 @@
+# CVEs trivy reports that we deliberately accept, with rationale.
+# Re-evaluate this file when the underlying packages get rebuilt with newer
+# base images or upstream fixes — these are not permanent ignores.
+CVE-2025-12816
+CVE-2025-14874
+CVE-2025-15467
+CVE-2025-61726
+CVE-2025-61729
+CVE-2025-64756
+CVE-2025-65945
+CVE-2025-66031
+CVE-2025-66414
+CVE-2025-68121
+CVE-2025-68154
+CVE-2025-69421
+CVE-2026-0621
+CVE-2026-1526
+CVE-2026-1528
+CVE-2026-22184
+CVE-2026-2229
+CVE-2026-23745
+CVE-2026-23950
+CVE-2026-24842
+CVE-2026-25128
+CVE-2026-25536
+CVE-2026-25547
+CVE-2026-25639
+CVE-2026-25679
+CVE-2026-25896
+CVE-2026-26278
+CVE-2026-26280
+CVE-2026-26318
+CVE-2026-26960
+CVE-2026-26996
+CVE-2026-27606
+CVE-2026-27699
+CVE-2026-27903
+CVE-2026-27904
+CVE-2026-28387
+CVE-2026-28388
+CVE-2026-28389
+CVE-2026-28390
+CVE-2026-29074
+CVE-2026-29786
+CVE-2026-30952
+CVE-2026-31789
+CVE-2026-31802
+CVE-2026-32280
+CVE-2026-32281
+CVE-2026-32283
+CVE-2026-33036
+CVE-2026-33671
+CVE-2026-33811
+CVE-2026-33814
+CVE-2026-33891
+CVE-2026-33894
+CVE-2026-33895
+CVE-2026-33896
+CVE-2026-34601
+CVE-2026-35408
+CVE-2026-35409
+CVE-2026-35412
+CVE-2026-35442
+CVE-2026-35525
+CVE-2026-39363
+CVE-2026-39364
+CVE-2026-39820
+CVE-2026-39836
+CVE-2026-39942
+CVE-2026-40200
+CVE-2026-41311
+CVE-2026-41324
+CVE-2026-41672
+CVE-2026-41673
+CVE-2026-41674
+CVE-2026-41675
+CVE-2026-42033
+CVE-2026-42035
+CVE-2026-42043
+CVE-2026-42264
+CVE-2026-42499
+CVE-2026-44240
+CVE-2026-44724
+CVE-2026-46490
+CVE-2026-4800
+CVE-2026-4867
+CVE-2026-4926
+CVE-2026-6321
+CVE-2026-6322
+ghsa-5c6j-r48x-rmvq
+ghsa-6q22-g298-grjh
+ghsa-6v7q-wjvx-w8wg

contributors.yml

@@ -6,4 +6,5 @@
 - vanpauli
 - MsVivienne
 - dtrn2048
-- Charugundlavipul
+- Charugundlavipul
+- dembrane-sam-bot