diff --git a/docs/developer-guide/introduction.mdx b/docs/developer-guide/introduction.mdx index 73e73bfbe2..117640c669 100644 --- a/docs/developer-guide/introduction.mdx +++ b/docs/developer-guide/introduction.mdx @@ -152,7 +152,7 @@ These should have been already installed if `uv sync` was already run. - [`bandit`](https://pypi.org/project/bandit/) for code security review. -- [`safety`](https://pypi.org/project/safety/) and [`dependabot`](https://github.com/features/security) for dependencies. +- [`osv-scanner`](https://github.com/google/osv-scanner) and [`dependabot`](https://github.com/features/security) for dependencies. - [`hadolint`](https://github.com/hadolint/hadolint) and [`dockle`](https://github.com/goodwithtech/dockle) for container security. - [`Snyk`](https://docs.snyk.io/integrations/snyk-container-integrations/container-security-with-docker-hub-integration) for container security in Docker Hub. - [`clair`](https://github.com/quay/clair) for container security in Amazon ECR. diff --git a/docs/security/software-security.mdx b/docs/security/software-security.mdx index 4c690e988b..0f9ba94fd2 100644 --- a/docs/security/software-security.mdx +++ b/docs/security/software-security.mdx 
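Review bot: the unchanged context line above this list ("These should have been already installed if `uv sync` was already run.") no longer holds for the new entry: `safety` was a PyPI package that `uv sync` could install, whereas `osv-scanner` (https://github.com/google/osv-scanner) is a standalone binary distributed outside PyPI, so the list now mixes Python-managed and externally installed tools without saying so. Suggest either adding the install path for `osv-scanner` next to the link, or adjusting the lead-in sentence so readers do not assume `uv sync` provisions it.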
@@ -39,10 +39,11 @@ Dependencies are continuously monitored for known vulnerabilities with timely up ### Dependency Vulnerability Scanning -- **Safety:** Scans Python dependencies against known vulnerability databases - - Runs on every commit via pre-commit hooks - - Integrated into CI/CD for SDK and API - - Configured with selective ignores for tracked exceptions +- **osv-scanner:** Scans lockfiles against the [OSV.dev](https://osv.dev) vulnerability database + - Runs in CI on every pull request and push for SDK, API, and UI + - Fails the build on `HIGH`, `CRITICAL`, and `UNKNOWN` severity findings + - Posts a per-lockfile report as a PR comment + - Per-vulnerability ignores (with reason and expiry) live in `osv-scanner.toml` at the repo root - **Trivy:** Multi-purpose scanner for containers and dependencies - Scans all container images (UI, API, SDK, MCP Server) - Checks for vulnerabilities in OS packages and application dependencies
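Review bot: the removed `safety` bullets promised a scan "on every commit via pre-commit hooks", and the replacement lists CI-only runs ("Runs in CI on every pull request and push"), so the documented local, pre-push check silently disappears from the security page; if dropping the pre-commit stage is intentional, say so, otherwise add a bullet describing how to run `osv-scanner` locally before pushing. Two smaller points on the same hunk: the bullet "Fails the build on `HIGH`, `CRITICAL`, and `UNKNOWN` severity findings" would benefit from one clause explaining that `UNKNOWN` is treated as blocking (a finding with no severity score is not assumed benign), since readers will otherwise file it as a misconfiguration; and the `osv-scanner.toml` bullet states that ignores carry a reason and expiry but not who removes or renews an expired entry, which is the part reviewers of future ignore additions need.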