# Security Notice: Dependency Vulnerability Scanning is Currently Non-Blocking in CI
Control: SEC-25
Severity: High
Status: Known gap — unresolved
Affected file: .github/workflows/ci.yml
## Overview
The CI pipeline for this project includes a dependency-audit job that scans npm dependencies for known vulnerabilities. However, as of v0.1.140, this job is configured to never fail the build, regardless of what vulnerabilities are found.
This page documents the behaviour, the associated risk, and the steps required to remediate it.
## Current Behaviour

The relevant step in `.github/workflows/ci.yml` is:

```yaml
- run: npm audit --audit-level=high || true
```

The `|| true` shell operator ensures the step always exits with code 0 (success), even when `npm audit` detects vulnerabilities at high or critical severity.
Effect:
- Vulnerability findings are printed to the CI log.
- The build job does not fail.
- Pull requests and deployments are not blocked.
- A code comment in the workflow file acknowledges this is intentional but unresolved.
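As an added illustration of the masking described above (this is not code from the project or its CI), the following check scans a GitHub Actions workflow for audit steps whose failure is hidden, either by a shell idiom such as `|| true` or by `continue-on-error: true` on the step. The sample workflow embedded in it is constructed. The check treats each `- name:` / `- run:` / `- uses:` item as one step, which covers the usual workflow layout but is not a full YAML parser.

```javascript
// Added example, not part of the project's CI configuration: a review-time check
// that finds dependency-audit steps whose exit status is masked. Anything that
// runs `npm audit` or `audit-ci` and then forces success is reported, as is a
// step that sets `continue-on-error: true` around such a command.

const AUDIT_COMMAND = /\bnpm\s+audit\b|\baudit-ci\b/;
const SHELL_MASKS = [
  { pattern: /\|\|\s*true\b/, why: "'|| true' forces exit status 0" },
  { pattern: /\|\|\s*exit\s+0\b/, why: "'|| exit 0' forces exit status 0" },
  { pattern: /;\s*true\s*$/, why: "trailing '; true' forces exit status 0" },
];
const STEP_MASK = /^\s*continue-on-error:\s*true\b/;
const STEP_START = /^\s*-\s+(name|run|uses):/;

// Constructed workflow exercising the check: one step masked with `|| true`,
// one masked with `continue-on-error`, and one that correctly fails on findings.
const SAMPLE_WORKFLOW = `jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - name: Dependency audit
        run: npm audit --audit-level=high || true
      - name: Secondary audit
        continue-on-error: true
        run: npx audit-ci --high
      - name: Proper audit
        run: npm audit --audit-level=high`;

// Group workflow lines into steps; each step records the 1-based line it starts on.
function splitSteps(workflowText) {
  const steps = [];
  workflowText.split("\n").forEach((text, i) => {
    if (STEP_START.test(text)) steps.push({ line: i + 1, lines: [] });
    if (steps.length) steps[steps.length - 1].lines.push(text);
  });
  return steps;
}

// Return one finding per masking construct found in a step that runs an audit tool.
function findMaskedAuditSteps(workflowText) {
  const findings = [];
  for (const step of splitSteps(workflowText)) {
    if (!step.lines.some((l) => AUDIT_COMMAND.test(l))) continue;
    const nameMatch = step.lines[0].match(/-\s+name:\s*(.*)$/);
    const name = nameMatch ? nameMatch[1].trim() : "(unnamed step)";
    for (const l of step.lines) {
      if (AUDIT_COMMAND.test(l)) {
        for (const m of SHELL_MASKS) {
          if (m.pattern.test(l)) findings.push({ line: step.line, name, why: m.why });
        }
      }
      if (STEP_MASK.test(l)) {
        findings.push({ line: step.line, name, why: "continue-on-error: true hides a failing audit" });
      }
    }
  }
  return findings;
}

// Report the constructed sample; on a real repository pass the text of
// .github/workflows/ci.yml (read with fs.readFileSync) instead.
for (const f of findMaskedAuditSteps(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: step "${f.name}": ${f.why}`);
}
```

Running this on the constructed sample reports the "Dependency audit" step (line 7) and the "Secondary audit" step (line 9) and stays silent on "Proper audit", which is the shape the remediated workflow should have.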
## Risk
| Severity | Build behaviour | Deployment blocked? |
|---|---|---|
| Critical | ⚠️ Logged only | No |
| High | ⚠️ Logged only | No |
| Moderate | ⚠️ Logged only | No |
| Low | ⚠️ Logged only | No |
Because no severity level blocks CI, supply-chain vulnerabilities can be introduced and shipped without any explicit approval step. Teams relying on a green CI status as a security gate will not be alerted.
## Recommended Remediation

### Option 1 — Make high/critical findings block CI (recommended)

Remove `|| true` from the audit step:

```yaml
# .github/workflows/ci.yml
- name: Dependency audit
  run: npm audit --audit-level=high
```

This causes the job to fail — and blocks merges/deployments — whenever a high or critical vulnerability is present in the dependency tree.
### Option 2 — Exclude dev dependencies

If vulnerabilities in dev-only packages are considered acceptable (e.g. build tools not shipped to production), restrict the audit scope:

```yaml
- name: Dependency audit
  run: npm audit --audit-level=high --omit=dev
```

This still blocks on production dependency vulnerabilities while ignoring dev toolchain issues.
### Option 3 — Manage exceptions explicitly

For vulnerabilities that are genuinely acceptable (e.g. no exploitable code path exists), document suppressions explicitly rather than using `|| true`:

- Create an `.nsprc` or `audit-ci` configuration file listing approved exception IDs, each with a justification.
- Use a tool such as `audit-ci`, which supports allowlist management:

```yaml
- name: Dependency audit
  run: npx audit-ci --high
```

This ensures every suppression is reviewed, version-pinned, and visible in code review.
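The gate that Options 1 and 3 together describe, written out as an added example (this is not the project's CI code and not `audit-ci` itself): it reads the JSON that `npm audit --json` emits, skips advisories covered by an explicit, justified and time-limited allowlist, and returns a non-zero exit status for anything else at or above the chosen severity. The file name `audit-gate.js`, the allowlist entries, the sample report and the advisory IDs of the form `GHSA-EXAMPLE-000n` are all constructed placeholders.

```javascript
// Added example (not the project's CI code): an audit gate over `npm audit --json`
// output (npm 7+ report format). Allowlisted advisories are skipped only while
// their entry is unexpired; everything else at or above the threshold blocks.
// audit-gate.js, the allowlist and all advisory IDs below are constructed.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Every suppression names the advisory, why it is acceptable, and when it must be
// re-reviewed. Kept in the repository so that changes go through code review.
const ALLOWLIST = [
  { id: "GHSA-EXAMPLE-0001", // constructed placeholder, not a real advisory ID
    reason: "dev-only build tool; vulnerable code path is not reachable in the shipped app",
    expires: "2025-01-01" },
];

// Constructed report in the `npm audit --json` shape. `via` mixes advisory objects
// with plain strings naming the dependent through which a vulnerability is reached.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-build-tool": { name: "example-build-tool", severity: "high", isDirect: true,
      via: [{ source: 1001, name: "example-build-tool", title: "Prototype pollution (constructed)",
              url: "https://github.com/advisories/GHSA-EXAMPLE-0001", severity: "high", range: "<2.0.0" }],
      range: "<2.0.0", nodes: ["node_modules/example-build-tool"], fixAvailable: true },
    "example-http-lib": { name: "example-http-lib", severity: "critical", isDirect: false,
      via: [{ source: 1002, name: "example-http-lib", title: "Request smuggling (constructed)",
              url: "https://github.com/advisories/GHSA-EXAMPLE-0002", severity: "critical", range: "<1.5.0" }],
      range: "<1.5.0", nodes: ["node_modules/example-http-lib"], fixAvailable: true },
    "example-client": { name: "example-client", severity: "critical", isDirect: true,
      via: ["example-http-lib"], range: "*", nodes: ["node_modules/example-client"], fixAvailable: true },
    "example-logger": { name: "example-logger", severity: "low", isDirect: true,
      via: [{ source: 1003, name: "example-logger", title: "ReDoS (constructed)",
              url: "https://github.com/advisories/GHSA-EXAMPLE-0003", severity: "low", range: "<3.1.0" }],
      range: "<3.1.0", nodes: ["node_modules/example-logger"], fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 2, total: 4 } },
};

// Deduplicate advisories across packages; the advisory URL is the stable identifier.
function collectAdvisories(report) {
  const seen = new Map();
  for (const pkg of Object.values(report.vulnerabilities || {})) {
    for (const via of pkg.via || []) {
      if (typeof via !== "object" || via === null) continue; // string entries are just dependents
      const id = via.url || String(via.source);
      if (!seen.has(id)) seen.set(id, { id, name: via.name, title: via.title, severity: via.severity });
    }
  }
  return [...seen.values()];
}

// Decide pass/fail. An expired exception starts blocking again instead of living forever.
function evaluate(report, { threshold = "high", allowlist = ALLOWLIST, today = new Date() } = {}) {
  const minRank = SEVERITY_RANK[threshold];
  const blocking = [], suppressed = [], expired = [];
  for (const adv of collectAdvisories(report)) {
    if ((SEVERITY_RANK[adv.severity] ?? 0) < minRank) continue;
    const entry = allowlist.find((a) => adv.id.endsWith(a.id));
    if (entry && new Date(entry.expires) > today) { suppressed.push({ ...adv, reason: entry.reason }); continue; }
    if (entry) expired.push(adv);
    blocking.push(adv);
  }
  return { ok: blocking.length === 0, blocking, suppressed, expired };
}

function toExitCode(result) { return result.ok ? 0 : 1; }

function printSummary(result) {
  for (const a of result.suppressed) console.log(`suppressed ${a.severity} ${a.name}: ${a.reason}`);
  for (const a of result.expired) console.log(`EXPIRED exception for ${a.name}; now blocking`);
  for (const a of result.blocking) console.log(`BLOCKING ${a.severity} ${a.name}: ${a.title} (${a.id})`);
  console.log(result.ok ? "audit gate: pass" : `audit gate: FAIL (${result.blocking.length} blocking)`);
}

// CI entry point. `npm audit --json` itself exits non-zero whenever it finds anything, so
// only the capture is allowed to "fail"; the gate's exit status is what the step reports:
//   npm audit --json > audit.json || true
//   node audit-gate.js audit.json
if (process.argv[2] && process.argv[2].endsWith(".json")) {
  const report = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  const result = evaluate(report);
  printSummary(result);
  process.exit(toExitCode(result));
}
```

On the constructed report the gate suppresses the allowlisted high finding, ignores the low one, and blocks on the critical one, so the CI step fails exactly as Option 1 intends while the single exception stays visible and dated in the repository, as Option 3 requires. Note that the `|| true` on the capture line is confined to collecting the report; it is the gate, not `npm audit`, that sets the step's exit status.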
## How to Review Current Findings

Until this is remediated, you can manually review the current vulnerability state by running:

```shell
npm audit --audit-level=high
```

Or, for a full report:

```shell
npm audit
```

CI logs for the dependency-audit job also contain the full `npm audit` output for every build.
## Background

This gap was identified as part of a structured security control review (SEC-25) covering supply-chain dependency security. The `|| true` pattern is a common CI workaround used during initial setup to avoid build noise from transitive dependency issues, but it should be treated as temporary and removed once a proper exceptions process is in place.
## See Also
- npm audit documentation
- audit-ci — IBM
- NCSC Supply Chain Security Guidance
- Changelog entry: v0.1.140