Summary
The pyproject.toml declares runtime dependencies that are inconsistent with backend/requirements.txt. Three critical packages — cryptography, httpx, and openai — are present in requirements.txt but missing from pyproject.toml.
This means any installation via pip install . or future PyPI publication silently omits these packages, causing runtime failures in core features:
| Missing Package |
Broken Feature |
Impact |
cryptography>=42.0.0 |
VaultCrypto AES-256-GCM encryption (backend/secuscan/vault.py) |
Credential vault raises ImportError; all stored secrets become inaccessible |
httpx>=0.28.1 |
Webhook notification delivery (backend/secuscan/notification_service.py) |
All webhook/Slack notifications silently fail |
openai>=1.0.0 |
AI Executive Summary (backend/secuscan/ai_summary.py) |
AI summary feature raises ImportError at call time |
Steps to Reproduce
pip install . (or create a fresh venv and install from pyproject.toml)
- Start SecuScan
- Attempt to use the credential vault, webhook notifications, or AI summary
- Observe
ModuleNotFoundError / ImportError at runtime
Root Cause
pyproject.toml at line 11-22 lists 11 dependencies. backend/requirements.txt at line 2, 13-14 lists 3 additional packages (cryptography, httpx, openai) that are imported and used at runtime but never declared in the project metadata.
Proposed Fix
PR adds the missing dependencies to pyproject.toml:
dependencies = [
...
"cryptography>=42.0.0",
"httpx>=0.28.1",
"openai>=1.0.0",
]
Additionally adds a CodeQL security analysis workflow for CI SAST scanning and a .python-version file for consistent local development.
Summary
The
pyproject.tomldeclares runtime dependencies that are inconsistent withbackend/requirements.txt. Three critical packages —cryptography,httpx, andopenai— are present inrequirements.txtbut missing frompyproject.toml.This means any installation via
pip install .or future PyPI publication silently omits these packages, causing runtime failures in core features:cryptography>=42.0.0VaultCryptoAES-256-GCM encryption (backend/secuscan/vault.py)ImportError; all stored secrets become inaccessiblehttpx>=0.28.1backend/secuscan/notification_service.py)openai>=1.0.0backend/secuscan/ai_summary.py)ImportErrorat call timeSteps to Reproduce
pip install .(or create a fresh venv and install from pyproject.toml)ModuleNotFoundError/ImportErrorat runtimeRoot Cause
pyproject.tomlat line 11-22 lists 11 dependencies.backend/requirements.txtat line 2, 13-14 lists 3 additional packages (cryptography,httpx,openai) that are imported and used at runtime but never declared in the project metadata.Proposed Fix
PR adds the missing dependencies to
pyproject.toml:Additionally adds a CodeQL security analysis workflow for CI SAST scanning and a
.python-versionfile for consistent local development.