Skip to content

Critical: pyproject.toml missing runtime dependencies causing silent failures (cryptography, httpx, openai) #1702

Description

@namann5

Summary

The pyproject.toml declares runtime dependencies that are inconsistent with backend/requirements.txt. Three critical packages — cryptography, httpx, and openai — are present in requirements.txt but missing from pyproject.toml.

This means any installation via pip install . or future PyPI publication silently omits these packages, causing runtime failures in core features:

Missing Package Broken Feature Impact
cryptography>=42.0.0 VaultCrypto AES-256-GCM encryption (backend/secuscan/vault.py) Credential vault raises ImportError; all stored secrets become inaccessible
httpx>=0.28.1 Webhook notification delivery (backend/secuscan/notification_service.py) All webhook/Slack notifications silently fail
openai>=1.0.0 AI Executive Summary (backend/secuscan/ai_summary.py) AI summary feature raises ImportError at call time

Steps to Reproduce

  1. pip install . (or create a fresh venv and install from pyproject.toml)
  2. Start SecuScan
  3. Attempt to use the credential vault, webhook notifications, or AI summary
  4. Observe ModuleNotFoundError / ImportError at runtime

Root Cause

pyproject.toml at line 11-22 lists 11 dependencies. backend/requirements.txt at line 2, 13-14 lists 3 additional packages (cryptography, httpx, openai) that are imported and used at runtime but never declared in the project metadata.

Proposed Fix

PR adds the missing dependencies to pyproject.toml:

dependencies = [
    ...
    "cryptography>=42.0.0",
    "httpx>=0.28.1",
    "openai>=1.0.0",
]

Additionally adds a CodeQL security analysis workflow for CI SAST scanning and a .python-version file for consistent local development.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions