Skip to content

fix: sync pyproject.toml dependencies with requirements.txt and add CodeQL SAST workflow#1703

Open
namann5 wants to merge 1 commit into
utksh1:mainfrom
namann5:fix/missing-dependencies-and-codeql
Open

fix: sync pyproject.toml dependencies with requirements.txt and add CodeQL SAST workflow#1703
namann5 wants to merge 1 commit into
utksh1:mainfrom
namann5:fix/missing-dependencies-and-codeql

Conversation

@namann5

@namann5 namann5 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary

The pyproject.toml declares runtime dependencies that are inconsistent with backend/requirements.txt. Three critical packages — cryptography, httpx, and openai — are present in requirements.txt but missing from pyproject.toml.

This means any installation via pip install . or future PyPI publication silently omits these packages, causing runtime failures in core features:

Missing Package Broken Feature Impact
cryptography>=42.0.0 VaultCrypto AES-256-GCM encryption (backend/secuscan/vault.py) Credential vault raises ImportError; all stored secrets become inaccessible
httpx>=0.28.1 Webhook notification delivery (backend/secuscan/notification_service.py) All webhook/Slack notifications silently fail
openai>=1.0.0 AI Executive Summary (backend/secuscan/ai_summary.py) AI summary feature raises ImportError at call time

Steps to Reproduce

  1. pip install . (or create a fresh venv and install from pyproject.toml)
  2. Start SecuScan
  3. Attempt to use the credential vault, webhook notifications, or AI summary
  4. Observe ModuleNotFoundError / ImportError at runtime

Root Cause

pyproject.toml at line 11-22 lists 11 dependencies. backend/requirements.txt at line 2, 13-14 lists 3 additional packages (cryptography, httpx, openai) that are imported and used at runtime but never declared in the project metadata.

Proposed Fix

PR adds the missing dependencies to pyproject.toml:

dependencies = [
    ...
    "cryptography>=42.0.0",
    "httpx>=0.28.1",
    "openai>=1.0.0",
]

Additionally adds a CodeQL security analysis workflow for CI SAST scanning and a .python-version file for consistent local development.

…odeQL SAST workflow

- Add cryptography>=42.0.0, httpx>=0.28.1, openai>=1.0.0 to pyproject.toml
  to match backend/requirements.txt. Without these, pip install . silently
  omits vault encryption (cryptography), webhook delivery (httpx), and
  AI summary features (openai), causing runtime failures.
- Add CodeQL security analysis workflow to catch vulnerabilities during CI.
- Add .python-version for consistent local Python version management.
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants