Printed from CheckTick DSPT Compliance Documentation
Vulnerability & Patch Log (Evidence 8.2.1)
Monitoring Tools: pip-audit, ggshield (via pre-commit), GitHub Dependabot, CodeQL.
1. Active Vulnerability Exceptions (Open & Ignored)
Current Status: Zero active exceptions. All previously ignored vulnerabilities have been remediated.
Our security scanning pipeline now operates with zero vulnerability exceptions. All dependencies are monitored in real-time and any new vulnerabilities will cause immediate CI/CD pipeline failure.
Previously Active Exceptions (Now Resolved - January 2025)
The following vulnerabilities were previously silenced but have been fully remediated through dependency architecture improvements:
| Dependency | CVE / GHSA | Resolution Method | Date Resolved |
|---|---|---|---|
| Transitive (via ggshield) | GHSA-79v4-65xg-pq4g | Isolated ggshield to pre-commit environment | 18/01/2026 |
| Transitive (via ggshield) | GHSA-48p4-8xcf-vxj5 | Isolated ggshield to pre-commit environment | 18/01/2026 |
| Transitive (via ggshield) | GHSA-pq67-6m6q-mj2v | Isolated ggshield to pre-commit environment | 18/01/2026 |
| Transitive (via ggshield) | GHSA-gm62-xv2j-4w53 | Isolated ggshield to pre-commit environment | 18/01/2026 |
| Transitive (via ggshield) | GHSA-2xpw-w6gg-jr37 | Isolated ggshield to pre-commit environment | 18/01/2026 |
| Transitive (via ggshield) | GHSA-wj6h-64fc-37mp | Isolated ggshield to pre-commit environment | 18/01/2026 |
| Transitive (via ggshield) | PYSEC-2024-187 | Isolated ggshield to pre-commit environment | 18/01/2026 |
| Transitive (via ggshield) | GHSA-428g-f7cq-pgp5 | Isolated ggshield to pre-commit environment | 18/01/2026 |
| Transitive (via ggshield) | GHSA-38jv-5279-wg99 | Isolated ggshield to pre-commit environment | 18/01/2026 |
| cryptography | CVE-2024-12797 | Removed dependency pin, updated to latest | 18/01/2026 |
| urllib3 | CVE-2025-50182 | Removed dependency pin, updated to latest | 18/01/2026 |
| urllib3 | CVE-2025-50181 | Removed dependency pin, updated to latest | 18/01/2026 |
| urllib3 | CVE-2025-66418 | Removed dependency pin, updated to latest | 18/01/2026 |
| urllib3 | CVE-2025-66471 | Removed dependency pin, updated to latest | 18/01/2026 |
| urllib3 | CVE-2024-3766 | Removed dependency pin, updated to latest | 18/01/2026 |
| ecdsa | CVE-2024-23342 | Removed python-jose dependency entirely | 18/01/2026 |
2. Recently Remediated Patches (Closed)
Verified history of security updates applied. Real-time evidence is available in the CheckTick GitHub repository under the dependencies label and closed issues.
| Date | Dependency | Version Change | Reason / Security Fix | Verified By |
|---|---|---|---|---|
| 18/01/2026 | python-jose | 3.5.0 -> Removed | Eliminated vulnerable ecdsa transitive dependency. JWT functionality provided by djangorestframework-simplejwt | CTO |
| 18/01/2026 | ggshield | Moved to pre-commit | Architecture Change: Isolated security scanning tool from production dependencies. Prevents dependency pins from blocking security updates. | CTO |
| 18/01/2026 | cryptography | Unpinned -> Latest | Removed pin previously required by ggshield. Now free to update immediately when patches are released. | CTO |
| 18/01/2026 | urllib3 | Unpinned -> Latest | Removed pin previously required by ggshield. Resolved 5 CVEs (CVE-2025-50182, CVE-2025-50181, CVE-2025-66418, CVE-2025-66471, CVE-2024-3766). | CTO |
| 02/01/2026 | requests | 2.31.0 -> 2.32.0 | Fixed CVE-2024-3651 (Header parsing) | CTO |
| 28/12/2025 | daisyui | 4.x -> 5.4.7 | Dependency refresh & security hardening | CTO |
| 05/12/2025 | jinja2 | 3.1.2 -> 3.1.4 | Fixed GHSA-h75v-3vv6-5qhc (XSS risk) | CTO |
| 12/11/2025 | django | 5.0.x -> 5.1.0 | Minor version upgrade to latest stable | CTO |
| 21/01/2026 | axe-core | 4.11.0 -> 4.11.1 | Patch version upgrade to latest stable | CTO |
3. Automation & Triage Process
- Continuous Auditing: Our `Security Scan` GitHub Action runs on every Push, Pull Request, and daily at 06:00 UTC.
- Hard Block on Production: If `pip-audit` detects any vulnerability (Critical, High, Medium, or Low), the build fails and deployment is automatically blocked. No exceptions are configured.
- Isolated Security Tooling: Security scanning tools (`ggshield`, `pre-commit`) run in isolated environments managed by pre-commit, preventing their dependencies from constraining production packages.
- Zero-Exception Policy: Since January 2026, we maintain a zero-exception policy for vulnerability scanning. This ensures immediate visibility and remediation of any new vulnerabilities.
- Endpoint Sync: Developers are required to run `poetry install` locally to synchronize their development environment with the latest patched versions in `poetry.lock`, preventing 'version drift' between local and production environments.
4. Architecture Improvements (January 2026)
Key Change: Separated security scanning tool dependencies from application runtime dependencies.
Before:
- Security tools (`ggshield`) were installed via Poetry alongside application dependencies
- Security tools pinned critical dependencies (`cryptography`, `urllib3`) to outdated versions
- Required maintaining an exception list of 10+ vulnerabilities
- Could not update vulnerable dependencies without breaking security tools
After:
- Security tools run in isolated pre-commit environments
- Production dependencies are free to update immediately when patches are released
- Zero vulnerabilities in production dependency tree
- Zero exceptions required in CI/CD pipeline
- Improved security posture and maintainability
This architectural change represents a significant improvement in our security monitoring capability while simultaneously reducing our vulnerability exposure.
5. CDN Artifact Handling & Integrity (January 2026)
Change: Updated automated CDN library refresh workflow to use `npm pack` as the canonical source for packaged JavaScript assets and to compute SRI from the package contents.
- Reason: Downloading files directly into the repository root from third-party CDNs caused temporary artifacts to remain after workflow runs (triggering security scanners such as CodeQL). Using `npm pack` ensures the registry is the authoritative source and the artifact bytes are reproducible.
- What changed: The `update-cdn-libraries` GitHub Action now:
  - Runs `npm pack <pkg>@<version>` in a temporary directory
  - Extracts the tarball, finds the minified asset, computes SHA-384 SRI from the file bytes, and atomically moves the asset into `checktick_app/static/js/`
  - Cleans up temporary files and directories using traps to avoid leaving files in the repository
- Outcome: SRI values are computed from the exact npm package bytes; temporary files no longer appear in the repo root; CodeQL false-positives reduced.
Evidence: PR #155 updates the workflow and documentation to reflect this change and updates axe-core to 4.11.1 with the new SRI hash.
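The refresh steps described in section 5, as an added worked example; this is not CheckTick's own `update-cdn-libraries` workflow code, and the function names (`compute_sri`, `verify_sri`, `install_atomically`, `refresh_cdn_library`, `demo_roundtrip`) and the `example.min.js` sample asset are assumptions made for illustration. The `npm pack` path needs npm and registry access and is shown but not exercised; `demo_roundtrip` runs the hash, atomic install and tamper check offline on a constructed file. Where the workflow uses a shell `trap` for cleanup, the Python equivalent is the `TemporaryDirectory` context manager, which removes the work directory on every exit path.

```python
"""Added example (not CheckTick's own workflow code): fetch a package with
`npm pack`, compute a SHA-384 SRI value from the exact package bytes, and
install the asset atomically so no temporary artifacts are left behind."""
import base64
import hashlib
import os
import shutil
import subprocess
import tarfile
import tempfile
from pathlib import Path


def compute_sri(path: Path, algorithm: str = "sha384") -> str:
    """Return "sha384-<base64 digest>" (SRI format) computed over the file's bytes."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return f"{algorithm}-{base64.b64encode(digest.digest()).decode('ascii')}"


def verify_sri(path: Path, expected: str) -> bool:
    """True only if the file's current bytes still match the recorded SRI value."""
    algorithm = expected.split("-", 1)[0]
    try:
        return compute_sri(path, algorithm) == expected
    except ValueError:  # unknown hash algorithm name in the SRI string
        return False


def install_atomically(src: Path, dest: Path) -> None:
    """Copy src to a temp file beside dest, then rename over dest.
    os.replace is atomic on the same filesystem, so a half-written asset is
    never visible and no stray file survives if the copy fails."""
    dest.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(prefix=".tmp-", dir=dest.parent)
    os.close(fd)
    tmp = Path(tmp_name)
    try:
        shutil.copyfile(src, tmp)
        os.replace(tmp, dest)
    finally:
        tmp.unlink(missing_ok=True)  # still present only if the replace failed


def refresh_cdn_library(pkg: str, version: str, asset_in_package: str, static_dir: Path) -> str:
    """Run `npm pack <pkg>@<version>` in a temporary directory, extract the
    tarball, hash the minified asset and move it into static_dir. Returns the SRI.
    Needs npm and registry access (hypothetical usage, not run offline)."""
    with tempfile.TemporaryDirectory() as work:  # removed on every exit path
        workdir = Path(work)
        # npm pack writes <name>-<version>.tgz into the cwd and prints the filename.
        out = subprocess.run(["npm", "pack", f"{pkg}@{version}"], cwd=work,
                             check=True, capture_output=True, text=True)
        tarball = workdir / out.stdout.strip().splitlines()[-1]
        with tarfile.open(tarball) as tf:
            # The "data" filter refuses members that would escape workdir (3.12+ and backports).
            tf.extractall(workdir, filter="data")
        asset = workdir / "package" / asset_in_package  # npm tarballs unpack under package/
        sri = compute_sri(asset)
        install_atomically(asset, static_dir / asset.name)
    return sri


def demo_roundtrip() -> dict:
    """Offline demonstration on a constructed asset (no npm needed): install it,
    check the recorded SRI matches, then tamper with it and confirm the check fails."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "work" / "package" / "dist" / "example.min.js"  # constructed sample
        src.parent.mkdir(parents=True)
        src.write_bytes(b"console.log('constructed sample asset');\n")
        sri = compute_sri(src)
        dest = root / "checktick_app" / "static" / "js" / src.name
        install_atomically(src, dest)
        installed_ok = verify_sri(dest, sri)
        dest.write_bytes(b"console.log('tampered');\n")
        return {
            "sri": sri,
            "installed_ok": installed_ok,
            "tampered_ok": verify_sri(dest, sri),
            "files_in_static": sorted(p.name for p in dest.parent.iterdir()),
        }


if __name__ == "__main__":
    print(demo_roundtrip())
```

The point of hashing the extracted file rather than a CDN download is that the SRI value recorded in templates is bound to the bytes that were actually committed; `verify_sri` is the same check a CI step can run against `checktick_app/static/js/` to confirm the committed asset still matches the recorded hash. `files_in_static` in the demo shows that the temp file used for the atomic rename does not survive the install.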