Security Automation (Backend Standard)

This document defines the baseline security automation we expect for Python backends.

Status: recommended until reliable (once consistently wired into CI across projects, promote to required).

Tool baseline (standard)

• Dependabot: automated dependency update PRs (SCA workflow)
• pip-audit: dependency vulnerability scanning in CI (SCA)
• bandit: “SAST-lite” static analysis for common Python issues
• gitleaks: secrets scanning in CI

Repo requirements (recommended)

Dependabot

• Add .github/dependabot.yml.
• Configure:
  • package ecosystem (pip or pip-compile/poetry as applicable)
  • update schedule
  • grouping rules (to reduce PR noise)

pip-audit (CI)

• Run pip-audit in CI against the repo’s locked/pinned dependencies (use the repo’s declared dependency mechanism; don’t invent a second one).
• Policy:
  • fail the build on known vulnerabilities unless explicitly triaged at the project level
  • keep suppressions timeboxed and documented in the repo

bandit (CI)

• Run bandit in CI against source directories.
• Keep configuration in-repo (e.g., pyproject.toml or .bandit), and document any exclusions with rationale.

gitleaks (CI)

• Run gitleaks in CI on PRs and on default-branch merges.
• Treat findings as high priority:
  • rotate/revoke secrets immediately if a real secret is found
  • purge leaked secrets from history where appropriate

Standard guidance for AI agents

Agents should:

• keep these checks recommended unless the repo already enforces them as required
• never disable security checks “just to make CI green”
• escalate to the project lead if a new suppression/exclusion is needed