How a two-layer CVE scanning setup catches vulnerabilities CI pipelines routinely miss

·1 views

A software team using GitHub Actions discovered that a single dependency scanner was insufficient because vulnerabilities exist in two distinct layers: application dependencies and the OS packages bundled inside base Docker images. Tools like pip-audit and pnpm audit cover the first layer by checking requirements.txt and package-lock files against advisory databases, while Trivy is needed to scan base images such as python:3.12-slim for OS-level libraries like openssl and glibc. A key pitfall identified is that Docker's build cache can silently reuse old apt-get upgrade layers, meaning OS patches never actually get applied even when a rebuild appears to succeed. The team configured dependency scans to block deployments on HIGH or CRITICAL runtime findings, while a separate weekly Trivy cron job flags only CRITICAL and fixed OS vulnerabilities to reduce noise. Separating dev dependencies from runtime ones and using explicit, justified ignore rules were highlighted as deliberate choices to keep the pipeline signal meaningful rather than cluttered with false positives.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Solo developer builds open-source sports analytics SaaS to replace coaches' clipboards

Jonas, a developer with a CS and Entrepreneurship background, is publicly documenting the solo development of SportsFlow, a sports analytics platform aimed at amateur coaches. The app allows coaches to live-track shots, assists, and saves during handball games on a phone or tablet, generating season-level analytics such as heatmaps and shooting percentages. Jonas identified the problem firsthand from his time on the bench, noting that in-game data is routinely lost once the final whistle blows. The platform is being built offline-first to handle poor connectivity in sports halls, with plans to expand beyond handball to volleyball, basketball, and ice hockey. Jonas intends to publish biweekly build-in-public updates covering both technical decisions and honest business trade-offs.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

NPM Safety Guard offers 23-layer supply chain protection for JS developers

NPM Safety Guard is a free, open-source developer tool built by SendWaveHub that provides 23 layers of security scanning for npm projects. It detects threats that standard npm audit misses, including known malicious packages, typosquatting, dependency confusion, exposed secrets, and AI credential theft hidden in node_modules. The tool integrates with both VS Code and JetBrains IDEs and is available on their respective marketplaces. It leverages multiple intelligence sources such as OSSF Scorecard, Socket.dev, and ReversingLabs to assess supply chain risk in real time. Released under the MIT license, the project is also hosted on GitHub where developers can review its source code and contribute.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

AI Security Gate: A Proposed Architecture to Safeguard AI-Generated Code

A software engineer has proposed an architectural concept called the AI Security Gate, designed to enforce deterministic security controls on artifacts produced by AI agents in modern development workflows. As AI systems increasingly generate code, infrastructure configs, and CI/CD scripts autonomously, the author argues that human-dependent security checkpoints no longer scale reliably. Unlike AI code reviewers that reason probabilistically, the proposed gate applies fixed, rule-based checks — such as detecting exposed secrets or policy violations — consistently and without exception. The gate is envisioned as a distinct architectural layer, separate from quality review, positioned before any AI-generated artifact is accepted into a repository or deployment pipeline. The concept draws on existing tools like secret scanners and IaC validators, framing them collectively as implementations of a single, mandatory security role.

0 comments Read more at DEV Community

ProgrammingDEV Community ·

ClickHouse 2026 Guide: When to Denormalize vs. Join in Analytical Workloads

A new technical guide from DEV Community outlines a decision framework for choosing between denormalization and normalization in ClickHouse analytical data modeling. Denormalization has long been the default for latency-sensitive analytics because pre-joining data at ingestion delivers faster reads for known access patterns. However, advances in columnar database join algorithms — including parallel hash joins, bloom filters, and dictionary-based direct joins — have made runtime joins viable for many modern workloads. While denormalization still offers superior raw read performance, normalization provides operational advantages such as simpler pipelines, flexible schemas, and easier data governance. The guide recommends engineers evaluate their specific workload characteristics — including concurrency, freshness requirements, and pipeline complexity — rather than defaulting to either approach.

0 comments Read more at DEV Community