ci(workflows): add dependency vulnerability scanning

[sonukapoor]

What is the current behavior?

No dependency vulnerability scanning in CI. VoltAgent ships 1,611 packages across its pnpm lockfile with no automated check - a PR can introduce a high or critical severity vulnerability without any gate catching it.

What is the new behavior?

Adds a dependency vulnerability scan on every push to main and every pull request using CVE Lite CLI, an OWASP Lab Project. The workflow fails on high or critical severity findings.

I scanned the current lockfile before opening this PR - the codebase is clean. The workflow adds a forward-looking gate so it stays that way.

• Scans the pnpm lockfile locally against the OSV vulnerability database
• No code leaves the repo, no account or API key required
• Completes in seconds against a cached advisory database
• Matches your existing workflow conventions (concurrency groups, draft skip, pnpm setup)

Notes for reviewers

I'm the creator of CVE Lite CLI and an OWASP contributor. Happy to answer any questions about the tool or adjust the configuration (e.g. severity threshold, SARIF output for GitHub Code Scanning).

---

Summary by cubic

Add CI dependency vulnerability scanning using OWASP/cve-lite-cli to block high-severity issues on pushes to main and on PRs by scanning lockfiles against OSV.

• New Features
  • Triggers on push to main and PR events (opened, synchronize, reopened, ready_for_review); skips draft PRs and cancels in-progress via concurrency.
  • Uses OWASP/cve-lite-cli@v1 with fail-on: high and verbose: true; no API keys needed.
  • Checks out with actions/checkout@v4 using persist-credentials: false.

^{Written for commit d8a8753. Summary will update on new commits.}

Summary by CodeRabbit

• Chores
  • Added a “Dependency Vulnerability Scan” to the CI workflow, running on pushes to the main branch and on pull request activity (opened, synchronized, reopened, ready for review).
  • The scan skips draft pull requests, runs on Linux, flags high-severity issues, and fails the check to help prevent insecure changes from being merged.

[changeset-bot]

⚠️ No Changeset found

Latest commit: d8a8753

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 37eb2511-3216-4dae-bb21-ae93213d83bc

📥 Commits

Reviewing files that changed from the base of the PR and between c8cffa2 and d8a8753.

📒 Files selected for processing (1)

• .github/workflows/cve-lite.yml

---

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow file .github/workflows/cve-lite.yml is added. It triggers on pushes to main and on pull request events, skips draft PRs, cancels in-progress runs per github.ref, and runs OWASP/cve-lite-cli@v1 to fail on high-severity vulnerability findings.

Changes

Dependency Vulnerability Scan CI Workflow

Layer / File(s)	Summary
CVE scan workflow definition .github/workflows/cve-lite.yml	New workflow that triggers on main pushes and PR activity (opened, synchronize, reopened, ready_for_review), skips drafts, enforces per-ref concurrency cancellation with auto-cancel, checks out with persist-credentials: false, and executes OWASP/cve-lite-cli@v1 with fail-on: high and verbose: true to block on high-severity CVE findings.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 Hippity-hop, I sniff each dep,
A CVE scan on every step!
High severities? We shall not pass!
The checks are fast, the workflow's brash.
No drafts allowed—only the real,
This bunny keeps your builds on keel! 🔒

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding dependency vulnerability scanning to CI workflows, accurately reflecting the new workflow file's purpose.
Description check	✅ Passed	The description comprehensively covers current behavior, new behavior, and implementation details; however, it does not follow the provided template structure with required checklist items and sections.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

.github/workflows/cve-lite.yml (2)

27-27: ⚡ Quick win

Consider pinning cve-lite-cli to a specific version for build stability.

Using @latest ensures the newest vulnerability database and scanner features, but could introduce breaking changes or unexpected behavior between CI runs. Consider pinning to a specific version and updating periodically.

📌 Example: Pin to a specific version

-        run: npx cve-lite-cli@latest . --fail-on high
+        run: npx cve-lite-cli@1.2.3 . --fail-on high

Note: Since you're the tool's author, you may prefer @latest to always use the newest vulnerability data. This suggestion is for build predictability—adjust based on your stability vs. freshness preference.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cve-lite.yml at line 27, The npx command in the
cve-lite-cli step uses `@latest` which can introduce breaking changes and
inconsistent behavior across CI runs. Replace `@latest` with a specific version
number (e.g., `@1.0.0` or whatever the current stable version is) in the run
command that executes npx cve-lite-cli@latest . --fail-on high. This ensures
consistent and predictable builds while allowing for controlled updates by
changing the version pin periodically.

---

18-20: Consider pinning actions to commit hashes for stronger supply chain security.

The workflow uses semantic version tags (@v4) for actions. While this approach is consistent with your project's current practice across all workflows, pinning to commit hashes prevents supply chain attacks where action maintainers could modify tagged versions. This is an optional security hardening step if stricter protections are desired:

Suggested hash pinning

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4
- uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d  # v4  
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8  # v4

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cve-lite.yml around lines 18 - 20, Replace the semantic
version tags (`@v4`) with specific commit hashes for the three GitHub Actions:
actions/checkout, pnpm/action-setup, and actions/setup-node. For each action,
replace the `@v4` reference with its corresponding commit hash (as provided in the
suggested hash pinning section) and include a comment indicating which version
it corresponds to (e.g., # v4). This change strengthens supply chain security by
preventing potential malicious modifications to tagged versions.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cve-lite.yml:
- Line 18: The actions/checkout@v4 action currently uses default behavior which
persists GitHub credentials in the workspace, creating a potential security
risk. Add the `persist-credentials: false` option to the checkout action step to
explicitly disable credential persistence, since this workflow only needs to
perform dependency scanning and does not require git credentials for any
subsequent operations.

---

Nitpick comments:
In @.github/workflows/cve-lite.yml:
- Line 27: The npx command in the cve-lite-cli step uses `@latest` which can
introduce breaking changes and inconsistent behavior across CI runs. Replace
`@latest` with a specific version number (e.g., `@1.0.0` or whatever the current
stable version is) in the run command that executes npx cve-lite-cli@latest .
--fail-on high. This ensures consistent and predictable builds while allowing
for controlled updates by changing the version pin periodically.
- Around line 18-20: Replace the semantic version tags (`@v4`) with specific
commit hashes for the three GitHub Actions: actions/checkout, pnpm/action-setup,
and actions/setup-node. For each action, replace the `@v4` reference with its
corresponding commit hash (as provided in the suggested hash pinning section)
and include a comment indicating which version it corresponds to (e.g., # v4).
This change strengthens supply chain security by preventing potential malicious
modifications to tagged versions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7dfe8776-b8ce-4a49-9f4d-d1af1912ef23

📥 Commits

Reviewing files that changed from the base of the PR and between 1e1af65 and 650d3fe.

📒 Files selected for processing (1)

• .github/workflows/cve-lite.yml

[cubic-dev-ai]

3 issues found across 1 file

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cve-lite.yml:
- Line 21: The `actions/setup-node@v4` action uses a mutable tag reference
instead of an immutable commit SHA, which introduces supply-chain security
risks. Replace the tag reference `@v4` with the full commit SHA for the v4
release of the actions/setup-node action to ensure the workflow always uses the
exact same version and prevent any unexpected changes from upstream updates.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4380546b-6ea9-45d2-b8e5-630a84a89d02

📥 Commits

Reviewing files that changed from the base of the PR and between 650d3fe and 946d720.

📒 Files selected for processing (1)

• .github/workflows/cve-lite.yml

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/cve-lite.yml (1)

21-21: ⚠️ Potential issue | 🟠 Major

Pin actions/setup-node to a commit SHA.

actions/setup-node@v4 uses a tag reference rather than an immutable commit SHA, which creates a supply-chain risk. Replace with the verified commit SHA:

-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/cve-lite.yml at line 21, The `actions/setup-node@v4`
action reference uses a mutable tag which creates a supply-chain risk. Replace
the tag reference `@v4` with the verified immutable commit SHA that corresponds
to the intended version of the action. This ensures that the exact version of
the action is always used and prevents unexpected changes if the tag is updated.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In @.github/workflows/cve-lite.yml:
- Line 21: The `actions/setup-node@v4` action reference uses a mutable tag which
creates a supply-chain risk. Replace the tag reference `@v4` with the verified
immutable commit SHA that corresponds to the intended version of the action.
This ensures that the exact version of the action is always used and prevents
unexpected changes if the tag is updated.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 577dc966-13da-49ec-8e7f-ffd8b27d5f9d

📥 Commits

Reviewing files that changed from the base of the PR and between 946d720 and b7d4387.

📒 Files selected for processing (1)

• .github/workflows/cve-lite.yml