
Add workflow to perform vulns scan for pull requests#916

Closed
kuan121 wants to merge 3 commits into main from perform-vulnerability-scan-for-pull-request

Conversation


kuan121 (Collaborator) commented Feb 23, 2026

High Level Overview of Change

  1. Security vulnerability scanning in CI: Add a new GitHub Actions workflow (vulnerability_scan.yml) that scans project dependencies for security vulnerabilities during CI. The workflow:
    • Generates a CycloneDX SBOM from Poetry dependencies
    • Scans the SBOM using Trivy for CRITICAL and HIGH severity vulnerabilities
    • Fails the CI if any vulnerabilities are found
    • Prints the vulnerability report to the CI log to provide developers with visibility and enable them to address any identified vulnerabilities.
  2. Upgrade urllib3 to >= 2.6.3 to fix security vulnerabilities
  3. Drop Python 3.8 support: Python 3.8 reached end-of-life in October 2024. The minimum supported Python version is now 3.9. This was required to use urllib3 >= 2.6.0 which only supports Python 3.9+.

Context of Change

The release pipeline (release.yml) already includes vulnerability scanning, but it only runs during the release process. This change shifts security scanning left by running it on every PR and push to main, allowing developers to catch and fix vulnerabilities earlier in the development cycle. This also catches newly disclosed vulnerabilities in existing dependencies.

The workflow includes cost optimizations:

  • Concurrency groups: cancels in-progress runs when new commits are pushed
  • Skips draft PRs
  • Caches Poetry installation and dependencies

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Refactor (non-breaking change that only restructures code)
  • Tests (You added tests for code that already exists, or your new feature included in this PR)
  • Documentation Updates
  • Release

Did you update CHANGELOG.md?

  • Yes
  • No, this change does not impact library users

Test Plan

  1. Create a PR and verify the vulnerability scan workflow runs
  2. Verify the workflow fails if a dependency with known CRITICAL/HIGH vulnerabilities is added
  3. Verify the vulnerability report is printed in table format in the CI logs
  4. Create a draft PR and verify the workflow is skipped
  5. Verify CI passes on Python 3.9, 3.10, 3.11, 3.12, 3.13, and 3.14


coderabbitai bot (Contributor) commented Feb 23, 2026

Caution: Review failed (failed to post review comments)

Walkthrough

Adds a new GitHub Actions workflow that generates a CycloneDX SBOM from Poetry-managed dependencies and scans it with Trivy (failing on HIGH/CRITICAL). Also bumps minimum Python to 3.9 across CI, updates pyproject and docs, and records these changes in CHANGELOG.

Changes

  • New security workflow (.github/workflows/vulnerability_scan.yml): Introduces a workflow that sets up Python 3.9 and Poetry, generates sbom.json via cyclonedx-py poetry, and scans it with Trivy; fails on HIGH/CRITICAL; includes caching and concurrency control; triggers on push/PR/dispatch.
  • CI workflow Python version updates (.github/workflows/faucet_test.yml, .github/workflows/integration_test.yml, .github/workflows/unit_test.yml, .github/workflows/release.yml): Removed Python 3.8 from matrices and updated steps to use Python 3.9; bumped the CycloneDX BOM version in the release workflow to match the vulnerability workflow.
  • Project metadata (pyproject.toml): Raised required Python to >=3.9, tightened the tool.poetry.dependencies python constraint to ">=3.9,<4.0", added dev dependency urllib3 >=2.6.3, and simplified/updated the pydoclint constraint.
  • Documentation & changelog (README.md, docs/index.rst, CHANGELOG.md): Updated docs and README to state minimum Python 3.9; CHANGELOG notes dropping Python 3.8 and requiring urllib3 >=2.6.3.

Sequence Diagram(s)

sequenceDiagram
    participant GH as "GitHub Actions Runner"
    participant Repo as "Repository (checkout)"
    participant Py as "Setup Python 3.9 & Poetry"
    participant Poetry as "Poetry (install deps)"
    participant Cyclone as "cyclonedx-bom (cyclonedx-py)"
    participant Trivy as "Trivy Scanner"
    participant Result as "Job Result"

    Note over GH: workflow triggered (push/PR/dispatch)
    GH->>Repo: checkout code
    Repo->>Py: setup Python 3.9, ensure Poetry on PATH
    Py->>Poetry: install project dependencies (poetry install)
    Poetry->>Cyclone: run `cyclonedx-py poetry` -> generate `sbom.json`
    Cyclone->>Trivy: provide `sbom.json` for scanning
    Trivy->>Result: return findings (fail on HIGH/CRITICAL)
    Result->>GH: mark workflow success/failure

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • pdp2121
  • achowdhry-ripple
  • mvadari
  • ckeshava
  • Patel-Raj11

Poem

🐇 I hopped through deps beneath the moon,

I counted packages very soon.
I wrote an SBOM crisp and bright,
Trivy sniffed bugs through the night.
Hooray — no HIGH nor CRITICAL in sight!

Pre-merge checks: 3 passed
  • Title check: Passed. The title accurately describes the main change: adding a vulnerability scan workflow for pull requests, which is the primary feature introduced in this PR.
  • Description check: Passed. The PR description comprehensively covers all required template sections: High Level Overview, Context, Type of Change (with selection), CHANGELOG status, and Test Plan with concrete verification steps.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@kuan121 kuan121 force-pushed the perform-vulnerability-scan-for-pull-request branch from 75b9689 to f374693 Compare February 23, 2026 13:57

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2


Inline comments:
In @.github/workflows/vulnerability_scan.yml:
- Line 22: The workflow pins the cyclonedx-bom version via CYCLONEDX_BOM_VERSION
set to 7.2.0; update that variable to 7.2.2 to pick up the latest patch releases
(7.2.1/7.2.2), commit the change in the workflow file, then run CI to ensure the
updated bom generation step (referenced by CYCLONEDX_BOM_VERSION) works with the
new patch version.
- Around line 34-37: The Checkout step using actions/checkout@v4 contains a
no-op ref override that checks inputs.git_ref (which is not declared) so the
expression is always false; either remove the entire with: ref: ... block from
the "Checkout code" step to let actions/checkout use its default github.ref, or
declare a workflow_dispatch input named git_ref and then keep the conditional
expression — update the workflow_dispatch inputs to include git_ref (and its
default/description) so the inputs.git_ref reference is valid when used by the
actions/checkout@v4 step.


Commits

Reviewing files that changed from the base of the PR and between d91fa4b and 75b9689.

Files selected for processing (1)
  • .github/workflows/vulnerability_scan.yml
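An added example (not the PR's own workflow file) of a workflow that implements the design laid out in the description and resolves both review findings above: git_ref is declared as a workflow_dispatch input so the checkout ref override is valid, and the cyclonedx-bom pin lives in one variable. The action versions, job and step names, cache key, and the pipx installs are assumptions.

```yaml
name: Vulnerability scan            # added example, not the PR's workflow file
on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:
    inputs:
      git_ref:                      # declared so the checkout ref override is valid
        description: "Git ref to scan (empty = triggering ref)"
        required: false
        default: ""
concurrency:                        # cancel in-progress runs for the same ref
  group: vuln-scan-${{ github.ref }}
  cancel-in-progress: true
env:
  CYCLONEDX_BOM_VERSION: "7.2.0"    # pinned; review suggested bumping to 7.2.2
jobs:
  scan:
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.git_ref || github.ref }}   # falls back on non-dispatch runs
      - uses: actions/setup-python@v5
        with:
          python-version: "3.9"
      - name: Install Poetry and cyclonedx-bom (pinned)
        run: |
          pipx install poetry
          pipx install "cyclonedx-bom==${CYCLONEDX_BOM_VERSION}"
      - name: Cache Poetry virtualenv
        uses: actions/cache@v4
        with:
          path: .venv
          key: venv-${{ runner.os }}-py3.9-${{ hashFiles('poetry.lock') }}
      - name: Install dependencies
        run: |
          poetry config virtualenvs.in-project true
          poetry install --no-interaction
      - name: Generate CycloneDX SBOM from the Poetry lock
        run: cyclonedx-py poetry --of JSON -o sbom.json
      - name: Scan SBOM with Trivy, fail on HIGH/CRITICAL, print table
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: sbom
          scan-ref: sbom.json
          format: table
          severity: CRITICAL,HIGH
          exit-code: "1"
```

The table report lands in the job log so developers see the offending package, version and fixed version without opening a separate artifact.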


[tool.poetry.group.dev.dependencies]
# urllib3 >= 2.6.3 fixes CVE-2025-66418, CVE-2025-66471, CVE-2026-21441
urllib3 = ">=2.6.3"
Collaborator commented on pyproject.toml:

Since urllib3 is a transitive dependency, did we try upgrading the root dependency to see if poetry.lock picks up urllib3 = ">=2.6.3"? Or was it giving a larger than expected number of errors, so you had to pin it in pyproject.toml?


mvadari (Collaborator) commented Feb 24, 2026

Can we deprecate Python 3.8 support in a separate PR? Otherwise it'll be a bit buried and hard to find later.


kuan121 (Collaborator, Author) commented Feb 26, 2026

Closing, as we’ve decided not to run Trivy scans on every PR.

kuan121 closed this Feb 26, 2026