
[Task]: Add dependency and security checks to CI #54

Description

@rian-be

Summary

Add dependency and security checks to the CI pipeline for ModularityKit.Mutator.

Goal

Catch vulnerable, stale, or suspicious dependencies earlier by making security and package health checks part of the repository's normal validation flow.

Problem

The repository has multiple projects and package references across runtime, governance, Redis, examples, and tests. As that dependency surface grows, it becomes harder to notice when a package is vulnerable, outdated, or out of policy unless someone remembers to run checks manually.

CI should provide a consistent baseline signal for dependency health so the repo does not rely on ad hoc review alone. That also makes it easier to keep release artifacts and examples aligned with the same dependency expectations.

Scope

  • Add dependency vulnerability checks to CI
  • Add stale or outdated package checks where they make sense for the repo
  • Make the check output actionable so failing packages are easy to identify
  • Keep the checks compatible with the repository's current .NET solution layout
  • Ensure the checks can be run locally as well as in CI
  • Document the dependency check workflow and the expected remediation path
  • Keep the security checks separate from package signing and release automation

Design Expectations

  • Checks should be straightforward to interpret when they fail.
  • The workflow should favor direct tooling and existing .NET commands over custom scripts where possible.
  • The checks should cover the repository's package references without becoming a full security platform.
  • Local contributors should be able to run the same checks before opening a PR.
  • The workflow should avoid false confidence by making sure warnings are visible and not buried.

Suggested Checks

  • dotnet list package --vulnerable
  • dotnet list package --outdated
  • optional package restore audit or equivalent .NET native dependency validation
  • optional CI job annotations that point to the affected project
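The two `dotnet list package` commands above report findings but do not themselves fail a CI step, so a check that is meant to block needs to inspect their output. The script below is an added example (not code from the ModularityKit.Mutator repository) that reads the `--format json` output of `dotnet list package --vulnerable --include-transitive` or `dotnet list package --outdated`, flattens it into one finding per package, emits GitHub Actions annotations pointing at the affected project file, and returns a non-zero exit code only for vulnerabilities at or above a chosen severity (outdated packages only warn). The embedded sample report is constructed; the project paths, package names and advisory URLs in it are placeholders, not real packages or advisories.

```python
"""Added example: turn `dotnet list package --vulnerable|--outdated --format json`
output into actionable CI findings. Not part of the ModularityKit.Mutator repo."""
import json
import sys

SEVERITY_RANK = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}

# Constructed sample mirroring the JSON shape of `dotnet list package --vulnerable
# --include-transitive --format json`. Paths, package ids and URLs are placeholders.
SAMPLE_VULNERABLE = json.dumps({
    "version": 1, "parameters": "--vulnerable --include-transitive",
    "sources": ["https://api.nuget.org/v3/index.json"],
    "projects": [
        {"path": "src/Placeholder.Redis/Placeholder.Redis.csproj", "frameworks": [{
            "framework": "net8.0",
            "topLevelPackages": [{"id": "Example.Cache.Client", "requestedVersion": "1.2.0",
                                  "resolvedVersion": "1.2.0",
                                  "vulnerabilities": [{"severity": "High",
                                                       "advisoryurl": "https://example.invalid/PLACEHOLDER-1"}]}],
            "transitivePackages": [{"id": "Example.Transport", "resolvedVersion": "3.0.1",
                                    "vulnerabilities": [{"severity": "Moderate",
                                                         "advisoryurl": "https://example.invalid/PLACEHOLDER-2"}]}]}]},
        {"path": "tests/Placeholder.Tests/Placeholder.Tests.csproj",
         "frameworks": [{"framework": "net8.0", "topLevelPackages": []}]},
    ],
})

# Constructed sample of `--outdated` output: only packages with a newer version are listed.
SAMPLE_OUTDATED = json.dumps({
    "version": 1, "parameters": "--outdated", "sources": [],
    "projects": [{"path": "examples/Placeholder.Example/Placeholder.Example.csproj",
                  "frameworks": [{"framework": "net8.0", "topLevelPackages": [
                      {"id": "Example.Logging", "requestedVersion": "2.0.0",
                       "resolvedVersion": "2.0.0", "latestVersion": "2.3.1"}]}]}],
})


def collect_findings(report):
    """Flatten the report into one record per vulnerable/outdated package or tooling problem."""
    findings = []
    for problem in report.get("problems", []) or []:
        # A restore or feed problem must not silently pass as "no vulnerabilities".
        findings.append({"kind": "problem", "project": problem.get("project", ""),
                         "framework": "", "package": "", "version": "", "scope": "",
                         "severity": "Critical", "detail": problem.get("text", "")})
    for project in report.get("projects", []) or []:
        path = project.get("path", "<unknown project>")
        for fw in project.get("frameworks", []) or []:
            tfm = fw.get("framework", "")
            for scope, key in (("direct", "topLevelPackages"), ("transitive", "transitivePackages")):
                for pkg in fw.get(key, []) or []:  # transitivePackages is absent without --include-transitive
                    base = {"project": path, "framework": tfm, "package": pkg.get("id", ""),
                            "version": pkg.get("resolvedVersion", ""), "scope": scope}
                    for vuln in pkg.get("vulnerabilities", []) or []:
                        findings.append({**base, "kind": "vulnerable",
                                         "severity": vuln.get("severity", "Unknown"),
                                         "detail": vuln.get("advisoryurl", "")})
                    latest = pkg.get("latestVersion")
                    if latest and latest != base["version"]:
                        findings.append({**base, "kind": "outdated", "severity": "Info",
                                         "detail": f"latest {latest}"})
    return findings


def annotation(finding):
    """GitHub Actions workflow command so the finding shows up on the affected project file."""
    if finding["kind"] == "problem":
        return f"::error file={finding['project']},title=dependency check::tooling problem: {finding['detail']}"
    level = "warning" if finding["kind"] == "outdated" else "error"
    msg = (f"{finding['kind']} {finding['scope']} package {finding['package']} {finding['version']} "
           f"({finding['framework']}) severity={finding['severity']} {finding['detail']}")
    return f"::{level} file={finding['project']},title=dependency check::{msg}"


def exit_code(findings, fail_severity="Low"):
    """2 on tooling problems, 1 on any vulnerability at/above the threshold, else 0.
    Unknown severities count as failing so a new severity label cannot slip through."""
    threshold = SEVERITY_RANK[fail_severity]
    if any(f["kind"] == "problem" for f in findings):
        return 2
    if any(f["kind"] == "vulnerable" and SEVERITY_RANK.get(f["severity"], threshold) >= threshold
           for f in findings):
        return 1
    return 0


def main(argv):
    # Usage: dotnet list package --vulnerable --include-transitive --format json > vuln.json
    #        python check_packages.py vuln.json [High]     (no args: runs on the embedded sample)
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_VULNERABLE
    findings = collect_findings(json.loads(raw))
    for f in findings:
        print(annotation(f))
    return exit_code(findings, argv[2] if len(argv) > 2 else "Low")


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the same two commands locally and piping them through this script gives contributors the identical verdict CI will produce. The "restore audit" item above is the alternative path: .NET 8 SDK restores run NuGet audit and emit NU1901 to NU1904 warnings by severity, which `<WarningsAsErrors>` in Directory.Build.props turns into a build failure without any parsing, at the cost of less control over the report format.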

Acceptance Criteria

  • CI includes a repeatable dependency and security validation step
  • The step reports vulnerable or outdated packages in a way that is easy to act on
  • The validation can be run locally using repository-documented commands
  • The workflow covers the solution's main package surfaces without requiring manual inspection
  • The implementation remains separate from release packaging and signing tasks

Non-Goals

  • This issue does not design a full software supply chain platform
  • This issue does not change runtime behavior
  • This issue does not automatically upgrade dependencies
  • This issue does not bundle package signing or provenance generation into the same task

Notes

This issue is intended to make dependency hygiene a normal part of repository maintenance rather than a periodic manual audit.

Labels: ci (CI/CD and repository automation changes)