PatchRail

Security scan failures — CVE / GHSA / Severity HIGH

Log signatures

found 3 high severity vulnerabilities
CVE-2024-12345
GHSA-abcd-efgh-ijkl
RUSTSEC-2024-0001
Severity: CRITICAL

What’s happening

A scanner found a known vulnerability (advisory IDs: CVE-, GHSA-, RUSTSEC-) in a dependency, or a static analyzer (gosec, bandit, semgrep) flagged a code pattern. Two structurally different cases: dependency audits (npm audit, pip-audit, cargo audit, trivy, snyk) fail when a new advisory is published — your build can go red with zero changes on your side, on a Friday, reliably; code scanners flag patterns in code you actually changed. For dependency findings the key question is reachability: is the vulnerable function actually called in your usage? That determines urgency, though gated builds need the finding resolved either way.

Fix playbook

  1. 1Identify the advisory and the path to the vulnerable package (npm ls <pkg>, pip-audit output, cargo tree -i <crate>). Direct dependency → upgrade it. Transitive → upgrade the parent, or use an override/resolution to force the patched version.
  2. 2Check the advisory's "patched versions" field — the fix is often a patch-level bump away, the cheapest possible fix.
  3. 3No patch exists yet: assess reachability honestly. If unreachable or not applicable to your usage, record a scoped, expiring ignore (most scanners support ignore-with-expiry files) with the advisory ID and a review date — not a permanent silence.
  4. 4Code-scanner findings (bandit/gosec/semgrep): treat severity HIGH/CRITICAL as a bug report. False positive → suppress at the line with the rule ID and a reason.
  5. 5Rerun the same scanner at the same version before pushing.

Prevention

  • Run dependency audits on a schedule (daily) separate from PR CI, with alerts to a channel. New-advisory noise then lands on the schedule, not on whichever innocent PR happened to run first.

Triage every red build, not just this one.

This page is one of 31 failure classes the open-source patchrail CLI matches from a raw log — locally, with secrets redacted first. If a log stumps it, open an issue; if it saves you a debugging morning, a star helps other maintainers find it.

★ Star on GitHubpipx install patchrail