Automated Security, Testing, and Code Quality
Dependabot, CodeQL, CI pipelines, frontend tests, and linting — Arivu now catches problems before they ship.
With the codebase now open source, we invested in the automation that keeps it healthy. This update adds continuous integration pipelines, automated dependency monitoring, static analysis, and a frontend test suite — the kind of infrastructure that catches problems before they reach you.
Automated Dependency Security
Dependabot now monitors all four ecosystems in the project — Python (pip), JavaScript (npm), GitHub Actions, and Docker. When a dependency has a known vulnerability, Dependabot opens a pull request with the fix automatically.
Since enabling it, we’ve already resolved security vulnerabilities in DOMPurify (XSS), rollup, and esbuild, along with routine updates across both backend and frontend dependencies.
What this means for you: Known vulnerabilities get patched quickly, without waiting for a manual review cycle.
CodeQL and Static Analysis
GitHub’s CodeQL scanner now runs against the codebase, flagging potential security issues through static analysis. On the first scan, it identified 9 alerts — all resolved. Fixes included XSS prevention in the browser extension, removing weak hashing from test utilities, and sanitizing error details from API responses.
Every CI workflow now runs with least-privilege permissions: each job's GITHUB_TOKEN is granted only the access it needs, limiting what automated processes can read or change.
What this means for you: Security issues are caught by automated tooling, not just human review.
CI Pipelines and Frontend Tests
Every pull request and push to main now triggers two CI pipelines:
- Test pipeline: backend pytest plus pip-audit for dependency vulnerability scanning; frontend Vitest plus a production build verification step
- Lint pipeline: backend formatting (Black) and static analysis (Ruff with security and bug-detection rules enabled); frontend ESLint with React hooks and accessibility rules
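As an added illustration (not Arivu's own workflow file), here is a GitHub Actions test pipeline with the shape described above: a least-privilege permissions block, pytest plus pip-audit for the backend, and Vitest plus a build for the frontend. The backend/ and frontend/ directories, the requirements.txt file and the runtime versions are assumptions, not details taken from the project.

```yaml
# Added example workflow; directory layout, requirements.txt and versions are assumed.
name: test
on:
  push:
    branches: [main]
  pull_request:
# Least privilege: the GITHUB_TOKEN can only read repository contents.
# A job that needs more (e.g. uploading scan results) widens it at job level.
permissions:
  contents: read
jobs:
  backend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # tag kept current by Dependabot (github-actions ecosystem)
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"       # assumed version
      - name: Install dependencies
        working-directory: backend     # assumed directory
        run: pip install -r requirements.txt pytest pip-audit
      - name: Audit dependencies for known vulnerabilities
        working-directory: backend
        run: pip-audit -r requirements.txt   # non-zero exit fails the job
      - name: Run tests
        working-directory: backend
        run: pytest
  frontend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"           # assumed version
      - name: Install dependencies
        working-directory: frontend    # assumed directory
        run: npm ci                    # installs exactly what package-lock.json pins
      - name: Run Vitest suite
        working-directory: frontend
        run: npx vitest run
      - name: Verify production build
        working-directory: frontend
        run: npm run build
```

Because `permissions` is set at the top level, any job that omits its own `permissions` block inherits read-only access rather than the repository's default token scope.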
The frontend now has its own test suite — 10 tests covering authentication flows, login form behavior, error handling, and API configuration. Pre-commit hooks catch secrets, formatting issues, and lint violations before code even reaches the repository.
What this means for you: More confidence that updates don’t introduce regressions. The safety net is automated, not optional.
This is the kind of work that doesn’t change what Arivu looks like, but it changes how reliably it works. Every dependency is monitored, every change is tested, and every pull request runs through the same quality gates.