# Dependency Audit

## Audit Process
All Gatez services are audited for known vulnerabilities as part of the pre-merge gate. This runs automatically before any merge to main.
### Rust Services (L2, L3, Control Plane API)

```bash
# Install cargo-audit (one-time)
cargo install cargo-audit

# Run the audit for each service from the repository root.
# Each cd runs in a subshell so the next path is still relative to the root.
(cd layers/ai-gateway && cargo audit)
(cd layers/agent-gateway && cargo audit)
(cd layers/control-plane-api && cargo audit)
```

### Node.js (Control Plane UI)
```bash
cd layers/control-plane && npm audit --omit=dev --audit-level=high
```

## Current Status
| Service | Tool | Last Audit | Result | Notes |
|---|---|---|---|---|
| AI Gateway (L2) | cargo audit | 2026-03-28 | Baseline | Initial audit with enterprise readiness |
| Agent Gateway (L3) | cargo audit | 2026-03-28 | Baseline | Initial audit with enterprise readiness |
| Control Plane API | cargo audit | 2026-03-28 | Baseline | Initial audit with enterprise readiness |
| Control Plane UI | npm audit | 2026-03-28 | Baseline | Initial audit with enterprise readiness |
## Advisory Suppression Policy
If a vulnerability cannot be fixed immediately (e.g., no patch available, only in dev dependency):
- Document the advisory ID, affected package, and severity in this file
- Add justification for why it's acceptable (e.g., dev-only, not reachable in our code path)
- Set a review date (max 90 days)
- Track in a GitHub issue
### Suppressed Advisories
None currently suppressed.
## Automated Enforcement
The pre-merge gate (scripts/pre-merge-gate.sh, section 7) runs both cargo audit and npm audit automatically. High and critical vulnerabilities block the merge.
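The suppression policy and the blocking rule above, expressed as gate logic in an added Python example that is not part of scripts/pre-merge-gate.sh: a finding is waived only by a suppression that has a justification, a tracking issue and a review date no more than 90 days out, and any remaining high or critical finding fails the gate. The advisory IDs, package names, issue numbers and dates are constructed placeholders, and turning `cargo audit` / `npm audit` output into `(advisory_id, package, severity)` tuples is assumed to happen upstream of this code.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MAX_REVIEW_DAYS = 90             # ceiling from the suppression policy
BLOCKING = {"high", "critical"}  # severities that fail the pre-merge gate

@dataclass
class Suppression:
    advisory_id: str    # RUSTSEC-... / GHSA-... identifier
    package: str
    justification: str  # why the finding is acceptable for now
    review_date: date   # at most MAX_REVIEW_DAYS in the future
    issue: str          # tracking GitHub issue

def suppression_errors(s: Suppression, today: date) -> list[str]:
    """Policy violations of one suppression entry; [] means it is valid."""
    errors = []
    if not s.justification.strip():
        errors.append(f"{s.advisory_id}: missing justification")
    if not s.issue:
        errors.append(f"{s.advisory_id}: no tracking issue")
    if s.review_date < today:
        errors.append(f"{s.advisory_id}: review date {s.review_date} has passed")
    elif s.review_date > today + timedelta(days=MAX_REVIEW_DAYS):
        errors.append(f"{s.advisory_id}: review date more than {MAX_REVIEW_DAYS} days out")
    return errors

def evaluate_gate(findings, suppressions, today):
    """findings: (advisory_id, package, severity) tuples from the audit tools.
    Returns (blocking, policy_errors); the gate passes only when both are empty."""
    policy_errors, valid = [], set()
    for s in suppressions:
        errs = suppression_errors(s, today)
        policy_errors.extend(errs)
        if not errs:  # only a policy-compliant suppression waives a finding
            valid.add((s.advisory_id, s.package))
    blocking = [f for f in findings
                if f[2].lower() in BLOCKING and (f[0], f[1]) not in valid]
    return blocking, policy_errors

# Constructed sample: placeholder advisory IDs, packages, issue numbers and dates.
SAMPLE_TODAY = date(2026, 3, 28)
SAMPLE_FINDINGS = [
    ("RUSTSEC-0000-0001", "example-crate", "high"),      # validly suppressed below
    ("GHSA-xxxx-xxxx-xxxx", "example-pkg", "critical"),  # unsuppressed: blocks the merge
    ("RUSTSEC-0000-0002", "other-crate", "medium"),      # below the blocking threshold
]
SAMPLE_SUPPRESSIONS = [
    Suppression("RUSTSEC-0000-0001", "example-crate", "dev-only, not reachable", date(2026, 6, 1), "#0000"),
    Suppression("RUSTSEC-0000-0003", "stale-crate", "no patch yet", date(2026, 7, 30), "#0001"),  # >90 days
]
```

Running `evaluate_gate(SAMPLE_FINDINGS, SAMPLE_SUPPRESSIONS, SAMPLE_TODAY)` reports the unsuppressed critical finding as blocking and rejects the second suppression because its review date is beyond the 90-day limit.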