# 20. Dependency Vulnerability Scanning

meta:
  id: web-production-20
  feature: web-production
  priority: P1
  depends_on: []
  tags: [security, dependencies, production]

objective:
  - Implement continuous dependency vulnerability scanning and automated updates

deliverables:
  - `pnpm audit` integration in CI (the project uses pnpm, so the gate is `pnpm audit`, not `npm audit`)
  - Dependabot monitoring, with Snyk for deeper analysis
  - Automated security patch PRs
  - SBOM (Software Bill of Materials) generation

steps:
  1. Set up automated scanning:
     - Enable Dependabot alerts and Dependabot security updates in the GitHub repository settings (alerts alone only notify; security updates are what open the patch PRs)
     - Configure Dependabot version updates (weekly) in `.github/dependabot.yml`
     - Add the Snyk integration for deeper analysis (transitive paths, fix advice)
     - Configure Snyk to fail builds at high severity and above
  2. Add CI scanning:
     - `pnpm audit --audit-level=high` in GitHub Actions (exits non-zero only for high/critical findings)
     - `snyk test --severity-threshold=high` in the CI pipeline
     - Make both jobs required status checks so a PR with high/critical vulnerabilities cannot be merged
  3. Implement automated patching:
     - Dependabot auto-PRs for patch updates
     - Snyk auto-fix PRs for vulnerabilities that have a patched version
     - Manual review required for major version updates
  4. Generate SBOM:
     - Use a CycloneDX or SPDX generator that reads `pnpm-lock.yaml` (for example cdxgen or spdx-sbom-generator)
     - Generate on every release
     - Store with release artifacts
  5. Audit current dependencies:
     - Run `pnpm audit` and fix all high/critical issues
     - Check for unmaintained packages (no releases or maintainer activity for an extended period)
     - Review direct dependencies for necessity
     - Remove unused dependencies
  6. Set up alerting:
     - Slack notification for new vulnerabilities
     - Weekly vulnerability report
     - Emergency alert for critical CVEs

tests:
  - Security: introduce a package with a known vulnerability → CI blocks the merge
  - Integration: verify Dependabot creates a PR for an outdated package
  - Audit: SBOM is generated and lists every dependency in `pnpm-lock.yaml`

acceptance_criteria:
  - Zero high or critical vulnerabilities in dependencies
  - Dependabot monitoring all dependencies
  - CI fails on high+ severity vulnerabilities
  - SBOM generated for every release
  - Automated PRs for security patches within 24 hours
  - Weekly dependency update report
  - All unused dependencies removed

validation:
  - `pnpm audit --audit-level=high` → 0 high/critical findings and exit code 0
  - Check GitHub Security tab → no open alerts
  - Open a PR that adds a vulnerable package → CI fails
  - Create release → SBOM artifact attached

notes:
  - Some vulnerabilities may be in devDependencies; these are lower priority than production dependencies, but dev tooling runs in CI with access to secrets, so they are not risk-free
  - Focus on production dependencies first (`pnpm audit --prod` limits the scan to them)
  - Consider using pnpm `overrides` for emergency patches (`pnpm audit --fix` writes overrides for advisories that have a patched version); treat overrides as temporary and remove them once the upstream dependency updates
  - Review major version updates carefully for breaking changes
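The CI gate in step 2 and the devDependencies priority in the notes can be combined in one script that reads the `pnpm audit --json` report and decides whether to fail the build. The script below is an added example for this task, not code from the project. It assumes the npm-v6-style `advisories` layout that `pnpm audit --json` emits and that each finding path is a `>`-separated chain starting at the direct dependency (a leading `.` for the project root is tolerated). The sample report, the package.json excerpt, the fake package names and the exceptions file format (`{ "<advisory id>": "<expiry date>" }`) are all constructed for the example.

```javascript
// audit-gate.js: decide whether a `pnpm audit --json` report should fail the build.
// Added example for this task; not code from the project.
// Assumptions: npm-v6-style "advisories" layout as emitted by pnpm audit, and
// finding paths of the form "direct-dep > transitive > ..." (optional leading ".").

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report (not a real scan); package names are fake.
const SAMPLE_AUDIT = {
  advisories: {
    1001: { id: 1001, module_name: "fake-lib", severity: "high",
            title: "Prototype pollution (constructed)", patched_versions: ">=2.0.1",
            findings: [{ version: "2.0.0", paths: ["fake-lib"] }] },
    1002: { id: 1002, module_name: "fake-test-tool", severity: "critical",
            title: "Command injection (constructed)", patched_versions: ">=5.1.0",
            findings: [{ version: "5.0.0", paths: ["fake-runner > fake-test-tool"] }] },
    1003: { id: 1003, module_name: "fake-util", severity: "moderate",
            title: "ReDoS (constructed)", patched_versions: ">=1.0.1",
            findings: [{ version: "1.0.0", paths: ["fake-util"] }] },
  },
};

// Constructed package.json excerpt: which direct dependencies ship to production.
const SAMPLE_PACKAGE = {
  dependencies: { "fake-lib": "^2.0.0", "fake-util": "^1.0.0" },
  devDependencies: { "fake-runner": "^3.0.0" },
};

// First real segment of a dependency path, e.g. ". > a > b" -> "a".
function directDependency(path) {
  return path.split(">").map((s) => s.trim()).filter((s) => s && s !== ".")[0];
}

// "production" if any finding path enters via a runtime dependency, else "development".
function classifyScope(advisory, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const viaProd = advisory.findings.some((f) =>
    f.paths.some((p) => prod.has(directDependency(p))));
  return viaProd ? "production" : "development";
}

// Core gate. options: threshold (default "high"), exceptions ({ id: "YYYY-MM-DD" expiry }),
// now (Date, for testing). Returns { block, warn, accepted, expired, exitCode }.
// Only production-scoped findings at or above the threshold block the build;
// dev-only findings are reported as warnings; expired exceptions are ignored and surfaced.
function evaluateAudit(audit, pkg, options = {}) {
  const threshold = SEVERITY_RANK[options.threshold || "high"];
  const now = options.now || new Date();
  const exceptions = options.exceptions || {};
  const result = { block: [], warn: [], accepted: [], expired: [] };
  for (const adv of Object.values(audit.advisories || {})) {
    if ((SEVERITY_RANK[adv.severity] ?? 0) < threshold) continue;
    const entry = { id: adv.id, module: adv.module_name, severity: adv.severity,
                    scope: classifyScope(adv, pkg), fix: adv.patched_versions || "none" };
    const expiry = exceptions[String(adv.id)];
    if (expiry !== undefined) {
      if (new Date(expiry) >= now) { result.accepted.push(entry); continue; }
      result.expired.push(entry);
    }
    (entry.scope === "production" ? result.block : result.warn).push(entry);
  }
  result.exitCode = result.block.length > 0 ? 1 : 0;
  return result;
}

// Human-readable summary for the CI log.
function formatReport(result) {
  const line = (tag, e) =>
    `${tag} ${e.severity.toUpperCase()} ${e.module} (advisory ${e.id}, ${e.scope}, fix: ${e.fix})`;
  return [
    ...result.block.map((e) => line("BLOCK", e)),
    ...result.warn.map((e) => line("WARN", e)),
    ...result.accepted.map((e) => line("ACCEPTED", e)),
    ...result.expired.map((e) => line("EXPIRED-EXCEPTION", e)),
    `exit code: ${result.exitCode}`,
  ].join("\n");
}

// CLI: pnpm audit --json > audit.json; node audit-gate.js audit.json package.json [exceptions.json]
// With no arguments it runs on the constructed sample and leaves the process exit code alone.
if (typeof require === "function" && require.main === module) {
  const fs = require("fs");
  const [auditPath, pkgPath, excPath] = process.argv.slice(2);
  const read = (p) => JSON.parse(fs.readFileSync(p, "utf8"));
  const real = Boolean(auditPath && pkgPath);
  const result = evaluateAudit(
    real ? read(auditPath) : SAMPLE_AUDIT,
    real ? read(pkgPath) : SAMPLE_PACKAGE,
    { exceptions: excPath ? read(excPath) : {} });
  console.log(formatReport(result));
  if (real) process.exitCode = result.exitCode;
}
```

In CI, run `pnpm audit --json > audit.json || true` first (pnpm audit itself exits non-zero when it finds anything, which would otherwise abort the step before the gate runs), then invoke the script and let its exit code drive the job. The exceptions file is the one place a known finding may be accepted, and every entry carries an expiry date so a "temporary" exception cannot quietly become permanent; an expired entry is listed separately in the log so it is visible during review.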