Kordant/tasks/web-production/20-dependency-scanning.md
2026-05-26 16:06:34 -04:00

20. Dependency Vulnerability Scanning

meta:

  • id: web-production-20
  • feature: web-production
  • priority: P1
  • depends_on: []
  • tags: [security, dependencies, production]

objective:

  • Implement continuous dependency vulnerability scanning and automated updates

deliverables:

  • npm audit integration in CI
  • Snyk or Dependabot monitoring
  • Automated security patch PRs
  • SBOM (Software Bill of Materials) generation

steps:

  1. Set up automated scanning:
    • Enable Dependabot alerts in GitHub repository settings
    • Configure Dependabot version updates (weekly)
    • Add Snyk integration for deeper analysis
    • Configure Snyk to fail builds on high+ severity
  2. Add CI scanning:
    • pnpm audit --audit-level=high in GitHub Actions
    • snyk test in CI pipeline
    • Block PR merge on high/critical vulnerabilities
  3. Implement automated patching:
    • Dependabot auto-PR for patch updates
    • Snyk auto-fix PRs for fixable vulnerabilities
    • Manual review required for major version updates
  4. Generate SBOM:
    • Use cyclonedx or spdx-sbom-generator
    • Generate on every release
    • Store with release artifacts
  5. Audit current dependencies:
    • Run pnpm audit and fix all high/critical issues
    • Check for unmaintained packages
    • Review direct dependencies for necessity
    • Remove unused dependencies
  6. Set up alerting:
    • Slack notification for new vulnerabilities
    • Weekly vulnerability report
    • Emergency alert for critical CVEs
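The CI gate from step 2 and the alert text from step 6, as an added example that is not part of the Kordant task file. It assumes the npm-v6-style report that pnpm audit --json emits (an advisories map keyed by id, each with severity, module_name, findings[].paths, cves and recommendation, plus metadata.vulnerabilities counts); the package names, advisory ids and CVE id in the sample are constructed. Running pnpm audit with --prod first matches the note about prioritising production dependencies.

```python
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the npm-v6 report shape pnpm audit --json emits.
# Package names, advisory ids and the CVE id are placeholders, not real advisories.
SAMPLE_REPORT = {
    "advisories": {
        "1001": {"module_name": "example-parser", "severity": "critical",
                 "cves": ["CVE-0000-00001"], "recommendation": "Upgrade to 2.1.0",
                 "findings": [{"version": "2.0.3", "paths": ["example-parser"]}]},
        "1002": {"module_name": "example-util", "severity": "high", "cves": [],
                 "recommendation": "Upgrade to 4.17.21",
                 "findings": [{"version": "4.17.15", "paths": ["example-web>example-util"]}]},
        "1003": {"module_name": "example-colors", "severity": "low", "cves": [],
                 "recommendation": "None", "findings": [{"version": "1.4.0", "paths": ["example-colors"]}]},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 1, "critical": 1}},
}


def blocking_advisories(report, level="high"):
    """Advisories at or above `level`, worst first; mirrors --audit-level but keeps details."""
    threshold = SEVERITY_RANK[level]
    hits = []
    for adv_id, adv in report.get("advisories", {}).items():
        sev = adv.get("severity", "info")
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue
        paths = [p for f in adv.get("findings", []) for p in f.get("paths", [])]
        hits.append({"id": str(adv_id), "module": adv.get("module_name", "?"), "severity": sev,
                     "cves": adv.get("cves", []), "fix": adv.get("recommendation", ""), "paths": paths})
    hits.sort(key=lambda h: (-SEVERITY_RANK[h["severity"]], h["module"]))
    return hits


def gate(report, level="high"):
    """Return (exit_code, message): 1 blocks the merge, 0 passes. Message doubles as the Slack/report text."""
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    lines = ["Dependency audit: " + ", ".join(f"{k}={counts.get(k, 0)}" for k in SEVERITY_RANK)]
    hits = blocking_advisories(report, level)
    for h in hits:
        via = h["paths"][0] if h["paths"] else "?"  # first dependency path that pulls the package in
        lines.append(f"  [{h['severity'].upper()}] {h['module']} via {via} "
                     f"({', '.join(h['cves']) or 'no CVE'}) - {h['fix']}")
    lines.append(f"{'BLOCKED' if hits else 'PASS'}: {len(hits)} advisories at or above {level}")
    return (1 if hits else 0), "\n".join(lines)


if __name__ == "__main__":
    # Usage: pnpm audit --json --prod > audit.json || true; python audit_gate.py audit.json high
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    code, msg = gate(src, sys.argv[2] if len(sys.argv) > 2 else "high")
    print(msg)
    sys.exit(code)
```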

tests:

  • Security: Introduce vulnerable package → CI blocks merge
  • Integration: Verify Dependabot creates PR for outdated package
  • Audit: SBOM generated and contains all dependencies

acceptance_criteria:

  • Zero high or critical vulnerabilities in dependencies
  • Dependabot monitoring all dependencies
  • CI fails on high+ severity vulnerabilities
  • SBOM generated for every release
  • Automated PRs for security patches within 24 hours
  • Weekly dependency update report
  • All unused dependencies removed

validation:

  • pnpm audit → 0 high/critical findings
  • Check GitHub Security tab → no open alerts
  • Merge PR with vulnerable package → CI fails
  • Create release → SBOM artifact attached

notes:

  • Some vulnerabilities may be in devDependencies — these are lower priority
  • Focus on production dependencies first
  • Consider using pnpm overrides for emergency patches
  • Review major version updates carefully for breaking changes