# 20. Dependency Vulnerability Scanning

meta:
  id: web-production-20
  feature: web-production
  priority: P1
  depends_on: []
  tags: [security, dependencies, production]

objective:
  - Implement continuous dependency vulnerability scanning and automated updates

deliverables:
  - npm audit integration in CI
  - Snyk or Dependabot monitoring
  - Automated security patch PRs
  - SBOM (Software Bill of Materials) generation

steps:
  1. Set up automated scanning:
     - Enable Dependabot alerts in GitHub repository settings
     - Configure Dependabot version updates (weekly)
     - Add Snyk integration for deeper analysis
     - Configure Snyk to fail builds on high+ severity
  2. Add CI scanning:
     - `pnpm audit --audit-level=high` in GitHub Actions
     - `snyk test` in CI pipeline
     - Block PR merge on high/critical vulnerabilities
  3. Implement automated patching:
     - Dependabot auto-PR for patch updates
     - Snyk auto-fix PRs for fixable vulnerabilities
     - Manual review required for major version updates
  4. Generate SBOM:
     - Use cyclonedx or spdx-sbom-generator
     - Generate on every release
     - Store with release artifacts
  5. Audit current dependencies:
     - Run `pnpm audit` and fix all high/critical issues
     - Check for unmaintained packages
     - Review direct dependencies for necessity
     - Remove unused dependencies
  6. Set up alerting:
     - Slack notification for new vulnerabilities
     - Weekly vulnerability report
     - Emergency alert for critical CVEs
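The CI gate of step 2 and the release-time SBOM of step 4, written as one GitHub Actions workflow. This is an added example, not a file from this task or project; the workflow path, the pnpm and Node versions, the `SNYK_TOKEN` secret name, and the use of anchore/sbom-action (syft) as the CycloneDX generator are assumptions.

```yaml
# .github/workflows/dependency-security.yml  (added example; path and versions are assumptions)
name: dependency-security
on:
  pull_request:
  release:
    types: [published]
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 9          # assumed; match the repo's packageManager field
      - uses: actions/setup-node@v4
        with:
          node-version: 20    # assumed
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      # Non-zero exit on any high or critical advisory. Marking this job a
      # required status check in branch protection is what blocks the merge.
      - run: pnpm audit --audit-level=high
      # Second scanner with the same threshold; SNYK_TOKEN lives in repo secrets.
      - uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

  sbom:
    if: github.event_name == 'release'
    needs: audit
    runs-on: ubuntu-latest
    permissions:
      contents: write         # needed to attach the SBOM to the release
    steps:
      - uses: actions/checkout@v4
      # syft reads pnpm-lock.yaml directly, so no install step is needed here.
      - uses: anchore/sbom-action@v0
        with:
          path: .
          format: cyclonedx-json
          output-file: sbom.cdx.json
      - run: gh release upload "$GITHUB_REF_NAME" sbom.cdx.json --clobber
        env:
          GH_TOKEN: ${{ github.token }}
```

The `audit` job runs on every pull request, so the "introduce vulnerable package, CI blocks merge" test below exercises it directly; the `sbom` job only runs on published releases and attaches the CycloneDX file to the release assets.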

tests:
  - Security: Introduce vulnerable package → CI blocks merge
  - Integration: Verify Dependabot creates PR for outdated package
  - Audit: SBOM generated and contains all dependencies

acceptance_criteria:
  - Zero high or critical vulnerabilities in dependencies
  - Dependabot monitoring all dependencies
  - CI fails on high+ severity vulnerabilities
  - SBOM generated for every release
  - Automated PRs for security patches within 24 hours
  - Weekly dependency update report
  - All unused dependencies removed

validation:
  - `pnpm audit` → 0 high/critical findings
  - Check GitHub Security tab → no open alerts
  - Merge PR with vulnerable package → CI fails
  - Create release → SBOM artifact attached

notes:
  - Some vulnerabilities may be in devDependencies; these are lower priority
  - Focus on production dependencies first
  - Consider using pnpm overrides for emergency patches
  - Review major version updates carefully for breaking changes