Automated Dependency Vulnerability Scanning (ISO-07)
Overview
Starting with v1.0.332, the CI pipeline enforces automated vulnerability scanning for all npm dependencies. This change addresses ISO/IEC 27001 control ISO-07 (Vulnerability Management) and ensures that known security vulnerabilities in third-party packages cannot be silently introduced between releases.
The application manages over 30 npm dependencies, including security-sensitive packages:
| Package | Role |
|---|---|
| bcryptjs | Password hashing |
| next-auth | Authentication & OAuth |
| @sentry/nextjs | Error monitoring |
| stripe | Payment processing |
A single undetected vulnerability in any of these packages could expose user credentials, HMRC OAuth tokens, or payment data.
What Was Added
1. Dependabot Configuration (.github/dependabot.yml)
Dependabot is now configured to automatically open weekly pull requests for npm dependency security updates.
```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
```
What this means:
- Every week, GitHub scans the dependency tree against the GitHub Advisory Database.
- If a vulnerability is found, Dependabot opens a PR with the patched version.
- Reviewers can merge, dismiss, or defer each update with a full audit trail.
2. npm audit Step in CI (ci.yml)
An `npm audit --audit-level=high` step has been added to the CI pipeline. Any pull request or push that introduces a high or critical severity vulnerability will now fail the build before it can be merged.
```yaml
# Excerpt from .github/workflows/ci.yml
- name: Audit dependencies
  run: npm audit --audit-level=high
```
Severity levels:
| Level | Build behaviour |
|---|---|
| Critical | ❌ Build fails |
| High | ❌ Build fails |
| Moderate | ⚠️ Warning only |
| Low | ✅ Passes |
3. Snyk Integration (Recommended)
For more comprehensive scanning — including transitive dependencies and license compliance — adding the Snyk GitHub Action is recommended. Snyk provides:
- Deeper transitive dependency analysis beyond `npm audit`.
- License compliance checks (important for commercial SaaS deployments).
- A centralised vulnerability dashboard with remediation guidance.
Developer Workflow
- Routine development — the `npm audit` CI step runs automatically on every PR. No manual action is required unless the step fails.
- Dependabot PRs — review and merge weekly Dependabot PRs promptly. Do not let them accumulate, as stale update PRs may represent unpatched vulnerabilities in production.
- Responding to a failed audit — if the `npm audit` step fails on your PR:
  - Run `npm audit` locally to see the full vulnerability report.
  - Run `npm audit fix` to apply non-breaking patches automatically.
  - For breaking changes, manually upgrade the affected package and update any affected code.
  - If a fix is not yet available upstream, open a security issue and apply a temporary `npm audit` exception with a documented justification.
Compliance Reference
| Attribute | Value |
|---|---|
| Control | ISO-07 |
| Framework | ISO/IEC 27001 |
| Scope | All npm dependencies in the application |
| Enforcement | CI pipeline (ci.yml) + Dependabot (.github/dependabot.yml) |
| Review cadence | Weekly (Dependabot) + every PR (npm audit) |