Automated Vulnerability Scanning
As part of ISO-27001 control ISO-07 (Vulnerability Management), the CI pipeline now automatically scans dependencies for known CVEs and licence issues on every push and pull request.
Two complementary mechanisms are in place:
- Dependabot — continuous weekly background scanning that opens automated fix PRs.
- CI workflow steps — per-PR scanning that reports findings inline and (eventually) blocks merging.
Dependabot Configuration
Dependabot is configured in .github/dependabot.yml and monitors two ecosystems:
npm (Node.js dependencies)
| Setting | Value |
|---|---|
| Schedule | Every Monday at 06:00 Europe/London |
| Max open PRs | 10 |
| Patch updates | Grouped into a single PR |
| Security advisories | Always individual PRs |
| Labels | dependencies, security |
| Commit prefix | fix(deps) |
Major-version bumps are excluded for the following packages — these require a manual upgrade cycle with full test coverage:
- `next`
- `react` / `react-dom`
- `next-auth`
- `drizzle-orm`
- `@trpc/*`
GitHub Actions
| Setting | Value |
|---|---|
| Schedule | Every Monday at 06:00 Europe/London |
| Max open PRs | 5 |
| Labels | dependencies, ci |
| Commit prefix | fix(ci) |
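To show how the two tables above map onto Dependabot's configuration keys, here is an illustrative `.github/dependabot.yml` assembled from those settings. It is an added example, not the repository's actual file; the `directory: "/"` value and the group name `patch-updates` are assumptions.

```yaml
# Illustrative dependabot.yml assembled from the tables above (assumed, not the repo's actual file).
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/London"
    open-pull-requests-limit: 10
    labels: ["dependencies", "security"]
    commit-message:
      prefix: "fix(deps)"
    # Patch-level version updates arrive as one grouped PR; security updates are
    # in no group, so Dependabot still opens them one PR per advisory.
    groups:
      patch-updates:
        update-types: ["patch"]
    # Major bumps for these packages need a manual upgrade cycle; minor/patch still flow.
    ignore:
      - dependency-name: "next"
        update-types: ["version-update:semver-major"]
      - dependency-name: "react"
        update-types: ["version-update:semver-major"]
      - dependency-name: "react-dom"
        update-types: ["version-update:semver-major"]
      - dependency-name: "next-auth"
        update-types: ["version-update:semver-major"]
      - dependency-name: "drizzle-orm"
        update-types: ["version-update:semver-major"]
      - dependency-name: "@trpc/*"
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/London"
    open-pull-requests-limit: 5
    labels: ["dependencies", "ci"]
    commit-message:
      prefix: "fix(ci)"
```

The `ignore` entries suppress only major-version PRs; security advisories for those packages still produce individual PRs because Dependabot security updates are not affected by version-update groups.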
CI Workflow Steps
Audit dependencies step (all pushes and PRs)
Runs in the build job on every push and pull request:
```yaml
- name: Audit dependencies (report HIGH/CRITICAL CVEs)
  run: npm audit --audit-level=high --omit=dev
  continue-on-error: true
```
- Scans only production dependencies (`--omit=dev`).
- Reports HIGH and CRITICAL CVEs to the step log — visible on every PR.
- `continue-on-error: true` is set temporarily while the pre-existing CVE backlog (in transitive dependencies) is being resolved by Dependabot. Once cleared, this flag should be removed to enforce a hard merge gate.
dependency-review job (pull requests only)
Runs as a separate job on pull request events only:
```yaml
dependency-review:
  runs-on: ubuntu-latest
  if: github.event_name == 'pull_request'
  permissions:
    contents: read
    pull-requests: write
  continue-on-error: true
  steps:
    - uses: actions/checkout@v4
    - name: Dependency Review
      uses: actions/dependency-review-action@v4
      with:
        fail-on-severity: high
        allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, BlueOak-1.0.0, CC0-1.0, Unlicense
```
- Diffs the dependency graph between the PR's base and head commits.
- Blocks merging (`fail-on-severity: high`) if the PR introduces any new package with a HIGH or CRITICAL CVE.
- Validates licences — all packages added by a PR must use one of the approved permissive licences listed above.
- Posts a summary comment to the PR via the GitHub Dependency Review API.
- `continue-on-error: true` is set temporarily, consistent with the audit step posture.
Current Enforcement Posture
| Mechanism | Status |
|---|---|
| npm audit | ⚠️ Reporting only — `continue-on-error: true` |
| dependency-review | ⚠️ Reporting only — `continue-on-error: true` |
| Dependabot PRs | ✅ Active — opens fix PRs weekly |
Promoting to Hard Gates
Once Dependabot has resolved all existing HIGH/CRITICAL findings in the production dependency tree:
- Open a PR removing `continue-on-error: true` from the `Audit dependencies` step in `.github/workflows/ci.yml`.
- Open a PR removing `continue-on-error: true` from the `dependency-review` job in `.github/workflows/ci.yml`.
After both changes are merged, any PR that introduces a new HIGH/CRITICAL CVE or a non-approved licence will be hard-blocked from merging.
Allowed Licences
The following licences are approved for production dependencies:
- MIT
- Apache-2.0
- BSD-2-Clause
- BSD-3-Clause
- ISC
- 0BSD
- BlueOak-1.0.0
- CC0-1.0
- Unlicense
Any PR introducing a package under a different licence will be flagged by the dependency-review job.