Closing the Loop on Dependency Security: Automated Vulnerability Scanning in CI
v1.0.332 | Compliance Update — ISO-07
When you build a platform that connects to HMRC on behalf of taxpayers, touches bank feeds, and processes payments, the security bar is not optional — it is a legal and ethical obligation. That is why we continuously audit our own engineering practices against ISO/IEC 27001, and today we are shipping a fix for a gap we found in our CI pipeline.
The Gap
Our application has over 30 npm dependencies. Several of them — bcryptjs, next-auth, @sentry/nextjs, stripe — are directly involved in authentication, credential storage, and payments. Before this release, there was no automated mechanism to detect when a vulnerability was disclosed in any of these packages. A CVE could be published, a new dependency version containing a silent regression could land, and our CI pipeline would have said nothing.
This is the class of risk that ISO/IEC 27001 control ISO-07 (Vulnerability Management) exists to address: vulnerabilities must be identified, evaluated, and remediated in a timely and systematic way — not discovered after the fact.
What We Shipped
Dependabot, enabled weekly. GitHub's Dependabot now scans our npm dependency tree every week against the GitHub Advisory Database. When a vulnerability is found, it opens a pull request with the fix automatically. No manual monitoring required.
npm audit in CI, fail on high. Every pull request now runs npm audit --audit-level=high. If any dependency in the tree carries a high or critical severity vulnerability, the build fails and the PR cannot be merged. This is a hard gate, not a warning.
Snyk on the roadmap. For deeper transitive dependency scanning and license compliance — areas where npm audit has known blind spots — we are evaluating the Snyk GitHub Action as a further layer.
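The two GitHub configuration files that implement the shipped controls, written here as an added example rather than as the platform's own CI configuration. The file paths are GitHub's standard locations for Dependabot and Actions; the Node version, the protected branch name and the open-PR limit are assumptions:

```yaml
# --- .github/dependabot.yml (GitHub's standard location for this file) ---
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"               # location of package.json (assumed: repo root)
    schedule:
      interval: "weekly"         # weekly scan, as described above
    open-pull-requests-limit: 10 # assumed cap on concurrent Dependabot PRs

# --- .github/workflows/dependency-audit.yml (assumed file name) ---
name: Dependency audit
on:
  pull_request:
  push:
    branches: [main]             # assumed name of the protected branch
permissions:
  contents: read                 # least privilege: the job only needs to read the tree
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20       # assumed; pin to the version the application targets
          cache: npm
      # --ignore-scripts keeps package lifecycle scripts from running during install,
      # so a compromised package cannot execute code on the runner at this step.
      - run: npm ci --ignore-scripts
      # Exits non-zero when any dependency carries a high or critical advisory,
      # which fails the job. Moderate and low findings are reported but do not fail it.
      - run: npm audit --audit-level=high
```

Two details decide whether this is actually a hard gate. First, the dependabot.yml schedule governs Dependabot version-update pull requests; the security-update pull requests that respond to a published advisory are switched on separately under the repository's code security settings, and the same file then applies to both. Second, a failing workflow only blocks a merge if the audit job is listed as a required status check in the branch protection rule for main; without that, the red check is a warning, not a gate.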
Why This Matters for Our Users
The taxpayers and landlords using this platform entrust us with their HMRC credentials, bank connections, and financial records. Supply chain attacks via compromised npm packages are not theoretical — they are a documented, recurring attack vector. Automating vulnerability detection means we catch these issues at the point of code change, not after they have reached production.
What This Means for the Development Team
The day-to-day change is small: review and merge Dependabot PRs promptly each week, and fix any npm audit failures before merging a PR. The discipline is straightforward, but the compounding effect over time — a dependency tree that is continuously patched rather than one that drifts — is significant.
For a step-by-step guide on responding to audit failures and working with Dependabot, see the Automated Dependency Vulnerability Scanning documentation page.
This change is part of our ongoing ISO/IEC 27001 compliance programme. All compliance-related changes are tagged with their control reference in the changelog.