Why Automated Dependency Scanning Matters for Sanctions Screening Platforms
Why Automated Dependency Scanning Matters for Sanctions Screening Platforms
Release context: v0.1.15 · Control DEP-04 · Category: Dependency Security
The Problem
As of v0.1.15, an internal security audit (control DEP-04) identified that the platform repository has no automated dependency update scanning in place. There is no .github/dependabot.yml and no renovate.json configuration.
This means:
- No automatic PRs are raised when a dependency falls behind or is flagged with a CVE.
- No GitHub Security Advisory alerts are generated for vulnerable packages.
- Vulnerability discovery relies entirely on manual audits, which are infrequent by nature.
Why This Is High-Risk for a Compliance Platform
The platform screens individuals and entities against the OFSI consolidated sanctions list. It is used by UK compliance teams operating under regulatory obligations. Any breach, data exposure, or service compromise caused by an unpatched dependency could:
- Result in regulatory findings under FCA or OFSI oversight.
- Undermine the integrity of screening results relied upon for compliance decisions.
- Expose end-users' personal and entity data if a vulnerable package is exploited.
Timely patching of known CVEs is a baseline control expected by frameworks such as SOC 2, ISO 27001, Cyber Essentials, and NCSC guidance.
The Fix: Adding Dependabot
The recommended remediation is to add a GitHub Dependabot configuration file. This is a low-effort, high-value control.
Step 1 — Create the configuration file
Create .github/dependabot.yml in the root of the repository:
# .github/dependabot.yml
version: 2
updates:
- package-ecosystem: npm
directory: /
schedule:
interval: weekly
Step 2 — Commit and push to main
Once merged to the default branch, GitHub will automatically begin scanning on the configured weekly schedule.
Step 3 — Review and merge dependency PRs
Dependabot will open pull requests for:
- Patch updates — bug fixes and security patches (lowest risk, merge freely).
- Minor updates — backwards-compatible feature additions (review changelog).
- Major updates — potentially breaking changes (review and test carefully).
Configuration Options
The minimum configuration above targets npm in the repository root on a weekly schedule. You can extend it as needed:
version: 2
updates:
- package-ecosystem: npm
directory: /
schedule:
interval: weekly
open-pull-requests-limit: 10
labels:
- dependencies
- security
ignore:
# Example: ignore a specific package's major bumps
- dependency-name: some-large-package
update-types:
- version-update:semver-major
| Option | Default | Notes |
|---|---|---|
package-ecosystem | — | Set to npm for Node.js projects |
directory | — | / targets the root package.json |
schedule.interval | — | daily, weekly, or monthly |
open-pull-requests-limit | 5 | Increase if you have many stale deps |
labels | — | Add labels to auto-tag Dependabot PRs |
GitHub Security Advisories
In addition to version bumps, Dependabot will also raise security update PRs immediately when a package in your dependency tree is listed in the GitHub Advisory Database — independent of the weekly schedule. These are created as soon as an advisory is published and a patch is available.
This means critical CVEs in direct or transitive dependencies will be surfaced within hours, not weeks.
Acceptance Criteria for DEP-04
Control DEP-04 is considered remediated when:
-
.github/dependabot.ymlexists in the repository root on themainbranch. -
package-ecosystemis set tonpm. -
directoryis set to/. -
schedule.intervalis set toweeklyor more frequent. - At least one Dependabot PR has been successfully opened and merged.
Related Controls
- DEP-04 — Automated dependency update scanning (this control)
- See the Changelog for a full history of security control findings and remediations.