Automated Dependency Vulnerability Scanning in CI
Release: v1.0.411 · Security Control: SEC-25 · Category: Dependency Security
Overview
As of v1.0.411, the CI pipeline automatically scans all application dependencies for known vulnerabilities on every build and pull request. Any dependency carrying a high or critical severity CVE will fail the build, preventing vulnerable code from being merged or deployed.
This is a mandatory security control for a financial platform handling HMRC OAuth credentials, payment data via Stripe, and personally identifiable taxpayer information.
How It Works
1. npm audit Build Gate
A dedicated step in .github/workflows/ci.yml runs:
npm audit --audit-level=high
This command exits with a non-zero status code if any installed dependency has a vulnerability rated high or critical, so the CI job fails and the merge is blocked. The flag only changes the exit code: every finding is still printed to the job log. npm audit compares the committed package-lock.json against the registry's advisory database, so the step must run after npm ci on that lockfile, and devDependencies are included in the check unless --omit=dev is passed.
- Low and moderate vulnerabilities are reported but do not block the build.
- High and critical vulnerabilities fail the build immediately.
2. Structured JSON Audit Output
The workflow also runs npm audit --json to produce a machine-readable vulnerability report. This output can be consumed by audit-ci or similar tooling to:
- Allow specific CVEs to be allowlisted while still blocking others.
- Archive audit results as CI artefacts for compliance records.
- Differentiate between `dependencies` and `devDependencies` when determining build failure.
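As an added illustration of the kind of consumer described above (example code written for this page, not the project's CI tooling and not audit-ci itself), the script below reads the report produced by `npm audit --json` on npm 7+ (auditReportVersion 2), applies the high-or-above threshold, and honours an allowlist of GHSA advisory IDs. A finding that a package only inherits from another vulnerable package (a `via` entry that is a package name rather than an advisory object) is resolved to its root advisories, so allowlisting the root advisory also clears the packages that depend on it. The report embedded at the bottom is constructed, with placeholder advisory IDs; the file name `audit-gate.js`, the `--stdin` switch and the plain-JSON allowlist file are assumptions.

```javascript
'use strict';

// npm's severity ladder; gating at "high" means high and critical fail the build.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const GHSA_RE = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i;

// Collect the GHSA IDs behind one vulnerability entry. In the v2 report, `via`
// holds advisory objects (carrying a GitHub advisory URL) for packages that are
// vulnerable themselves, and plain package-name strings for packages that are
// only vulnerable because they depend on a flagged package; the strings are
// followed so an inherited finding resolves to the root advisories.
function advisoryIds(name, vulnerabilities, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const ids = [];
  for (const v of vulnerabilities[name]?.via ?? []) {
    if (typeof v === 'string') {
      ids.push(...advisoryIds(v, vulnerabilities, seen));
    } else if (v && typeof v.url === 'string') {
      const m = v.url.match(GHSA_RE);
      if (m) ids.push(m[0].toUpperCase());
    }
  }
  return [...new Set(ids)];
}

// Decide whether a parsed `npm audit --json` report should fail the build.
// A finding at or above `level` blocks unless every advisory behind it is
// allowlisted; a finding whose advisory cannot be resolved fails closed.
function evaluateAudit(report, { level = 'high', allowlist = [] } = {}) {
  if (report.auditReportVersion !== 2) {
    throw new Error(`unsupported audit report version: ${report.auditReportVersion}`);
  }
  const threshold = SEVERITY_RANK[level];
  const allowed = new Set(allowlist.map((id) => id.toUpperCase()));
  const result = { fail: false, blocking: [], allowlisted: [], belowThreshold: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities)) {
    const ids = advisoryIds(name, report.vulnerabilities);
    const entry = { name, severity: vuln.severity, ids, fixAvailable: Boolean(vuln.fixAvailable) };
    if (SEVERITY_RANK[vuln.severity] < threshold) {
      result.belowThreshold.push(entry);
    } else if (ids.length > 0 && ids.every((id) => allowed.has(id))) {
      result.allowlisted.push(entry);
    } else {
      result.blocking.push(entry);
    }
  }
  result.fail = result.blocking.length > 0;
  return result;
}

// Constructed sample in the shape npm 7+ emits; package names and GHSA IDs are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-lib': {
      name: 'example-lib', severity: 'high', isDirect: false, fixAvailable: true,
      via: [{ source: 1000001, name: 'example-lib', title: 'Prototype pollution (constructed)',
              url: 'https://github.com/advisories/GHSA-aaaa-bbbb-cccc', severity: 'high', range: '<2.0.1' }],
    },
    'example-plugin': { // vulnerable only because it depends on example-lib
      name: 'example-plugin', severity: 'high', isDirect: true, fixAvailable: true,
      via: ['example-lib'],
    },
    'example-parser': {
      name: 'example-parser', severity: 'critical', isDirect: false, fixAvailable: false,
      via: [{ source: 1000002, name: 'example-parser', title: 'Code injection (constructed)',
              url: 'https://github.com/advisories/GHSA-dddd-eeee-ffff', severity: 'critical', range: '<5.1.0' }],
    },
    'example-glob': {
      name: 'example-glob', severity: 'moderate', isDirect: false, fixAvailable: true,
      via: [{ source: 1000003, name: 'example-glob', title: 'ReDoS (constructed)',
              url: 'https://github.com/advisories/GHSA-gggg-hhhh-iiii', severity: 'moderate', range: '<3.0.5' }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 1, total: 4 } },
};

// CLI use (assumed file name): npm audit --json | node audit-gate.js --stdin [allowlist.json]
// The optional allowlist file is plain JSON of the form {"allowlist": ["GHSA-..."]}.
// Exits 1 when the build should fail. Without --stdin the file only defines the functions.
if (typeof process !== 'undefined' && process.argv.includes('--stdin')) {
  const fs = require('node:fs');
  const allowlistFile = process.argv.slice(2).find((a) => a !== '--stdin');
  const allowlist = allowlistFile ? JSON.parse(fs.readFileSync(allowlistFile, 'utf8')).allowlist ?? [] : [];
  const verdict = evaluateAudit(JSON.parse(fs.readFileSync(0, 'utf8')), { level: 'high', allowlist });
  for (const e of verdict.blocking) console.error(`BLOCK ${e.severity} ${e.name} ${e.ids.join(',')} fix=${e.fixAvailable}`);
  for (const e of verdict.allowlisted) console.error(`ALLOW ${e.severity} ${e.name} ${e.ids.join(',')}`);
  process.exit(verdict.fail ? 1 : 0);
}
```

On the constructed report, gating at "high" with no allowlist blocks three packages (the critical parser and both the directly and the transitively affected high findings) and merely reports the moderate one; allowlisting the root advisory of example-lib clears example-plugin as well, while the unfixable critical finding still fails the build, which is the behaviour an allowlist should have.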
3. GitHub Dependency Review on Pull Requests
The GitHub Dependency Review Action is enabled on all pull requests. When a PR introduces or updates a dependency, GitHub will:
- Compare the dependency manifest before and after the change.
- Surface any newly introduced vulnerable packages inline in the PR diff.
- Block PR merges when new high/critical vulnerabilities are detected, provided the dependency-review job is configured as a required status check in branch protection. The action relies on the repository's dependency graph, which must be enabled for it to compare manifests.
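To make the "compare the manifest before and after" step concrete, the added example below (written for this page, not code from the Dependency Review action) diffs the `packages` map of two package-lock.json files (lockfileVersion 2 or 3) as found at the base and head commits, and reports every package that was added, removed, or moved to another version. Because the lockfile keys are install paths, a nested second copy of a package shows up as its own entry, which is exactly the case an npm overrides pin can miss; dev-only entries carry `dev: true`, which is what lets a production gate ignore them. The two lockfile excerpts are constructed with placeholder package names.

```javascript
'use strict';

// Package name from a lockfile path, including nested and scoped installs:
// "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Report every package the change adds, removes, or moves to another version.
// `before` and `after` are parsed package-lock.json objects.
function diffLockfiles(before, after) {
  const changes = [];
  for (const [p, entry] of Object.entries(after.packages)) {
    if (p === '') continue; // "" is the root project itself
    const prev = before.packages[p];
    if (!prev) {
      changes.push({ path: p, name: packageName(p), kind: 'added', version: entry.version, dev: entry.dev === true });
    } else if (prev.version !== entry.version) {
      changes.push({ path: p, name: packageName(p), kind: 'changed', from: prev.version, version: entry.version, dev: entry.dev === true });
    }
  }
  for (const [p, entry] of Object.entries(before.packages)) {
    if (p !== '' && !(p in after.packages)) {
      changes.push({ path: p, name: packageName(p), kind: 'removed', version: entry.version, dev: entry.dev === true });
    }
  }
  return changes.sort((a, b) => a.path.localeCompare(b.path));
}

// The subset a production gate needs to check against the advisory database:
// packages newly present (or at a new version) in the head lockfile that ship
// to production. Dev-only tooling and removed packages are excluded.
function newProductionPackages(changes) {
  return changes.filter((c) => c.kind !== 'removed' && !c.dev);
}

// Constructed lockfile excerpts for the base and head commits (placeholder names).
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.410' },
  'node_modules/example-lib': { version: '1.9.0' },
  'node_modules/example-plugin': { version: '3.0.0' },
  'node_modules/example-old': { version: '0.1.0' },
  'node_modules/example-test-runner': { version: '8.0.0', dev: true },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.411' },
  'node_modules/example-lib': { version: '2.0.1' },
  'node_modules/example-plugin': { version: '3.0.0' },
  'node_modules/example-plugin/node_modules/example-lib': { version: '1.9.0' }, // nested old copy
  'node_modules/example-new': { version: '1.0.0' },
  'node_modules/example-test-runner': { version: '8.1.0', dev: true },
} };
```

Run against the two excerpts, the diff lists five changes; the production subset is the upgraded top-level example-lib, the new example-new, and the nested 1.9.0 copy of example-lib that example-plugin still pulls in. That last entry is the one to look at: the top-level upgrade alone does not remove the old version from the tree.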
Key Dependencies Covered
The following packages — among all others in the dependency tree — are now automatically checked on every CI run:
| Package | Why It Matters |
|---|---|
| bcryptjs | Password and credential hashing |
| next-auth | HMRC OAuth session management |
| stripe | Payment processing |
| @aws-sdk/* (scoped packages) | Encrypted credential storage and S3/Secrets Manager access |
Developer Guidance
Resolving a Failed Audit
If your CI build fails due to a vulnerability, follow these steps:
- Run `npm audit` locally to view the full vulnerability report.
- Run `npm audit fix` to automatically apply safe, non-breaking upgrades where available.
- For breaking upgrades, review the changelog of the affected package and update manually.
- If a vulnerability exists in a transitive dependency with no fix available from its parent, you may need to use `npm audit fix --force` cautiously (it installs semver-major upgrades of the parent packages, which can break the application), or pin the transitive dependency version in package.json using the `overrides` field (npm v8.3+) and then run `npm install` so package-lock.json picks up the override:
// package.json — forcing a safe transitive dependency version
"overrides": {
"vulnerable-transitive-package": ">=2.0.1"
}
Allowlisting a Known Acceptable Vulnerability
If a vulnerability is flagged but has been reviewed and accepted (e.g. no exploitable code path in this application), configure audit-ci with an allowlist rather than suppressing the entire audit:
// audit-ci.jsonc
{
"high": true,
"allowlist": ["GHSA-xxxx-xxxx-xxxx"]
}
All allowlisted CVEs must be documented with a justification in the PR that introduces the allowlist entry.
Compliance Notes
This control supports the platform's obligations under:
- HMRC's MTD security expectations for software accessing the ITSA APIs.
- OWASP Top 10 A06:2021 — Vulnerable and Outdated Components.
- Internal security policy requiring that no high or critical CVEs are present in production dependencies.
Related
- Changelog — v1.0.411
- GitHub Dependency Review Action: https://github.com/actions/dependency-review-action
- npm audit documentation: https://docs.npmjs.com/cli/v10/commands/npm-audit