PCI-DSS 4.0 Req 11.3 requires that vulnerabilities in system components are identified and addressed via a vulnerability management program; Req 6.3 requires that security vulnerabilities are identified and ranked by risk. Without automated scheduled scanning, a critical CVE in an npm dependency or a container base image can linger for months before anyone notices. SLSA L2 requires build provenance and dependency tracking. CWE-1357 (Reliance on Uncontrolled Component) is exploitable whenever a dependency with a known CVE is in the production dependency tree and no process monitors for it.
High because undetected vulnerabilities in dependencies or infrastructure components accumulate silently and create exploitable attack surfaces that a scheduled scanner would catch within days of CVE publication.
Configure at least one automated vulnerability scanner on a weekly or daily schedule in CI/CD — manual npm audit runs don't satisfy PCI-DSS 4.0 Req 11.3 because they are not continuous. Use both Dependabot for dependency updates and Trivy for container/filesystem scanning.
# .github/workflows/security-scan.yml
on:
  schedule:
    - cron: '0 2 * * 0' # Weekly Sunday 02:00 UTC
  push:
    branches: [main]
# upload-sarif needs write access to code scanning results; the default
# GITHUB_TOKEN permissions are read-only, so grant it explicitly
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master # prefer a release tag or commit SHA pin
        with:
          scan-type: fs
          format: sarif
          output: trivy-results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
Also add .github/dependabot.yml with interval: weekly so dependency PRs are opened automatically — the scanner finds issues; Dependabot fixes them.
ID: ecommerce-pci.network-security.vulnerability-scanning
Severity: high
What to look for: Count all vulnerability scanning tools configured in the project. Check for at least 1 of: snyk, trivy, npm audit, dependabot, renovate, grype, or CodeQL in dependencies, GitHub Actions workflows, or CI/CD pipeline configs. For each scanner found, check whether it runs on a schedule (cron expression or schedule: config). Count the number of scan schedule configurations. Enumerate all .github/workflows/*.yml and CI config files and check for security scan steps.
Pass criteria: At least 1 automated vulnerability scanner is configured with a scheduled run frequency of at least weekly (cron expression with at least weekly interval, or schedule: interval: daily/weekly). At least 1 of: GitHub Actions workflow with security scan, Dependabot config (.github/dependabot.yml), or CI pipeline with scan step. Report: "X scanning tools found, Y with scheduled runs."
Fail criteria: No vulnerability scanning tools configured, or scanning exists but has no schedule (manual-only, no cron or schedule config). Does not count as pass when only npm audit exists as a manual script without CI/CD integration.
Skip (N/A) when: No CDE infrastructure to scan (no deployable application, no dependencies, no infrastructure code).
Detail on fail: Describe the gap. Example: "0 vulnerability scanners found in .github/workflows/ or CI config. No dependabot.yml present. npm audit exists in package.json scripts but is not automated." or "Trivy configured in CI but runs only on push (no schedule). 0 scheduled scans."
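As an added example (not part of the rule text or of any scanner's own code), the following Python checker implements the "What to look for", pass, fail and skip logic above over an in-memory map of repository files. The file paths, regexes, simplified cron semantics and sample repositories are all constructed assumptions; it treats a scanner as scheduled when the CI file it appears in declares a cron firing at least weekly (or a Dependabot interval of daily/weekly), and it reports in the "X scanning tools found, Y with scheduled runs." format the rule asks for.

```python
import re

# Scanner detection patterns, mirroring the tool list in "What to look for".
# CodeQL only counts when an init/analyze step is present: upload-sarif alone
# (used to publish Trivy results) is not a scan. Constructed for this example.
SCANNER_PATTERNS = {
    "snyk": re.compile(r"\bsnyk\b", re.I),
    "trivy": re.compile(r"\btrivy\b", re.I),
    "npm audit": re.compile(r"\bnpm\s+audit\b", re.I),
    "dependabot": re.compile(r"\bdependabot\b", re.I),
    "renovate": re.compile(r"\brenovate\b", re.I),
    "grype": re.compile(r"\bgrype\b", re.I),
    "codeql": re.compile(r"codeql-action/(?:init|analyze)", re.I),
}
CRON_RE = re.compile(r"^\s*-\s*cron:\s*['\"]?([^'\"#\n]+?)['\"]?\s*(?:#.*)?$", re.M)
INTERVAL_RE = re.compile(r"^\s*interval:\s*['\"]?(\w+)['\"]?", re.M | re.I)
# Assumed locations of CI / scanner config and of deployable code (skip criterion).
CI_PATHS = (".github/workflows/", ".github/dependabot.yml", "renovate.json", ".gitlab-ci.yml", "Jenkinsfile")
DEPLOYABLE = ("package.json", "Dockerfile", "requirements.txt", "go.mod", ".tf")


def _cron_field_fires_within(field: str, days: int) -> bool:
    """'*' fires every day; '*/N' every N days; any other value is treated as restricted."""
    if field == "*":
        return True
    m = re.fullmatch(r"\*/(\d+)", field)
    return m is not None and int(m.group(1)) <= days


def cron_at_least_weekly(expr: str) -> bool:
    """Simplified 5-field cron check (assumes standard 'min hour dom month dow').
    Fires at least weekly when the month is unrestricted and either the day-of-month
    field fires at least every 7 days or the day-of-week field names specific days
    (cron fires when either day field matches)."""
    fields = expr.split()
    if len(fields) != 5:
        return False
    _minute, _hour, dom, month, dow = fields
    return month == "*" and (_cron_field_fires_within(dom, 7) or dow != "*")


def file_has_weekly_schedule(path: str, text: str) -> bool:
    """Workflow: a `schedule:` cron firing at least weekly. Dependabot: interval daily or weekly."""
    if path.endswith("dependabot.yml"):
        return any(m.group(1).lower() in ("daily", "weekly") for m in INTERVAL_RE.finditer(text))
    if "schedule:" not in text:
        return False
    return any(cron_at_least_weekly(m.group(1).strip()) for m in CRON_RE.finditer(text))


def evaluate(files: dict) -> dict:
    """files maps repo-relative path -> content. Returns verdict, per-tool schedule map and detail."""
    if not any(p.endswith(DEPLOYABLE) for p in files):
        return {"verdict": "skip", "tools": {}, "detail": "No CDE infrastructure to scan."}
    tools = {}  # tool name -> True if it runs on an at-least-weekly schedule
    for path, text in files.items():
        if not path.startswith(CI_PATHS):
            continue
        scheduled = file_has_weekly_schedule(path, text)
        haystack = path + "\n" + text  # dependabot.yml / renovate.json identify the tool by file name
        for tool, pattern in SCANNER_PATTERNS.items():
            if pattern.search(haystack):
                tools[tool] = tools.get(tool, False) or scheduled
    found, scheduled_count = len(tools), sum(tools.values())
    detail = f"{found} scanning tools found, {scheduled_count} with scheduled runs."
    if scheduled_count == 0:
        manual = [p for p, t in files.items() if p.endswith("package.json") and SCANNER_PATTERNS["npm audit"].search(t)]
        if manual:
            detail += f" npm audit exists in {manual[0]} scripts but is not automated."
        for tool, sched in tools.items():
            if not sched:
                detail += f" {tool} configured in CI but has no at-least-weekly schedule."
    return {"verdict": "pass" if scheduled_count >= 1 else "fail", "tools": tools, "detail": detail}


# Constructed sample repositories (not real projects) covering pass, fail and skip.
TRIVY_WORKFLOW = (
    "name: Vulnerability Scan\non:\n  schedule:\n    - cron: '{cron}'  # constructed\n"
    "  push:\n    branches: [main]\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n"
    "      - uses: actions/checkout@v4\n      - uses: aquasecurity/trivy-action@master\n"
    "      - uses: github/codeql-action/upload-sarif@v3\n"
)
PUSH_ONLY_WORKFLOW = "on:\n  push:\n    branches: [main]\njobs:\n  scan:\n    steps:\n      - uses: aquasecurity/trivy-action@master\n"
DEPENDABOT = 'version: 2\nupdates:\n  - package-ecosystem: "npm"\n    directory: "/"\n    schedule:\n      interval: "weekly"\n'
PACKAGE_JSON = '{"name": "shop", "scripts": {"audit": "npm audit --audit-level=moderate"}}'
SAMPLE_REPOS = {
    "weekly_trivy_and_dependabot": {
        "package.json": PACKAGE_JSON,
        ".github/workflows/security-scan.yml": TRIVY_WORKFLOW.format(cron="0 2 * * 0"),
        ".github/dependabot.yml": DEPENDABOT,
    },
    "monthly_trivy": {"package.json": PACKAGE_JSON, ".github/workflows/security-scan.yml": TRIVY_WORKFLOW.format(cron="0 2 1 * *")},
    "push_only_trivy": {"package.json": PACKAGE_JSON, ".github/workflows/scan.yml": PUSH_ONLY_WORKFLOW},
    "manual_npm_audit_only": {"package.json": PACKAGE_JSON},
    "no_deployable_code": {"README.md": "# docs only"},
}

if __name__ == "__main__":
    for name, repo in SAMPLE_REPOS.items():
        result = evaluate(repo)
        print(f"{name}: {result['verdict']} - {result['detail']}")
```

The monthly cron (`0 2 1 * *`) and the push-only workflow both fail even though Trivy is configured, which is exactly the distinction the fail criteria draw between "scanner present" and "scanner scheduled at least weekly"; a real checker would read the files from disk instead of the in-memory map and should parse the YAML rather than regex it once the configs get more complex.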
Remediation: Set up automated scanning. Using GitHub Actions:
# .github/workflows/security-scan.yml
name: Vulnerability Scan
on:
  schedule:
    - cron: '0 2 * * 0' # Weekly on Sunday at 2 AM
  push:
    branches: [main]
# Required for upload-sarif; the default GITHUB_TOKEN is read-only
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master # prefer a release tag or commit SHA pin
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload to GitHub Security
        uses: github/codeql-action/upload-sarif@v3 # v2 is deprecated; matches the workflow above
        with:
          sarif_file: 'trivy-results.sarif'
      - name: Run npm audit
        run: npm audit --audit-level=moderate # fails the job on moderate or higher findings
      - name: Snyk scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
Also enable Dependabot in .github/dependabot.yml:
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    reviewers: ["security-team"]