Vulnerability scanning is scheduled for CDE infrastructure
Why it matters
PCI-DSS 4.0 Req 11.3 requires that vulnerabilities in system components are identified and addressed via a vulnerability management program; Req 6.3 requires that security vulnerabilities are identified and ranked by risk. Without automated scheduled scanning, a critical CVE in an npm dependency or a container base image can linger for months before anyone notices. SLSA L2 requires build provenance and dependency tracking. CWE-1357 (Reliance on Uncontrolled Component) is exploitable whenever a dependency with a known CVE is in the production dependency tree and no process monitors for it.
Severity rationale
High because undetected vulnerabilities in dependencies or infrastructure components accumulate silently and create exploitable attack surfaces that a scheduled scanner would catch within days of CVE publication.
Remediation
Configure at least one automated vulnerability scanner on a weekly or daily schedule in CI/CD — manual npm audit runs don't satisfy PCI-DSS 4.0 Req 11.3 because they are not continuous. Use both Dependabot for dependency updates and Trivy for container/filesystem scanning.
# .github/workflows/security-scan.yml
on:
  schedule:
    - cron: '0 2 * * 0' # Weekly Sunday 02:00 UTC
  push:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master # @master is a moving ref; pin a release tag or commit SHA for reproducible scans
        with:
          scan-type: fs
          format: sarif
          output: trivy-results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
Also add .github/dependabot.yml with interval: weekly so dependency PRs are opened automatically — the scanner finds issues; Dependabot fixes them.
Detection
- ID: vulnerability-scanning
- Severity: high
- What to look for: Count all vulnerability scanning tools configured in the project. Check for at least 1 of: snyk, trivy, npm audit, dependabot, renovate, grype, or CodeQL in dependencies, GitHub Actions workflows, or CI/CD pipeline configs. For each scanner found, check whether it runs on a schedule (cron expression or schedule: config). Count the number of scan schedule configurations. Enumerate all .github/workflows/*.yml and CI config files and check for security scan steps.
- Pass criteria: At least 1 automated vulnerability scanner is configured with a scheduled run frequency of at least weekly (cron expression with at least weekly interval, or schedule: interval: daily/weekly). At least 1 of: GitHub Actions workflow with security scan, Dependabot config (.github/dependabot.yml), or CI pipeline with scan step. Report: "X scanning tools found, Y with scheduled runs."
- Fail criteria: No vulnerability scanning tools configured, or scanning exists but has no schedule (manual-only, no cron or schedule config). Does not count as pass when only npm audit exists as a manual script without CI/CD integration.
- Skip (N/A) when: No CDE infrastructure to scan (no deployable application, no dependencies, no infrastructure code).
- Detail on fail: Describe the gap. Example: "0 vulnerability scanners found in .github/workflows/ or CI config. No dependabot.yml present. npm audit exists in package.json scripts but is not automated." or "Trivy configured in CI but runs only on push (no schedule). 0 scheduled scans."
- Remediation: Set up automated scanning. Using GitHub Actions:

# .github/workflows/security-scan.yml
name: Vulnerability Scan
on:
  schedule:
    - cron: '0 2 * * 0' # Weekly on Sunday at 2 AM
  push:
    branches: [main]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload to GitHub Security
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
      - name: Run npm audit
        run: npm audit --audit-level=moderate
      - name: Snyk scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Also enable Dependabot in dependabot.yml:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    reviewers: ["security-team"]
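A reference implementation of the detection logic above, added here as an example and not part of this rule's own tooling: it walks constructed workflow, Dependabot and package.json contents, counts scanner references, treats a cron as at-least-weekly only when it is not restricted to particular days of the month or particular months, and emits the "X scanning tools found, Y with scheduled runs." report. The sample repository contents and the regex-based YAML matching (no YAML parser) are assumptions of the example.

```python
import re

# Scanner identifiers the rule lists; matched as substrings of `uses:`/`run:` lines.
SCANNERS = ("snyk", "trivy", "npm audit", "dependabot", "renovate", "grype", "codeql")

def cron_at_least_weekly(expr):
    """A 5-field cron fires at least weekly only if day-of-month and month are '*'."""
    f = expr.split()
    return len(f) == 5 and f[2] == "*" and f[3] == "*"

def workflow_scanners(text):
    """Scanner names referenced by `uses:` or `run:` lines of a workflow."""
    found = set()
    for m in re.finditer(r"^\s*-?\s*(?:uses|run):\s*(.+)$", text, re.M):
        found.update(s for s in SCANNERS if s in m.group(1).lower())
    return found
def workflow_scheduled(text):
    """True when the workflow has a `schedule:` cron that fires at least weekly."""
    crons = re.findall(r"-\s*cron:\s*['\"]([^'\"]+)['\"]", text)
    return any(cron_at_least_weekly(c) for c in crons)
def evaluate(files):
    """files maps repo path -> content. Returns (tools, scheduled, verdict, report)."""
    tools, scheduled = set(), set()
    for path, text in files.items():
        if path.endswith("dependabot.yml"):
            tools.add("dependabot")
            if re.search(r"interval:\s*['\"]?(daily|weekly)\b", text):
                scheduled.add("dependabot")
        elif path.startswith(".github/workflows/"):
            found = workflow_scanners(text)
            tools |= found
            if workflow_scheduled(text):
                scheduled |= found  # every scanner step of a scheduled workflow counts
        elif path == "package.json" and "npm audit" in text:
            tools.add("npm audit")  # manual script only: found, but never scheduled
    report = f"{len(tools)} scanning tools found, {len(scheduled)} with scheduled runs."
    return len(tools), len(scheduled), "pass" if scheduled else "fail", report

# Constructed sample repositories (not real projects): one passing, one failing.
PASSING = {
    ".github/workflows/security-scan.yml":
        "on:\n  schedule:\n    - cron: '0 2 * * 0'\njobs:\n  scan:\n    steps:\n"
        "      - uses: aquasecurity/trivy-action@master\n      - run: npm audit\n",
    ".github/dependabot.yml": "version: 2\nupdates:\n  - schedule:\n      interval: weekly\n",
}
FAILING = {  # Trivy runs on push only; npm audit exists only as a manual script
    ".github/workflows/scan.yml":
        "on:\n  push:\njobs:\n  scan:\n    steps:\n      - uses: aquasecurity/trivy-action@master\n",
    "package.json": '{"scripts": {"audit": "npm audit"}}',
}
```

Calling `evaluate(PASSING)` yields a pass with 3 tools, all scheduled; `evaluate(FAILING)` yields a fail with 2 tools found and 0 scheduled, matching the second "Detail on fail" example above.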
External references
- pci-dss:4.0 · Req 11.3 — External and internal vulnerabilities are regularly identified, prioritized, and addressed
- pci-dss:4.0 · Req 6.3 — Security vulnerabilities are identified and addressed
- cwe · CWE-1357 — Reliance on Insufficiently Trustworthy Component
- nist:rev5 · RA-5 — Vulnerability Monitoring and Scanning
- slsa:1.0 · L2 — Provenance verification
Taxons
History
- 2026-04-18·v1.0.0·Initial import from ecommerce-pci·automated