CMMC 2.0 SI.L1-3.14.1 (NIST 800-171r2 3.14.1) requires that organizations identify information system flaws, report them, and correct them. Known vulnerabilities in npm dependencies — tracked in CVE databases and surfaced by tools like npm audit — represent documented attack vectors. A critical vulnerability in a dependency used in an FCI-handling system is a direct compliance finding if no scanning process exists. CWE-1395 and SSDF RV.2 (Verify and Validate Software) require automation so that new CVEs are caught promptly rather than discovered only when exploited. Without a committed lock file, builds are not reproducible and vulnerability scanning results are inconsistent.
High, because known critical CVEs in production dependencies are documented, weaponized attack paths rather than theoretical risks, and routine automated scanning would detect them before an attacker does.
Add Dependabot for weekly automatic PR generation on vulnerable packages, and add npm audit to every CI run so a build fails before a change that introduces new vulnerabilities can be merged:
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'weekly'
    open-pull-requests-limit: 10
# .github/workflows/security.yml
name: Security Scan
# A workflow needs an `on:` trigger to run at all; scan every push and PR to main.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      # `npm ci` installs exactly the tree pinned in package-lock.json.
      - run: npm ci
      # Fails the job on any high or critical advisory.
      - run: npm audit --audit-level=high
Commit package-lock.json to version control. Without it, each install can resolve a different dependency tree, so npm audit reports on a tree that may not match what is actually deployed. Run npm audit locally before the first commit to establish a clean baseline.
ID: gov-cmmc-level-1.system-integrity.flaw-remediation
Severity: high
CMMC Practice: SI.L1-3.14.1
What to look for: Check for automated dependency vulnerability scanning configuration. Look for .github/dependabot.yml or .github/renovate.json for automated update configuration. Examine CI/CD workflow files (.github/workflows/*.yml) for security scanning steps (npm audit, snyk, trivy, or similar). Check for a committed lock file (package-lock.json or yarn.lock); without one, reproducible builds are impossible. Look at dependency versions: if major versions are far behind their latest releases, that signals a lack of update discipline.
Pass criteria: List all automated vulnerability scanning tools configured in the project. At least 1 scanning tool is configured (Dependabot, Snyk, Renovate, or similar). CI/CD pipeline includes vulnerability scanning. Lock file is committed. Zero known critical vulnerabilities in current dependencies. Report: "X scanning tools configured; lock file [present/absent]; Y known critical vulnerabilities."
Fail criteria: No automated vulnerability scanning configured. No CI/CD security scan step. Lock file absent or not committed. Known critical vulnerabilities present in the dependency tree.
Skip (N/A) when: Never — all projects with external dependencies must track vulnerabilities.
Detail on fail: Identify the scanning gap. Example: "No dependabot.yml, no Snyk config, no npm audit in CI. package-lock.json not committed. npm audit shows 3 critical vulnerabilities in serialize-javascript and lodash." Keep under 500 characters.
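The "What to look for" and pass/fail criteria above can be applied mechanically. The following is an added example (not part of this check or of any scanner's code) that evaluates a repository, given as a {path: contents} mapping, together with the JSON that `npm audit --json` emits, and produces the one-line report the pass criteria ask for. It assumes the config file names listed in UPDATE_CONFIGS (the Snyk policy file `.snyk` and the pnpm lock file are additions beyond the paths the check names) and relies only on the `metadata.vulnerabilities` summary, which both npm 6 and npm 7+ reports carry.

```python
import json
import re

# Config files whose presence shows an automated update/scan tool is configured
# (the paths the check names, plus the Snyk policy file; assumption, not from the check).
UPDATE_CONFIGS = {".github/dependabot.yml": "Dependabot", ".github/renovate.json": "Renovate",
                  "renovate.json": "Renovate", ".snyk": "Snyk"}
# A CI workflow counts as having a scan step if it invokes one of these tools.
SCAN_STEP = re.compile(r"npm audit|snyk|trivy", re.IGNORECASE)
LOCK_FILES = ("package-lock.json", "yarn.lock", "pnpm-lock.yaml")


def evaluate(repo_files, audit_json):
    """Apply the pass/fail criteria to a {path: contents} view of a repo and an
    `npm audit --json` document; returns the findings and the one-line report."""
    tools = sorted({tool for path, tool in UPDATE_CONFIGS.items() if path in repo_files})
    ci_scan = any(path.startswith(".github/workflows/") and SCAN_STEP.search(body)
                  for path, body in repo_files.items())
    lock_present = any(name in repo_files for name in LOCK_FILES)
    audit = json.loads(audit_json)
    # metadata.vulnerabilities.<severity> counts exist in both npm 6 and npm 7+ reports.
    critical = int(audit.get("metadata", {}).get("vulnerabilities", {}).get("critical", 0))
    # npm 7+ keys `vulnerabilities` by package name with a `severity` field (npm 6 does not).
    critical_pkgs = sorted(name for name, v in audit.get("vulnerabilities", {}).items()
                           if isinstance(v, dict) and v.get("severity") == "critical")
    passed = bool(tools) and ci_scan and lock_present and critical == 0
    lock = "present" if lock_present else "absent"
    return {"tools": tools, "ci_scan": ci_scan, "lock_present": lock_present,
            "critical": critical, "critical_packages": critical_pkgs, "passed": passed,
            "report": f"{len(tools)} scanning tools configured; lock file {lock}; "
                      f"{critical} known critical vulnerabilities"}


# Constructed sample repo: a CI workflow with no audit step, no update-tool config,
# no lock file, and an npm 7+-style audit report with two critical findings.
SAMPLE_REPO = {
    "package.json": '{"name": "fci-portal", "dependencies": {"lodash": "4.17.15"}}',
    ".github/workflows/ci.yml": "jobs:\n  build:\n    steps:\n      - run: npm test\n",
}
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {"lodash": {"severity": "critical"},
                        "serialize-javascript": {"severity": "critical"}},
    "metadata": {"vulnerabilities": {"high": 1, "critical": 2, "total": 3}},
})

if __name__ == "__main__":
    result = evaluate(SAMPLE_REPO, SAMPLE_AUDIT)
    print(result["report"])  # 0 scanning tools configured; lock file absent; 2 known critical vulnerabilities
```

On a real checkout, build the mapping by walking the working tree (skipping .git) and pass the captured output of `npm audit --json`; the `critical_packages` list feeds the "Detail on fail" sentence.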
Remediation: Configure automated vulnerability scanning and add security checks to CI:
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'weekly'
    open-pull-requests-limit: 10
# .github/workflows/security.yml
name: Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '0 8 * * 1'
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      - run: npm audit --audit-level=high
Commit your lock file so builds are reproducible and auditable:
git add package-lock.json
git commit -m "chore: commit lock file for reproducible builds and security auditing"