Dependency vulnerability scanning enabled
Why it matters
Known vulnerabilities in dependencies are one of the most reliable attack paths for automated exploitation. CWE-1357 (Reliance on Insufficiently Trustworthy Component) and OWASP A06 (Vulnerable and Outdated Components) document that unpatched CVEs are commonly exploited within days of public disclosure. NIST 800-53 SA-10 and SSDF PW.4 both require regular assessment of component security. Projects without automated scanning may not discover a critical CVE in a transitive dependency until a breach occurs. Dependabot or npm audit in CI catches these before they ship to production.
Severity rationale
Rated low because the control is preventive: it stops exploitation of known CVEs, so the residual risk stays low only while scanning runs continuously; without it, the effective severity of any undetected CVE is unbounded.
Remediation
Add Dependabot and an npm audit gate to your CI pipeline:
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly

# .github/workflows/ci.yml
- name: Audit dependencies
  run: npm audit --audit-level=high
Merge Dependabot PRs for high/critical CVEs within 72 hours. For false positives or dev-only dependencies, use .npmrc audit-level overrides, not blanket suppression.
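The gate above relies on npm's built-in threshold. The following added example (not code from the original page) reproduces the same decision over the JSON output of npm audit and shows how to record a per-package waiver with a written reason, so that a dev-only dependency or a confirmed false positive is excused individually rather than by lowering the level for the whole project. The report embedded in the script is a constructed sample in the shape of `npm audit --json` (npm 7 and later); the package names and advisory ids are invented, and the waiver structure is this example's own convention, not an npm feature.

```python
"""Severity gate over the JSON output of `npm audit`.

Added example, not code from the original page: it reproduces the decision
that `npm audit --audit-level=high` makes in CI, and records per-package
waivers with a reason instead of lowering the level for the whole project.
The report below is a constructed sample in the shape of `npm audit --json`
from npm 7 and later; package names and advisory ids are invented.
"""
import json
import sys

# Severity ladder used by npm's --audit-level flag, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample report, trimmed to the fields the gate reads.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": True,
            "via": [{"source": 1001, "title": "Prototype pollution (constructed)",
                     "url": "https://example.invalid/advisory/1001"}],
            "range": "<2.0.0", "fixAvailable": True,
        },
        "example-dev-tool": {
            "name": "example-dev-tool", "severity": "critical", "isDirect": True,
            "via": [{"source": 1002, "title": "Command injection in CLI (constructed)",
                     "url": "https://example.invalid/advisory/1002"}],
            "range": "<5.1.0", "fixAvailable": False,
        },
        "example-logger": {
            "name": "example-logger", "severity": "moderate", "isDirect": False,
            "via": ["example-parser"],  # transitive: reached through example-parser
            "range": "*", "fixAvailable": True,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 1, "total": 3}},
})


def meets_level(severity, audit_level):
    """True when `severity` is at or above the configured audit level."""
    return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(audit_level)


def gate(report_json, audit_level="high", waivers=None):
    """Evaluate a report and return (passed, blocking, waived).

    `waivers` maps a package name to a written reason. A waiver silences only
    that package; every other finding at or above `audit_level` still blocks.
    """
    waivers = waivers or {}
    report = json.loads(report_json)
    blocking, waived = [], []
    for name, vuln in report.get("vulnerabilities", {}).items():
        if not meets_level(vuln["severity"], audit_level):
            continue  # below the gate: reported by npm, but not blocking
        finding = {"name": name, "severity": vuln["severity"],
                   "direct": vuln.get("isDirect", False),
                   "fix_available": bool(vuln.get("fixAvailable"))}
        if name in waivers:
            finding["reason"] = waivers[name]
            waived.append(finding)
        else:
            blocking.append(finding)
    return (not blocking, blocking, waived)


def main(report_json=SAMPLE_AUDIT_JSON, audit_level="high"):
    """Print findings and return the process exit code (1 when the gate fails)."""
    # Waivers live in version control next to the pipeline, one line per package.
    waivers = {"example-dev-tool": "dev-only CLI, never shipped (constructed reason)"}
    passed, blocking, waived = gate(report_json, audit_level, waivers)
    for f in blocking:
        print("BLOCK %-8s %s (direct=%s, fix available=%s)"
              % (f["severity"], f["name"], f["direct"], f["fix_available"]))
    for f in waived:
        print("WAIVE %-8s %s: %s" % (f["severity"], f["name"], f["reason"]))
    return 0 if passed else 1


if __name__ == "__main__":
    # Pipeline usage: npm audit --json | python audit_gate.py
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    sys.exit(main(data or SAMPLE_AUDIT_JSON))
```

With the sample report the gate still fails on example-parser even after example-dev-tool is waived, which is the intended behaviour: a waiver documents one accepted exception and leaves the threshold for everything else untouched.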
Detection
- ID: dependency-vuln-scanning
- Severity: low
- What to look for: Count all CI/CD pipelines and check whether dependency scanning (npm audit, Snyk, Dependabot, Renovate) is configured. Look for dependency vulnerability scanning configured in the project: check for Dependabot configuration (.github/dependabot.yml), Renovate config (renovate.json), Snyk config (.snyk), or evidence that npm audit or yarn audit is run in CI/CD workflows (.github/workflows/). Also check whether the project's GitHub repository has security alerts enabled.
- Pass criteria: Dependency vulnerability scanning is configured and runs automatically on PRs or on a regular schedule. High and critical CVEs trigger alerts or block deployment, with at least one automated scanning tool running on every build. Report: "X CI/CD pipelines found, Y include dependency scanning."
- Fail criteria: No automated dependency scanning configured. npm audit not in CI pipeline. No Dependabot, Renovate, or Snyk integration.
- Skip (N/A) when: Never; all projects with dependencies should have vulnerability scanning.
- Detail on fail: "No dependency vulnerability scanning configured — .github/dependabot.yml not found and npm audit not in CI pipeline" or "Dependabot configured for version updates but security alerts not separately enabled"
- Remediation: Add Dependabot with security alerts:
    # .github/dependabot.yml
    version: 2
    updates:
      - package-ecosystem: npm
        directory: /
        schedule:
          interval: weekly
        open-pull-requests-limit: 10
  Add npm audit to your CI pipeline:
    # .github/workflows/security.yml
    - name: Check for vulnerabilities
      run: npm audit --audit-level=high
  Or install Snyk for richer reporting:
    npx snyk test --severity-threshold=high
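The detection criteria above can be applied mechanically to a checked-out repository. The following added example (not the scanner's own implementation) does that: it looks for the tool configuration files named in the criteria, counts workflow files under .github/workflows/, flags the ones that run an audit command, and produces the "X CI/CD pipelines found, Y include dependency scanning" report together with the fail detail. It goes slightly beyond the page by also recognising dependabot.yaml, .renovaterc and pnpm audit, which are the tools' documented conventions; the command regex is an assumption, and the sample repositories are constructed in a temporary directory. The GitHub security-alerts setting is a repository setting rather than a file in the tree, so this local check does not evaluate it.

```python
"""Local check for the dependency-vuln-scanning rule.

Added example, not the scanner's own implementation: it applies the detection
criteria to a repository tree and produces the "X CI/CD pipelines found,
Y include dependency scanning" report. The sample repositories are constructed
in a temporary directory. dependabot.yaml, .renovaterc and pnpm audit are added
from the tools' documented conventions; the command regex is an assumption.
"""
import re
import tempfile
from pathlib import Path

# Evidence that a scanning tool runs as a workflow step.
AUDIT_COMMAND = re.compile(r"\b(npm audit|yarn audit|pnpm audit|snyk test|snyk monitor)\b")

# Standalone tool configuration files, relative to the repository root.
TOOL_CONFIGS = {
    ".github/dependabot.yml": "dependabot",
    ".github/dependabot.yaml": "dependabot",
    "renovate.json": "renovate",
    ".renovaterc": "renovate",
    ".snyk": "snyk",
}


def check_repo(root):
    """Apply the pass/fail criteria to one repository and return a report dict."""
    root = Path(root)
    tools = sorted({tool for rel, tool in TOOL_CONFIGS.items() if (root / rel).is_file()})

    workflow_dir = root / ".github" / "workflows"
    workflows = []
    if workflow_dir.is_dir():
        workflows = sorted(list(workflow_dir.glob("*.yml")) + list(workflow_dir.glob("*.yaml")))
    scanning = [wf.name for wf in workflows
                if AUDIT_COMMAND.search(wf.read_text(encoding="utf-8"))]

    # Whether GitHub security alerts are enabled is a repository setting, not a
    # file in the tree; a local check cannot see it and would need the API,
    # so that part of the criteria is not evaluated here.
    passed = bool(tools) or bool(scanning)
    if passed:
        detail = "Dependency scanning found: tools=%s, scanning workflows=%s" % (
            tools or "none", scanning or "none")
    else:
        detail = ("No dependency vulnerability scanning configured: "
                  ".github/dependabot.yml not found and npm audit not in CI pipeline")
    return {
        "id": "dependency-vuln-scanning",
        "severity": "low",
        "status": "pass" if passed else "fail",
        "tools": tools,
        "pipelines": len(workflows),
        "scanning_pipelines": scanning,
        "report": "%d CI/CD pipelines found, %d include dependency scanning"
                  % (len(workflows), len(scanning)),
        "detail": detail,
    }


def build_sample_repo(base, audit_step=True, dependabot=False):
    """Write a constructed repository: a build workflow plus optional scanning."""
    base = Path(base)
    wf = base / ".github" / "workflows"
    wf.mkdir(parents=True, exist_ok=True)
    (wf / "ci.yml").write_text(
        "name: CI\non: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - run: npm ci\n      - run: npm test\n", encoding="utf-8")
    if audit_step:
        (wf / "security.yml").write_text(
            "name: Security\non: [pull_request]\njobs:\n  audit:\n    runs-on: ubuntu-latest\n"
            "    steps:\n      - run: npm audit --audit-level=high\n", encoding="utf-8")
    if dependabot:
        (base / ".github" / "dependabot.yml").write_text(
            "version: 2\nupdates:\n  - package-ecosystem: npm\n    directory: /\n"
            "    schedule:\n      interval: weekly\n", encoding="utf-8")
    return base


def run_demo(audit_step=True, dependabot=False):
    """Build a sample repository in a temp dir, check it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return check_repo(build_sample_repo(tmp, audit_step=audit_step, dependabot=dependabot))


if __name__ == "__main__":
    # Three constructed cases: audit step present, nothing, Dependabot only.
    for kwargs in ({}, {"audit_step": False}, {"audit_step": False, "dependabot": True}):
        result = run_demo(**kwargs)
        print(result["status"], "|", result["report"], "|", result["detail"])
```

To run it against a real checkout, call check_repo on the repository root instead of the constructed one; a workflow that only runs npm ci and npm test counts toward the pipeline total but not toward the scanning total, which is exactly the gap the report is meant to surface.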
External references
- cwe · CWE-1357 — Reliance on Insufficiently Trustworthy Component
- owasp:2021 · A06 — Vulnerable and Outdated Components
- nist:rev5 · SA-10 — Developer Configuration Management
- ssdf:800-218 · PW.4 — Reuse Existing, Well-Secured Software
Taxons
History
- 2026-04-18·v1.0.0·Initial import from security-hardening·automated