
πŸ” Dependency Scanning Strategy

πŸ› οΈ Herramientas

╔════════════╤═════════════════════╤══════════════╗
║ Tool       │ What it detects     │ When it runs ║
╠════════════╪═════════════════════╪══════════════╣
║ Snyk       │ CVEs, licenses      │ PR + daily   ║
║ Dependabot │ Outdated deps       │ Weekly       ║
║ npm audit  │ npm vulnerabilities │ Pre-commit   ║
║ OWASP Dep  │ Java/.NET CVEs      │ CI build     ║
╚════════════╧═════════════════════╧══════════════╝

🎯 Severity Thresholds

  • Critical: Block merge, fix < 24h
  • High: Block merge, fix < 1 week
  • Medium: Warning, fix < 1 month
  • Low: Info, fix when convenient

📋 Response Process

  1. Alert triggered
     • Automated notification sent to security channel
     • Create tracking ticket automatically

  2. Review vulnerability details
     • Check CVE database for details
     • Assess actual impact on our codebase
     • Determine exploitability in our context

  3. If false positive → Document exemption
     • Add to EXEMPTIONS.md
     • Update scanner config to ignore
     • Require security lead approval

  4. If real → Patch or mitigate
     • Update dependency if patch available
     • Apply workaround if no patch exists
     • Remove dependency if not critical

  5. Verify fix
     • Re-run scanner
     • Test application functionality
     • Review for side effects

  6. Close ticket
     • Document resolution
     • Update runbooks if needed
     • Schedule follow-up review

🔄 Continuous Monitoring

Daily Scans

  • Run Snyk on main branch
  • Alert on new Critical/High findings
  • Auto-create tickets for new issues

Weekly Scans

  • Dependabot checks for updates
  • License compliance scan
  • Generate weekly report

Monthly Review

  • Review all open vulnerabilities
  • Re-assess exemptions
  • Update scanning policies
  • Review false positive rate

📊 Metrics to Track

  • Mean time to remediate (MTTR) by severity
  • Number of vulnerabilities introduced
  • False positive rate
  • Dependency freshness score
  • License compliance violations

🚫 Blocking Criteria

Block CI/CD if:

  • Critical vulnerability with known exploit
  • High vulnerability in production dependency
  • GPL/AGPL license in proprietary code
  • Dependency with no security updates in 2+ years

Warning only if:

  • Medium/Low vulnerabilities
  • DevDependency issues
  • Pre-release version issues
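The blocking and warning criteria above, expressed as a CI gate. This is an added example, not part of this strategy document or of any listed tool's output: `Finding` is a constructed, normalized record that a wrapper around the scanners would have to produce, and the sample packages and dates are made up.

```python
from dataclasses import dataclass
from datetime import date

COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}  # licenses banned in proprietary code
STALE_DAYS = 2 * 365                           # "no security updates in 2+ years"

@dataclass
class Finding:
    """Normalized scanner finding (constructed format, not a real tool's schema)."""
    package: str
    severity: str                  # "critical" | "high" | "medium" | "low" | "none"
    last_security_update: date
    known_exploit: bool = False
    dev_dependency: bool = False
    prerelease: bool = False
    license: str = "MIT"

def classify(f: Finding, today: date) -> tuple[str, str]:
    """Map one finding to ("block" | "warn" | "pass", reason) per the criteria."""
    if f.license in COPYLEFT:
        return "block", f"{f.package}: {f.license} license in proprietary code"
    if (today - f.last_security_update).days >= STALE_DAYS:
        return "block", f"{f.package}: no security updates in 2+ years"
    sev = f.severity.lower()
    if sev == "none":
        return "pass", f"{f.package}: no finding"
    # devDependency and pre-release issues only warn, whatever the severity
    if f.dev_dependency or f.prerelease:
        return "warn", f"{f.package}: {sev} in dev/pre-release dependency"
    if sev == "critical":
        note = " with known exploit" if f.known_exploit else ""
        return "block", f"{f.package}: critical vulnerability{note}"
    if sev == "high":
        return "block", f"{f.package}: high vulnerability in production dependency"
    return "warn", f"{f.package}: {sev} vulnerability"

def gate(findings: list[Finding], today: date) -> tuple[str, list[str]]:
    """Overall verdict: any block -> block, else any warn -> warn, else pass."""
    results = [classify(f, today) for f in findings]
    reasons = [r for d, r in results if d != "pass"]
    if any(d == "block" for d, _ in results):
        return "block", reasons
    if any(d == "warn" for d, _ in results):
        return "warn", reasons
    return "pass", reasons

# Constructed sample findings; package names and dates are invented.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("web-framework", "high", date(2024, 5, 20)),
    Finding("old-parser", "low", date(2021, 1, 15)),
    Finding("test-runner", "critical", date(2024, 4, 2), known_exploit=True, dev_dependency=True),
    Finding("chart-lib", "none", date(2024, 3, 9), license="AGPL-3.0"),
]

if __name__ == "__main__":
    verdict, why = gate(SAMPLE, TODAY)
    print(verdict, *why, sep="\n - ")
```

The license and staleness checks run before the severity check, so a dependency can be blocked even when the scanner reports no CVE for it, which is what the blocking criteria require.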