Stage 5 · Platform
Testing & Quality Gates
Dependency Scanning
Using Dependabot, npm audit, pip-audit, Trivy, and OSV-Scanner to catch vulnerable packages.
Dependency Risks
Modern applications depend on hundreds of packages. Each package is a potential attack vector. Supply chain attacks like Log4Shell, ua-parser-js, and event-stream have shown that compromised dependencies can affect millions of applications. Dependency scanning is not optional — it is essential.
Dependency scanning checks your dependencies against known vulnerability databases. It identifies packages with CVEs, outdated versions, and license compliance issues. Combined with automated updates, it keeps your dependency tree secure.
Dependabot
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "daily"
time: "06:00"
timezone: "America/New_York"
open-pull-requests-limit: 10
reviewers:
- "myorg/security-team"
labels:
- "dependencies"
- "security"
groups:
minor-and-patch:
update-types:
- "minor"
- "patch"
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
groups:
actions:
patterns:
- "*"
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "weekly"Dependabot creates PRs for dependency updates automatically. The groups configuration batches minor and patch updates into a single PR, reducing PR noise. Separate configurations for npm, Actions, and Docker address different dependency types.
npm audit
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
cache: npm
- run: npm ci
- name: Run npm audit
run: |
npm audit --audit-level=high
npm audit --json > audit-results.json || true
- name: Check for critical vulnerabilities
run: |
CRITICAL=$(node -e "
const audit = require('./audit-results.json');
const critical = audit.metadata?.vulnerabilities?.critical || 0;
console.log(critical);
")
if [ "$CRITICAL" -gt 0 ]; then
echo "::error::Found $CRITICAL critical vulnerabilities"
npm audit --omit=dev
exit 1
fi
- name: Dependency review
uses: actions/dependency-review-action@v4
if: github.event_name == 'pull_request'
with:
fail-on-severity: high
deny-licenses: GPL-3.0, AGPL-3.0npm audit checks for known vulnerabilities. --audit-level=high fails on high and critical vulnerabilities. The dependency-review-action blocks PRs that introduce new vulnerabilities or prohibited licenses.
pip-audit
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- name: Install dependencies
run: |
pip install -r requirements.txt
pip install pip-audit
- name: Audit dependencies
run: |
pip-audit \
--require-hashes \
--progress-spinner=off \
--output pip-audit-results.json \
--format json
- name: Fail on high-severity
run: |
pip-audit --severity highpip-audit checks Python dependencies against the OSV database. --require-hashes ensures only verified packages are audited. The JSON output enables custom filtering and reporting.
Trivy
jobs:
trivy-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Scan filesystem for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
scan-type: fs
scan-ref: .
format: sarif
output: trivy-fs.sarif
severity: HIGH,CRITICAL
- name: Build Docker image
run: docker build -t myapp:${{ github.sha }} .
- name: Scan Docker image
uses: aquasecurity/trivy-action@master
with:
image-ref: myapp:${{ github.sha }}
format: sarif
output: trivy-image.sarif
severity: HIGH,CRITICAL
- name: Upload results
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_files: trivy-fs.sarif,trivy-image.sarif
category: trivy
- name: Fail on critical
uses: aquasecurity/trivy-action@master
with:
scan-type: fs
scan-ref: .
exit-code: 1
severity: CRITICALTrivy scans both the filesystem (dependencies) and container images. It uses the OSV and NVD databases for vulnerability data. The SARIF upload creates inline annotations on the PR. The final step fails the pipeline on critical vulnerabilities.
OSV-Scanner
jobs:
osv-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install OSV-Scanner
run: |
curl -sSfL https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64 -o osv-scanner
chmod +x osv-scanner
sudo mv osv-scanner /usr/local/bin/
- name: Scan dependencies
run: |
osv-scanner --lockfile=package-lock.json --format=json --output=osv-results.json
osv-scanner --lockfile=package-lock.json
- name: Vulnerability check
run: |
VULNS=$(jq '.results[0].packages | length' osv-results.json 2>/dev/null || echo "0")
if [ "$VULNS" -gt 0 ]; then
echo "::warning::Found $VULNS vulnerable packages"
jq '.results[0].packages[] | "(.package.name): (.vulnerabilities[0].id)"' osv-results.json
fiOSV-Scanner uses Google's OSV database, which aggregates data from multiple vulnerability sources. It supports lock files directly and provides both human-readable and machine-readable output.
Use multiple tools for defense in depth. Dependabot for automated updates, npm audit for known CVEs, Trivy for container scanning, and OSV-Scanner for cross-ecosystem coverage. No single tool catches everything.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.