Your dependencies are your attack surface. Automated scanning finds known CVEs in libraries.
## Tools

```bash
# Trivy (universal): scans lockfiles/manifests in a directory, or a container image
trivy fs .
trivy image myapp:latest
# npm: fail only on high or critical advisories
npm audit --audit-level=high
# Python
pip-audit
# Go: reports only vulnerabilities reachable from your code
govulncheck ./...
```
## CI/CD

```yaml
- uses: aquasecurity/trivy-action@master
  with:
    scan-type: fs
    severity: HIGH,CRITICAL
    exit-code: 1
```

`severity` limits the report to the listed levels and `exit-code: 1` fails the job when any such finding remains. Note that `@master` floats; pinning the action to a release tag or commit SHA keeps the scanner itself from becoming an unreviewed dependency.
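As an added example (not part of this page, nor Trivy's own code), a Python severity gate over a Trivy JSON report: it applies the same HIGH,CRITICAL threshold and exit-code rule as the CI step above, honours a `.trivyignore` list (comment stripping after `#` is this example's own convention), and marks findings that have no fixed version. The report, package names and CVE ids are constructed sample data.

```python
import json

# Constructed sample in the shape of `trivy fs --format json .` output;
# package names, versions and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
         "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "other-lib",
         "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "minor-lib",
         "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1", "Severity": "LOW"},
    ]},
    # A clean target: Trivy emits null (or omits the key) rather than an empty list.
    {"Target": "requirements.txt", "Vulnerabilities": None},
]})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def parse_trivyignore(text):
    """Parse .trivyignore: one vulnerability id per line, '#' starts a comment."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids

def gate(report_json, min_severity="HIGH", ignore_ids=frozenset()):
    """Severity gate over a Trivy JSON report, mirroring what `severity: HIGH,CRITICAL`
    plus `exit-code: 1` do in the CI step. Returns (exit_code, findings); exit_code
    is 1 when any finding at or above min_severity survives the ignore list."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["VulnerabilityID"] in ignore_ids:
                continue
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            findings.append({
                "id": vuln["VulnerabilityID"], "target": result["Target"],
                "package": vuln["PkgName"], "severity": vuln["Severity"],
                # Empty FixedVersion means no upstream fix yet, so Dependabot cannot
                # close it; a dated ignore entry is the usual way to track it.
                "fixed": vuln.get("FixedVersion") or None,
            })
    return (1 if findings else 0), findings
```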
## Automated Updates

```yaml
# Dependabot (.github/dependabot.yml)
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
```
## Key Takeaway
Scan dependencies in CI/CD, automate updates with Dependabot/Renovate.