Your dependencies are your attack surface — every third-party library can contain a known vulnerability. Log4Shell (CVE-2021-44228) demonstrated how a single vulnerability in a popular library endangered millions of applications. Automated dependency scanning in the CI/CD pipeline is the minimum — it finds known CVEs before they reach production. Manual review with hundreds of transitive dependencies is not realistic.
Tools

```bash
# Trivy (universal: dependencies in a source tree, container images, IaC)
trivy fs .
trivy image myapp:latest

# npm: exit non-zero on high or critical advisories
npm audit --audit-level=high

# Python (pip-audit is a separate PyPA tool, install it first)
pip-audit

# Go: reports only vulnerabilities in code paths the program actually reaches
govulncheck ./...
```
Trivy is the most universal of these: it scans not only dependency manifests and lockfiles but also container images, Kubernetes manifests, and Terraform configuration. Snyk offers a developer-friendly UX with automatic fix PRs. npm audit ships with npm itself; pip-audit (maintained by the PyPA) and govulncheck (from the Go team) are installed separately, but each queries its own ecosystem's advisory database, and govulncheck additionally filters out vulnerabilities in functions your code never calls, which removes much of the noise. All of them find only known, published vulnerabilities; none of them finds a zero-day.
CI/CD

```yaml
# .github/workflows/scan.yml (excerpt): fail the job on HIGH/CRITICAL findings
steps:
  - uses: actions/checkout@v4
  - uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in production
    with:
      scan-type: fs
      scan-ref: .
      severity: HIGH,CRITICAL
      exit-code: '1'
```
Integrating the scan into CI/CD means a merge request that introduces a HIGH or CRITICAL finding cannot reach the main branch. Set an explicit severity threshold: fail the job on CRITICAL and HIGH, and let MEDIUM and LOW findings appear in the report without failing it (Trivy's severity levels are UNKNOWN, LOW, MEDIUM, HIGH and CRITICAL; there is no WARNING level). Consider `--ignore-unfixed` so that findings with no available fix do not block a merge nobody can act on yet. For container images, scan at build time and also rescan the images already in the registry or running in production on a schedule: a CVE published tomorrow makes an image that passed today vulnerable without a single code change. Note also that `@master` pins the action to a moving branch; in production pin it to a release tag or, better, a commit SHA, so that a compromised upstream cannot silently change what runs in your pipeline.
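The threshold policy described above, written out as a small gate over Trivy's JSON report. This is an added example, not code from the original page or from the Trivy project. It assumes `trivy fs --format json -o trivy.json .` has produced the report; the allowlist with an expiry date is this script's own convention, not a Trivy feature, and the embedded report is constructed in the shape of Trivy's JSON output, with CVE-2021-44228 (Log4Shell, discussed above) as the only real identifier and `EXAMPLE-*` as placeholders. Trivy's own `--severity`, `--exit-code` and `--ignore-unfixed` flags already cover the basic case; the script makes the decision logic explicit and adds time-boxed exceptions.

```python
"""Severity gate over a Trivy JSON report (added example; not Trivy's own code).

Policy: fail the build on CRITICAL/HIGH findings that already have a fix,
only report everything else (lower severities, findings with no fix yet) and
honour a time-boxed allowlist so an accepted risk cannot be forgotten.
Usage: trivy fs --format json -o trivy.json . && python gate.py trivy.json
"""
import json
import sys
from datetime import date

BLOCKING = {"CRITICAL", "HIGH"}

# Assumed allowlist format (this script's convention, not a Trivy feature):
# vulnerability ID -> date until which the finding is accepted.
ALLOWLIST = {"EXAMPLE-0002": date(2099, 1, 1)}

# Constructed sample report in the shape of Trivy's JSON output (SchemaVersion 2).
# CVE-2021-44228 is Log4Shell; the EXAMPLE-* IDs are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": ".",
    "Results": [
        {"Target": "pom.xml", "Class": "lang-pkgs", "Type": "pom",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-44228",
              "PkgName": "org.apache.logging.log4j:log4j-core",
              "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0",
              "Severity": "CRITICAL"}]},
        {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
         "Vulnerabilities": [
             # HIGH but no fix released yet: report, do not block
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "pkg-a",
              "InstalledVersion": "1.0.0", "FixedVersion": "", "Severity": "HIGH"},
             # HIGH with a fix, but allowlisted until 2099
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "pkg-b",
              "InstalledVersion": "3.2.0", "FixedVersion": "3.2.1", "Severity": "HIGH"},
             {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "pkg-c",
              "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1", "Severity": "MEDIUM"}]},
        # a clean target carries no "Vulnerabilities" key at all
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile"},
    ],
})


def findings(report):
    """Flatten Results[].Vulnerabilities[]; clean results lack the key or hold null."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def evaluate(report, today, allowlist=ALLOWLIST):
    """Split findings into (blocking, reported) lists of (target, id, pkg, severity, fix)."""
    blocking, reported = [], []
    for target, vuln in findings(report):
        vid = vuln["VulnerabilityID"]
        severity = (vuln.get("Severity") or "UNKNOWN").upper()
        fix = vuln.get("FixedVersion") or ""
        still_allowed = vid in allowlist and allowlist[vid] >= today
        entry = (target, vid, vuln.get("PkgName", "?"), severity, fix)
        if severity in BLOCKING and fix and not still_allowed:
            blocking.append(entry)
        else:
            reported.append(entry)
    return blocking, reported


def check(report_json, today_iso=None):
    """Return (exit_code, blocking_ids, reported_ids); exit code 1 means 'block the merge'."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    blocking, reported = evaluate(json.loads(report_json), today)
    return (1 if blocking else 0, [e[1] for e in blocking], [e[1] for e in reported])


def main(argv):
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    blocking, reported = evaluate(json.loads(report_json), date.today())
    for target, vid, pkg, severity, fix in reported:
        print(f"REPORT {severity:<8} {vid} {pkg} ({target}) fix: {fix or 'none yet'}")
    for target, vid, pkg, severity, fix in blocking:
        print(f"BLOCK  {severity:<8} {vid} {pkg} ({target}) upgrade to {fix}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the constructed report the gate blocks only the Log4Shell finding: the unfixed HIGH and the MEDIUM are reported, and the allowlisted HIGH stays reported until its expiry date passes, after which it blocks again. Keep the allowlist in version control next to the workflow so every accepted risk has an owner, a reason in the commit history, and a date on which it must be revisited.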
Automated Updates

```yaml
# Dependabot (.github/dependabot.yml)
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
```
Dependabot and Renovate automatically create pull requests with dependency updates. Combined with CI tests, this enables rapid response to security patches. Renovate offers more advanced configuration — auto-merge for minor/patch updates, grouping related updates, and scheduled maintenance windows.
Key Takeaway

Scan dependencies in your CI/CD pipeline and automate updates with Dependabot or Renovate. Use Trivy for universal scanning and the language-specific tools as supplements.