Security Scanning
Quick Start
- Secrets: fail fast; rotate on exposure.
- Dependencies: gate critical/high; automate updates.
- SAST: start high-signal; ratchet over time.
- Open Source Safety: score components on three axes — license tier, severity-weighted CVEs, obsolescence.
- Exceptions: require reason, owner, and expiry.
Open Source Safety
Third-party component risk is more than "vulnerable: yes/no". Evaluate each component on three independent dimensions and gate on the worst:
- License risk: HIGH = strong copyleft / GPL/AGPL/LGPL (whole-app disclosure risk);
MEDIUM = weak copyleft / MPL, EPL (modification disclosure only); LOW = permissive /
MIT, Apache-2.0, BSD. Unknown/
NOASSERTION→ treat as HIGH until identified. - CVE weighting: weight by severity (critical ≫ high ≫ medium ≫ low) rather than raw counts; critical/high block, medium/low track with owner + expiry.
- Obsolescence: score the gap to latest version; majors-behind or unmaintained upstream is elevated risk.
See references/open-source-safety.md for the full framework, tier tables, the CVE
weighting model, obsolescence scoring, and the transitive-dependency trust model.
Load Next (References)
references/tooling-matrix.mdreferences/ci-workflows.mdreferences/triage-and-remediation.mdreferences/common-findings-and-fixes.mdreferences/supply-chain-and-sbom.mdreferences/open-source-safety.md