Dependency Audit Guide
CVE Severity Levels (CVSS v3)
| Severity | CVSS Score | Action |
|---|---|---|
| Critical | 9.0 – 10.0 | Patch immediately (same day) |
| High | 7.0 – 8.9 | Patch within 1 week |
| Medium | 4.0 – 6.9 | Patch within 1 month |
| Low | 0.1 – 3.9 | Patch in next release |
npm / Node.js
```bash
# Run security audit
npm audit
# Auto-fix safe updates
npm audit fix
# Fix including breaking changes (test first!)
npm audit fix --force
# JSON output for CI integration
npm audit --json | jq '.vulnerabilities'
# Audit from package-lock.json alone, without reading node_modules
npm audit --package-lock-only
```
Go / Python / Java
```bash
# Go: check for known vulnerable modules
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

# Python: safety check
pip install safety
safety check --full-report

# Java: OWASP Dependency Check
mvn org.owasp:dependency-check-maven:check
```

```yaml
# GitHub Dependabot (all languages)
# Add .github/dependabot.yml:
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule: { interval: "weekly" }
```
Snyk Integration
```bash
# Install Snyk CLI
npm install -g snyk
# Authenticate
snyk auth
# Test for vulnerabilities
snyk test
# Monitor continuously
snyk monitor
# Fix automatically
snyk fix
# CI/CD (fail build on high severity)
snyk test --severity-threshold=high
```
Dependency Audit Policy
- ☐ Run audit on every PR in CI/CD
- ☐ Block merges with critical/high vulnerabilities
- ☐ Weekly automated dependency updates (Dependabot/Renovate)
- ☐ Maintain Software Bill of Materials (SBOM)
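The first two policy items can be enforced with a small CI gate over the `npm audit --json` output shown above. The script below is an added example, not part of the original guide or of npm: it buckets CVSS v3 scores per the severity table and fails the build when any finding is at or above a chosen threshold. The audit document it parses is a constructed sample in the npm 7+ layout (top-level `vulnerabilities` keyed by package name, each with `severity` and `fixAvailable`); the package names are placeholders, not real advisories.

```python
"""CI gate for `npm audit --json`: exit non-zero on critical/high findings (added example)."""
import json
import sys

# CVSS v3 qualitative bands from the severity table (lower bound inclusive).
SEVERITY_BANDS = [("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.1)]
# npm reports "moderate" where the table says "Medium"; both are accepted.
RANK = {"critical": 4, "high": 3, "moderate": 2, "medium": 2, "low": 1, "info": 0}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3 base score to the table's severity level ('none' for 0.0)."""
    for name, lower in SEVERITY_BANDS:
        if score >= lower:
            return name
    return "none"


def blocking_findings(audit: dict, threshold: str = "high") -> list:
    """Return (package, severity, fix_available) tuples at or above `threshold`,
    most severe first. `audit` is parsed `npm audit --json` output (npm >= 7 shape)."""
    cutoff = RANK[threshold]
    found = []
    for name, entry in audit.get("vulnerabilities", {}).items():
        sev = entry.get("severity", "info")
        if RANK.get(sev, 0) >= cutoff:
            # fixAvailable is true, false, or an object naming the fixing version.
            found.append((name, sev, bool(entry.get("fixAvailable"))))
    return sorted(found, key=lambda f: -RANK[f[1]])


# Constructed sample in the npm >= 7 `npm audit --json` shape (placeholder packages).
SAMPLE_AUDIT = json.loads("""{
  "vulnerabilities": {
    "example-parser": {"name": "example-parser", "severity": "critical",
                       "range": "<2.0.0", "fixAvailable": true},
    "example-logger": {"name": "example-logger", "severity": "moderate",
                       "range": "<1.4.2", "fixAvailable": false},
    "example-utils":  {"name": "example-utils", "severity": "high", "range": "<0.9.1",
                       "fixAvailable": {"name": "example-utils", "version": "0.9.1"}}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                   "high": 1, "critical": 1, "total": 3}}
}""")


def main() -> int:
    # Usage in CI: npm audit --json | python3 audit_gate.py -   (no arg: run the sample)
    audit = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_AUDIT
    blocking = blocking_findings(audit, "high")
    for name, sev, fixable in blocking:
        print(f"{sev.upper():8} {name:20} fix available: {'yes' if fixable else 'no'}")
    return 1 if blocking else 0  # non-zero exit blocks the merge


if __name__ == "__main__":
    sys.exit(main())
```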