Vulnerability and secrets hygiene

Evidence that you scan for known vulnerabilities and exposed secrets — and that you actually do something about the findings. "Scanner enabled" is not enough; auditors want the remediation record.

What goes here

• Dependency scanning configuration + remediation log
• Container / image scanning configuration + recent scan results
• Secret scanning configuration + remediation history
• Pen-test / red-team report (if any)

Owner

Platform typically owns scanner configuration; Security owns triage and remediation policy. Engineering owns the actual fixes.

Common gotchas

• Scanner enabled, alerts ignored. A flood of unread Dependabot alerts is worse than no scanner because it documents that you knew and didn't act. Set an SLA and triage actively.
• No bypass policy. When a critical CVE blocks a deploy, what's the documented exception process? "We just merged it" is not an acceptable answer; "Documented exception in the PR with mitigation
  • remediation timeline" is.
• Image scanning only at build, not deploy. A long-lived image may pass scan at build then accumulate CVEs as new ones are disclosed. Periodic rescan of in-production images closes this.
• Secret-scanning without push protection. Detection after a commit happens is fine; prevention of the push is better. GitHub Advanced Security supports push protection.

Cross-references

• Controls map: rows 4.1 – 4.4 in ../../controls-map.md
• Platform guides: per-platform scanner details in ../../platforms/
• Questionnaire answers: questions 8-9 in ../../questionnaire-answer-examples.md