
# Dependency scanning

Evidence that dependencies are scanned for known CVEs continuously, not once-and-forgotten — and that there's a written SLA for remediation.

## Evidence to keep here

  1. Scanner configuration — Dependabot / Renovate / Snyk config file or repo settings.
  2. Remediation SLA — written policy on how fast each severity gets fixed.
  3. Recent remediation log — last quarter's CVE alerts with their resolution (fixed via PR / accepted with mitigation / false positive).

## Recommended SLA

A defensible SLA, in plain language:

| Severity                                         | SLA                                                        |
| ------------------------------------------------ | ---------------------------------------------------------- |
| Critical (CVSS ≥ 9.0, exploited in the wild)     | Patched within 7 days                                      |
| High (CVSS 7.0-8.9)                              | Patched within 30 days                                     |
| Medium                                           | Patched within 90 days or accepted with documented mitigation |
| Low                                              | Patched at convenience; reviewed quarterly                 |

Match the wording to your actual practice. If you can't hit 7 days for critical, document the real SLA and the compensating control (WAF rule, feature flag off, etc.).

## How to gather it

### GitHub Dependabot

```sh
# Config in repo
cp <repo>/.github/dependabot.yml dependabot-config-2026-05-15.yml

# Open + closed alerts. The endpoint paginates, so fetch every page; the
# severity lives under .security_vulnerability, not at the top level.
# Note: with --paginate the --jq filter runs once per page, so the file
# holds one JSON array per page.
gh api --paginate -F per_page=100 repos/<owner>/<repo>/dependabot/alerts \
  --jq '[.[] | {number, severity: .security_vulnerability.severity, state, package: .dependency.package.name, fix_resolved: .fixed_at, dismissed_reason, created_at}]' \
  > dependabot-alerts-2026-05-15.json
```

### Renovate

Keep the Renovate config (`renovate.json` or `.github/renovate.json`). The dashboard issue, if you have one enabled, is the log of merges and deferrals.

### Snyk

```sh
snyk monitor --all-projects
# Then export from the Snyk web UI: Reports → Issues
```

## Remediation log format

For each quarter:

```markdown
# Dependency remediation — 2026 Q2

| Date       | CVE           | Severity | Package     | Action                                        | Closed     |
| ---------- | ------------- | -------- | ----------- | --------------------------------------------- | ---------- |
| 2026-04-12 | CVE-2026-1234 | Critical | lodash      | Patched in #1234                              | 2026-04-13 |
| 2026-04-15 | CVE-2026-2345 | High     | next        | Patched in #1240                              | 2026-04-22 |
| 2026-05-02 | CVE-2026-3456 | Medium   | tailwindcss | False positive (not used)                     | 2026-05-04 |
| 2026-05-10 | CVE-2026-4567 | Medium   | undici      | Mitigation in place; tracked for next quarter | open       |
```
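The SLA table above is only evidence if you can show you measure against it. The following script is an added example, not part of the evidence kit: it reads the JSON shape produced by the Dependabot export (the `number`, `severity`, `state`, `package`, `fix_resolved`, `created_at` keys), applies the SLA days from this page, and emits one remediation-log row per alert plus the list of open alerts already past their deadline. The alert values in `SAMPLE_ALERTS` are constructed for the demonstration, and the `assess_alert`, `sla_report` and `markdown_log` names are this example's own.

```python
"""Check exported Dependabot alerts against the remediation SLA.

Added example for the evidence kit page (not the kit's own code). Input is
the JSON array written by the `gh api ... dependabot/alerts` export.
"""
import json
from datetime import date, datetime

# SLA in days, taken from the page's table. Low has no deadline (quarterly review).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": None}

# Constructed sample in the export's shape; every value here is made up.
SAMPLE_ALERTS = json.dumps([
    {"number": 12, "severity": "critical", "state": "fixed", "package": "lodash",
     "fix_resolved": "2026-04-13T09:00:00Z", "created_at": "2026-04-12T10:00:00Z"},
    {"number": 15, "severity": "high", "state": "fixed", "package": "next",
     "fix_resolved": "2026-05-30T00:00:00Z", "created_at": "2026-04-15T00:00:00Z"},
    {"number": 18, "severity": "medium", "state": "open", "package": "undici",
     "fix_resolved": None, "created_at": "2026-05-10T00:00:00Z"},
    {"number": 19, "severity": "critical", "state": "open", "package": "minimist",
     "fix_resolved": None, "created_at": "2026-05-01T00:00:00Z"},
])


def _day(ts):
    """Parse the API's RFC 3339 timestamp and keep only the calendar date."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).date()


def assess_alert(alert, today):
    """Return a remediation-log row with an SLA verdict for one alert."""
    sev = alert["severity"].lower()
    opened = _day(alert["created_at"])
    closed = _day(alert["fix_resolved"]) if alert.get("fix_resolved") else None
    limit = SLA_DAYS.get(sev)
    # Days the alert was (or still is) open, measured to today if unresolved.
    elapsed = ((closed or today) - opened).days
    if limit is None:
        verdict = "no SLA (review quarterly)"
    elif elapsed <= limit:
        verdict = "within SLA"
    elif closed:
        verdict = f"closed late ({elapsed}d > {limit}d)"
    else:
        verdict = f"BREACH: open {elapsed}d > {limit}d"
    return {
        "number": alert["number"], "date": opened.isoformat(), "severity": sev,
        "package": alert["package"], "closed": closed.isoformat() if closed else "open",
        "days": elapsed, "verdict": verdict,
    }


def sla_report(alerts_json, today):
    """Assess every alert; return (all rows, rows that are open and past SLA)."""
    rows = [assess_alert(a, today) for a in json.loads(alerts_json)]
    breaches = [r for r in rows if r["verdict"].startswith("BREACH")]
    return rows, breaches


def markdown_log(rows, title):
    """Render rows as a markdown table in the page's remediation-log layout."""
    lines = [f"# {title}", "",
             "| Date | Alert | Severity | Package | Days | Verdict | Closed |",
             "| --- | --- | --- | --- | --- | --- | --- |"]
    for r in rows:
        lines.append(f"| {r['date']} | #{r['number']} | {r['severity']} | {r['package']} "
                     f"| {r['days']} | {r['verdict']} | {r['closed']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    rows, breaches = sla_report(SAMPLE_ALERTS, date(2026, 5, 15))
    print(markdown_log(rows, "Dependency remediation 2026 Q2 (SLA check)"))
    print(f"\n{len(breaches)} open alert(s) past SLA")
```

Run it against the real export by replacing `SAMPLE_ALERTS` with the file contents; the "closed late" rows are the ones an auditor will ask about, so pair each with the compensating control noted in the remediation log.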

## Sample answer for the questionnaire

Dependencies are scanned continuously by {{Dependabot / Renovate / Snyk}}. Critical CVEs are remediated within 7 days, high within 30 days, medium within 90 days. See dependency-scanning.md for the SLA and the most recent remediation log.

## Example filenames

```
dependabot-config-2026-05-15.yml
dependabot-alerts-2026-05-15.json
remediation-log-2026-Q2.md
```

## Refresh

Quarterly remediation log. SLA changes only when policy changes.
