Vulnerability Scanning — SCA


Control ID: SDLC-CTRL-0021 | Type: Preventive

Summary

Software Composition Analysis (SCA) identifies known vulnerabilities (CVEs) in third-party dependencies, libraries, and other software components before they are deployed to production.


Description

Modern software relies heavily on open-source and third-party components, which may contain publicly disclosed vulnerabilities (CVEs) or be subject to supply chain compromise. SCA provides automated, continuous analysis of all software dependencies to detect known security flaws, outdated packages, and licence compliance issues.

Unpatched vulnerabilities in production systems represent a material operational and compliance risk. Dependency scanning maintains visibility into the software supply chain, enabling rapid response when new vulnerabilities are disclosed: because new CVEs are published daily, a dependency that was clean at deployment can become vulnerable without any code change.

Requirements

  • Application dependencies MUST be scanned for known vulnerabilities as part of the CI/CD pipeline
  • Dependency scanning MUST be automated — manual-only review is not sufficient as a primary control
  • Scanning MUST cover all relevant ecosystems in use (e.g. npm, PyPI, Go modules, system packages)
  • Vulnerability findings MUST be classified by severity and tracked to resolution
  • SCA scan results MUST be recorded as attestations linked to the artefact
  • A documented exception process MUST exist for vulnerabilities that cannot be immediately remediated

How we implement this control

  • We use Snyk Open Source to scan dependencies in our CI/CD pipelines
  • SCA scan results are recorded as attestations in our Kosli Flows
  • We verify that no artefact with a missing or failed SCA scan runs in production

Additionally:

  • We run nightly Snyk scans on containers in production so that vulnerabilities newly disclosed in running assets are detected
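As an added illustration of the gate described above (example code, not Kosli's or Snyk's own), the script below classifies the findings in a `snyk test --json` result by severity and blocks an artefact whose scan is missing, unparsable, or contains findings at or above the failure threshold that are not covered by an unexpired documented exception. The scan sample is constructed, and the exception-register format is an assumption of this example.

```python
import json
from datetime import date

# Constructed sample of `snyk test --json` output, trimmed to the fields used below.
SAMPLE_SCAN = json.dumps({"ok": False, "vulnerabilities": [
    {"id": "SNYK-EXAMPLE-0001", "severity": "high", "packageName": "pkg-a", "version": "1.0.0"},
    {"id": "SNYK-EXAMPLE-0002", "severity": "critical", "packageName": "pkg-b", "version": "2.3.4"},
    {"id": "SNYK-EXAMPLE-0003", "severity": "low", "packageName": "pkg-c", "version": "0.9.1"},
]})

# Hypothetical exception register (its format is an assumption, not Snyk's or Kosli's):
# vulnerability id -> tracking ticket and the date the exception expires.
SAMPLE_EXCEPTIONS = {
    "SNYK-EXAMPLE-0001": {"ticket": "SEC-42", "expires": "2099-12-31"},
    "SNYK-EXAMPLE-0002": {"ticket": "SEC-43", "expires": "2000-01-01"},  # lapsed
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def severity_of(vuln):
    """Normalise a finding's severity; anything unrecognised is treated as critical."""
    sev = str(vuln.get("severity", "")).lower()
    return sev if sev in SEVERITY_RANK else "critical"

def classify(scan_json):
    """Count findings per severity so they can be tracked to resolution."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for vuln in json.loads(scan_json).get("vulnerabilities", []):
        counts[severity_of(vuln)] += 1
    return counts

def evaluate(scan_json, exceptions, fail_at="high", today=None):
    """Gate an artefact: findings at or above `fail_at` block unless covered by an
    unexpired exception; a missing or unparsable scan blocks too, so an artefact
    never passes merely because the scan did not run."""
    today = date.fromisoformat(today) if today else date.today()
    try:
        vulns = json.loads(scan_json).get("vulnerabilities", [])
    except (ValueError, TypeError, AttributeError):
        return {"passed": False, "blocking": ["missing or unparsable SCA scan result"], "excepted": []}
    blocking, excepted = [], []
    for v in vulns:
        sev = severity_of(v)
        if SEVERITY_RANK[sev] < SEVERITY_RANK[fail_at]:
            continue
        exc = exceptions.get(v["id"])
        if exc and date.fromisoformat(exc["expires"]) >= today:
            excepted.append(f'{v["id"]} ({exc["ticket"]})')
        else:
            blocking.append(f'{v["id"]} {sev} in {v["packageName"]}@{v["version"]}')
    return {"passed": not blocking, "blocking": blocking, "excepted": excepted}
```

In a pipeline the returned `passed` flag would decide whether the artefact is allowed to proceed, with `blocking` and `excepted` recorded alongside the attestation so the decision is auditable.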

Compliance Frameworks

NIST SP 800-53 Rev. 5

  • RA-5 — Vulnerability monitoring and scanning — SCA identifies known vulnerabilities (CVEs) in third-party dependencies.
  • SI-2 — Flaw remediation — vulnerabilities found in dependencies must be triaged and remediated.
  • SI-3 — Malicious code protection — SCA detects compromised or malicious packages in the dependency tree.
  • CM-8 — System component inventory — SCA provides visibility into the software composition of each artefact.
  • SA-9 — External system services — third-party libraries are external components that must be assessed for risk.
  • SA-22 — Unsupported system components — SCA identifies end-of-life or unmaintained dependencies.

SOC 2 Type II

  • CC7.1 — Requires detection of vulnerabilities in system components; SCA identifies known vulnerabilities in third-party dependencies.
  • CC8.1 — Requires changes to be tested; SCA scanning is a required gate in the change management pipeline.
  • CC3.2 — Requires identification and assessment of risks; SCA provides visibility into the risk profile of the software supply chain.

© Kosli 2026, all rights reserved