Level: L1 Essential
Audit type: Automated verification

6.4 Dependency Vulnerability Scanning

6. Supply Chain Integrity: How do we trust components?

Description

All dependencies MUST be scanned for known vulnerabilities.

Rationale

Dependencies frequently contain known vulnerabilities. Regular scanning catches them before exploitation.

Audit Procedure

1. Run a vulnerability scanner (e.g. npm audit, pip-audit)
2. Check for critical/high vulnerabilities
3. Verify scanning is in CI/CD

Remediation

1. Run regular vulnerability scans
2. Integrate scanning into CI/CD
3. Update vulnerable dependencies promptly
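The audit and remediation steps above amount to one CI job: run the scanner with machine-readable output, parse the report, and fail the pipeline when findings exceed a severity threshold. The following is an added example (not part of this control's text or any scanner's own code) of that gate for npm audit and pip-audit. It assumes the `npm audit --json` (auditReportVersion 2) and `pip-audit --format json` report shapes; the embedded reports, package names and the advisory id are constructed samples, and the `high` threshold is the example's default, not a value the control prescribes.

```python
"""CI gate over dependency-scanner reports (npm audit, pip-audit).

Added example: parses scanner JSON and fails the build on blocking findings.
"""
import json
import subprocess

# npm audit severity scale, lowest to highest.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample of `npm audit --json` (auditReportVersion 2) output.
# Package names, ranges and fix data are made up for this example.
NPM_SAMPLE = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-http-client": {
            "name": "example-http-client",
            "severity": "high",
            "isDirect": True,
            "range": "<2.0.0",
            "fixAvailable": {"name": "example-http-client", "version": "2.0.1"},
        },
        "example-logger": {
            "name": "example-logger",
            "severity": "low",
            "isDirect": False,
            "range": "<1.4.0",
            "fixAvailable": True,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                                     "high": 1, "critical": 0, "total": 2}},
}

# Constructed sample of `pip-audit --format json` output; the advisory id is a placeholder.
PIP_SAMPLE = {
    "dependencies": [
        {"name": "example-parser", "version": "0.9.0",
         "vulns": [{"id": "PYSEC-0000-PLACEHOLDER", "fix_versions": ["1.0.0"],
                    "aliases": [], "description": "constructed sample advisory"}]},
        {"name": "example-utils", "version": "3.1.0", "vulns": []},
    ],
    "fixes": [],
}


def blocking_npm_findings(report: dict, threshold: str = "high") -> list[dict]:
    """Return npm audit findings whose severity is at or above `threshold`."""
    floor = SEVERITY_RANK[threshold]
    return [
        {"package": name, "severity": v["severity"],
         "fix_available": bool(v.get("fixAvailable"))}
        for name, v in report.get("vulnerabilities", {}).items()
        if SEVERITY_RANK.get(v.get("severity", "info"), 0) >= floor
    ]


def blocking_pip_findings(report: dict) -> list[dict]:
    """Return every pip-audit finding.

    pip-audit's JSON lists advisories per dependency without a severity field,
    so the conservative gate treats any finding as blocking.
    """
    return [
        {"package": dep["name"], "version": dep["version"],
         "advisory": vuln["id"], "fix_versions": vuln.get("fix_versions", [])}
        for dep in report.get("dependencies", [])
        for vuln in dep.get("vulns", [])
    ]


def run_scanner(cmd: list[str]) -> dict:
    """Run a scanner that prints JSON on stdout and parse it.

    Both scanners exit non-zero when they find anything, so the exit code is
    ignored here and the parsed report decides.
    """
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return json.loads(proc.stdout)


def gate(npm_report: dict, pip_report: dict, threshold: str = "high") -> tuple[bool, list[str]]:
    """Decide whether the build may proceed; returns (passed, findings as text)."""
    messages = [
        f"npm: {f['package']} severity={f['severity']} fix_available={f['fix_available']}"
        for f in blocking_npm_findings(npm_report, threshold)
    ]
    messages += [
        f"pip: {f['package']}=={f['version']} {f['advisory']} fix_versions={f['fix_versions']}"
        for f in blocking_pip_findings(pip_report)
    ]
    return (not messages, messages)


if __name__ == "__main__":
    # In CI, replace the samples with live output, e.g.:
    #   npm_report = run_scanner(["npm", "audit", "--json"])
    #   pip_report = run_scanner(["pip-audit", "--format", "json"])
    passed, findings = gate(NPM_SAMPLE, PIP_SAMPLE, threshold="high")
    for line in findings:
        print(line)
    raise SystemExit(0 if passed else 1)
```

Wiring this script into the pipeline (exit code 1 blocks the merge) satisfies the "scanning is in CI/CD" check; the `fix_available` and `fix_versions` fields in the output point straight at the remediation step of updating the affected dependency.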

Framework Mappings

CIS Control 7.4
NIST ID.RA-1
OWASP LLM05:2023