Security Scanning

Quick Start

  • Secrets: fail fast; rotate on exposure.
  • Dependencies: gate critical/high; automate updates.
  • SAST: start high-signal; ratchet over time.
  • Open Source Safety: score components on three axes — license tier, severity-weighted CVEs, obsolescence.
  • Exceptions: require reason, owner, and expiry.

Open Source Safety

Third-party component risk is more than "vulnerable: yes/no". Evaluate each component on three independent dimensions and gate on the worst:
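As an added illustration (not code from the skill or the claude-mpm-skills project), the following Python scores a constructed inventory on the three axes named in Quick Start and gates on the worst tier; the license tiers, severity weights and age thresholds are assumed policy values, not ones the skill prescribes.

```python
from dataclasses import dataclass
from datetime import date

# Risk tiers from least to most severe; a component's verdict is the worst
# tier across the three axes: license, severity-weighted CVEs, obsolescence.
TIERS = ("ok", "review", "block")

# Hypothetical policy tables (assumptions, not from the skill): permissive
# licenses pass, weak copyleft needs review, strong copyleft or unknown blocks;
# severity weights make one critical or two highs block, one high review.
LICENSE_TIER = {"MIT": "ok", "Apache-2.0": "ok", "BSD-3-Clause": "ok",
                "LGPL-3.0": "review", "MPL-2.0": "review",
                "GPL-3.0": "block", "AGPL-3.0": "block"}
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 15}

@dataclass
class Component:
    name: str
    license: str
    cves: list          # (cve_id, severity) pairs from your SCA scanner
    last_release: date  # newest published release, for the obsolescence axis

def license_axis(c: Component) -> str:
    return LICENSE_TIER.get(c.license, "block")  # unknown license -> block

def cve_axis(c: Component) -> str:
    score = sum(SEVERITY_WEIGHT.get(sev, 0) for _, sev in c.cves)
    return "block" if score >= 14 else "review" if score >= 5 else "ok"

def obsolescence_axis(c: Component, today: date) -> str:
    age = (today - c.last_release).days  # no release in 1y: review; 2y: block
    return "block" if age > 730 else "review" if age > 365 else "ok"

def evaluate(c: Component, today: date) -> tuple:
    """Return (worst tier, per-axis tiers) so a failed gate is explainable."""
    axes = {"license": license_axis(c), "cves": cve_axis(c),
            "obsolescence": obsolescence_axis(c, today)}
    return max(axes.values(), key=TIERS.index), axes

def gate(components, today: date) -> dict:
    """Map component name -> worst tier; any 'block' should fail the build."""
    return {c.name: evaluate(c, today)[0] for c in components}

# Constructed sample inventory; the CVE ids are placeholders, not real advisories.
TODAY = date(2026, 1, 1)
SAMPLE = [
    Component("libfoo", "MIT", [("CVE-0000-0001", "high")], date(2024, 11, 1)),
    Component("libbar", "Apache-2.0", [("CVE-0000-0002", "critical")], date(2025, 12, 1)),
    Component("libbaz", "BSD-3-Clause", [], date(2023, 6, 1)),
    Component("libqux", "Proprietary-EULA", [], date(2025, 12, 1)),
]
```

Returning the per-axis tiers alongside the verdict is what lets an exception record (reason, owner, expiry) name the specific axis being waived.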

Installs: 180 · GitHub Stars: 58 · First Seen: Jan 23, 2026
Source: bobmatnyc/claude-mpm-skills (security-scanning)