Skip to content

SCA remediation policy

Software Composition Analysis (SCA) for third-party dependenciesgo.mod, GitHub Actions, and container base images. Application SAST and secret scanning are governed separately in coding-standards.md and SECURITY.md.

OSPS-VM-05.01 compliance

This policy defines remediation thresholds for SCA findings on vulnerabilities and licenses.

Remediation thresholds

Clock starts when a finding is first reported by govulncheck, Dependabot/Renovate, Trivy, or manual SBOM review.

Vulnerability findings

Severity band Remediation threshold If exceeded
Critical (CVSS ≥ 9.0) 7 calendar days Release blocker
High (7.0–8.9) 30 calendar days Release blocker
Medium (4.0–6.9) 90 calendar days Track in issue/Dependabot
Low (< 4.0) Next minor release Best-effort

Zero-tolerance gates:

Finding Merge Tagged release
Reachable vulnerability (govulncheck ./...) Must pass task vuln:check in CI Must pass on release commit
Fixable CRITICAL/HIGH in release image (Trivy) N/A Release workflow fails

License findings

MKurator is MIT-licensed.

License class Examples Action
Allow MIT, ISC, BSD, Apache-2.0 Permitted
Review MPL-2.0, LGPL (library use) Review within 90 days; SBOM at release
Deny GPL, AGPL, proprietary, UNKNOWN Remove/replace before merge

Detection tools

Tool Finds When Location
govulncheck Go CVEs in imported packages PR + weekly ci.yaml test, vulncheck.yaml
Dependabot Actions + gomod updates Weekly .github/dependabot.yml
Renovate IBM MQ chart/image, Taskfile tools Weekly renovate.json
Trivy Image CRITICAL/HIGH Release tag release.yaml
Release SBOM SPDX inventory Release dist/sbom.spdx.json

Enforcement model

  • Merge: maintainer requires green CI including govulncheck on PRs.
  • Release: Trivy + SBOM review before v*.*.* tag; cosign signatures on image, chart, and release assets.

Exceptions require maintainer approval documented in release notes or .trivyignore with comment.