Security Scanning & Vulnerability Management — FRD
Status: Draft, 2026-03-31 Version: 1.0 Source:
docs/Smackz-Phase2/Security-Scanning-FRD.mdNFRs addressed: NFR-SEC-12, NFR-SEC-13, NFR-SEC-14, NFR-SEC-15 Companion: Platform NFR Governance
Problem
A full audit of all 15+ SMACKZ repositories, 19 GitHub Actions workflows, 10 Dockerfiles, and GitHub organisation settings on 2026-03-31 found zero vulnerability scanning of any kind across any stack or environment.
| Area | Finding |
|---|---|
| Dependency scanning (Node.js) | npm audit absent from all 12 Node.js CI pipelines |
| Dependency scanning (Python) | pip-audit / safety absent from all 3 Python CI pipelines |
| Dependabot | No .github/dependabot.yml in any repository |
| Container image scanning | No Trivy, Grype, Anchore, or Docker Scout in any deployment pipeline |
| Docker base image pinning | All 10 Dockerfiles use floating tags (node:22-alpine, python:3.12-slim) |
| Non-root containers | Only 2 of 10 Dockerfiles enforce a non-root user |
| SAST | No CodeQL, Semgrep, Bandit, or equivalent tool configured anywhere |
| Secret scanning | GitHub Advanced Security disabled on all repos; no gitleaks / trufflehog |
| Org 2FA enforcement | Not set on Smackz-LLC organisation |
| Public repo creation | Members can create public repos (enabled) |
| Branch protection | No rules found on any main or staging branch |
This means known CVEs in production dependencies, compromised base images, hardcoded credentials, and privilege escalation vulnerabilities can all exist and ship undetected.
Recommendation
Five-epic implementation (~8 dev-days across 4 sprints):
| Epic | Scope |
|---|---|
| 1. SCA | Add npm audit --audit-level=high to all 12 Node CI gates; add pip-audit to all 3 Python CI gates; configure Dependabot weekly. |
| 2. Container CVE | Add trivy image scan to all 8 deployment workflows; block deploys on CVSS ≥ 7.0. |
| 3. Container hardening | Pin all 10 Dockerfile base images to digest; add non-root USER to all 8 missing containers. |
| 4. SAST + secrets | Enable CodeQL (JS/TS + Python); add Bandit (Python); enable GitHub push protection for secrets. |
| 5. Org baseline | Enforce 2FA org-wide; disable public repo creation; enable GitHub Advanced Security; configure branch protection on main / staging. |
Implementation Roadmap
| Sprint | Epics | Effort |
|---|---|---|
| 1 | Org settings (ORG-01–04, ORG-07–10) + npm/pip audit (SCA-01–07) | 1.5 days |
| 2 | Base image pinning (DOCK-01–04) + non-root USER (DOCK-05–08) + Trivy (IMG-01–05) | 3.5 days |
| 3 | Dependabot config (SCA-09–12) + GitHub secret scanning (SAST-08–11) | 1 day |
| 4 | CodeQL (SAST-01–04) + Bandit (SAST-05–07) + branch protection (ORG-05–06) | 2 days |
Acceptance Criteria
npm audit --audit-level=highpasses on all 12 Node PR gates.pip-auditpasses on all Python gates.- Trivy runs on all deployment workflows; deploys blocked on CVSS ≥ 7.0.
- All 10 Dockerfiles use digest-pinned base images and a non-root
USER. - CodeQL and GitHub Advanced Security enabled org-wide.
- Branch protection enforced on
mainandstagingfor all repos.
Scope
In: Dependency scanning, container image CVE scanning, SAST (CodeQL/Bandit), secret scanning (GitHub Advanced Security + gitleaks), org-level hardening.
Out: RASP, penetration testing, DAST, IaC scanning, licence compliance.