Pro audit program · v1.0

Dependency & Supply Chain Audit

Most apps are 90% open-source dependencies. Quick check on SBOM, scanning, pinning, and what happens when a high-severity CVE lands in a library you depend on.

  • General target area
  • NIST SSDF / SLSA framework
  • 6 controls in this program
  • Cyentrix (Trusted Author)

Controls (6)

  1. SBOM generated per build (CycloneDX / SPDX)

    High

    How to test + evidence

    Testing procedure: CI emits and stores an SBOM per release.

    Evidence to collect: SBOM artefact + retention.

  2. SCA scanning blocks builds on critical CVEs

    Critical

    How to test + evidence

    Testing procedure: Software composition analysis scans dependencies; high / critical CVEs fail the build.

    Evidence to collect: SCA tool + policy.

  3. Dependency lockfile committed + reviewed

    High

    How to test + evidence

    Testing procedure: A lockfile (package-lock.json / go.sum / Cargo.lock / poetry.lock) is committed, and changes to it go through code review.

    Evidence to collect: Repository settings.

  4. Package registry allowlist (private mirror)

    High

    How to test + evidence

    Testing procedure: Builds pull from a private proxy / mirror, not directly from public registries.

    Evidence to collect: Registry config.

  5. Automated CVE alerts on monitored deps

    High

    How to test + evidence

    Testing procedure: Dependabot / Renovate / equivalent opens PRs on new CVEs.

    Evidence to collect: Tool config + last PR.

  6. Signed releases / SLSA provenance

    Medium

    How to test + evidence

    Testing procedure: Build artefacts are signed, and a provenance attestation is generated for each release.

    Evidence to collect: Signing config + sample.
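One way an auditor or a CI job can exercise controls 1 and 2 together, as an added example that is not part of this program or of any vendor's tooling: parse the CycloneDX SBOM a build emitted, match each component against a vulnerability feed by purl, and fail the gate on high or critical findings. The SBOM, the feed and its vulnerability IDs are constructed sample data, and components with no purl are reported rather than silently skipped, because a scanner cannot match what it cannot identify.

```python
import json

# Constructed CycloneDX SBOM (sample data, not a real build); the third component has no purl.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "vendored-blob", "version": "0.1"}
  ]
}"""

# Constructed vulnerability feed keyed by purl; IDs are placeholders, not real CVEs.
VULN_FEED = {
    "pkg:npm/lodash@4.17.20": [{"id": "EXAMPLE-VULN-1", "severity": "High"}],
    "pkg:pypi/requests@2.31.0": [{"id": "EXAMPLE-VULN-2", "severity": "Low"}],
}

# Policy from control 2: high and critical findings fail the build.
FAIL_ON = {"critical", "high"}


def parse_sbom(text):
    """Return (purls, unmatchable) from a CycloneDX JSON document."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    purls, unmatchable = [], []
    for comp in bom.get("components", []):
        if comp.get("purl"):
            purls.append(comp["purl"])
        else:  # report, rather than silently skip, components a scanner cannot see
            unmatchable.append(f"{comp.get('name')}@{comp.get('version')}")
    return purls, unmatchable


def evaluate_gate(sbom_text, feed, fail_on=FAIL_ON):
    """Match every SBOM component against the feed and apply the fail policy."""
    purls, unmatchable = parse_sbom(sbom_text)
    findings = [(p, v["id"], v["severity"].lower())
                for p in purls for v in feed.get(p, [])]
    blocking = [f for f in findings if f[2] in fail_on]
    return {"passed": not blocking, "blocking": blocking,
            "findings": findings, "unmatchable": unmatchable}


if __name__ == "__main__":
    result = evaluate_gate(SBOM_JSON, VULN_FEED)
    print("BUILD", "PASSED" if result["passed"] else "FAILED", result)
```

The `unmatchable` list is the evidence an auditor should ask about: every entry there is a dependency the SCA gate never evaluated.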