Automated dependency scanning in CI/CD:
Tools scan every dependency on every build. Any component with a known CVE fails the build before it ships.
Tools:
Dependabot (GitHub) — opens PRs for vulnerable dependencies automatically
Snyk — scans npm, Maven, pip, Go modules; integrates with CI
OWASP Dependency-Check — open source, runs in pipelines
Trivy — scans container images for vulnerable OS packages and libraries
Syft + Grype — generate SBOM and scan it for CVEs
Process:
Know every dependency and its version (SBOM)
Subscribe to CVE feeds for your technology stack
Apply patches within 24 hours for CVSS 9+
Remove unused dependencies — every package is attack surface
Prefer actively maintained libraries with security track records
Notable incidents:
2020 SolarWinds — malicious code injected into a software build process, shipped to 18,000 customers
2021 Log4Shell — 100M+ servers vulnerable, nation-state exploitation within hours
2022 Text4Shell — same pattern, different library
SolarWinds 2020: Attackers compromised the SolarWinds Orion build system. A malicious update was signed and shipped to 18,000 customers including US government agencies. The attackers were inside networks for 9 months before detection. This was not a vulnerability in SolarWinds code — it was a compromised component in their supply chain. The most significant supply chain attack in history.