Scan dependencies and images for vulnerabilities in CI

Scan dependencies and images for vulnerabilities in CI | BeforeMerge Rules | BeforeMerge

Why this matters

Most exploited vulnerabilities are already publicly known. Scanning dependencies and container images on every build — and failing on critical/high CVEs — catches them before they reach production.

Bad

# no scanning; vulnerable lodash + outdated base image ship freely

Good

steps:
  - run: npm audit --audit-level=high
  - uses: aquasecurity/trivy-action@master
    with: { image-ref: "app:$SHA", severity: "CRITICAL,HIGH", exit-code: "1" }

Why This Matters

Related Rules

Catch this automatically on every PR

Why this matters