| name | dependency-governance |
| description | Govern third-party and OSS dependencies via SBOM, SLSA, OpenSSF Scorecard, and license policy. Use when establishing supply-chain controls, responding to CVE pressure, or preparing for SOC 2 / EU CRA audits. |
Dependency Governance
Modern systems are mostly other people's code. Dependency governance turns supply chain into a managed risk: every artifact has a verified provenance, a Software Bill of Materials, a license posture, and a refresh cadence enforced in CI and at admission.
Stack Baseline (2026)
| Concern | Recommended |
|---|
| SBOM format | CycloneDX 1.6, SPDX 3.0 |
| Provenance | SLSA v1.0 (target Build L3), in-toto attestations |
| Signing | Sigstore (cosign), Rekor transparency log |
| Health scoring | OpenSSF Scorecard, deps.dev |
| Vulnerability | OSV.dev, GitHub Advisory, Trivy, Grype, Dependency-Track |
| License | ScanCode, FOSSA, ORT; SPDX expressions |
| Updates | Renovate / Dependabot with grouped, scheduled PRs |
| Admission | Kyverno / OPA Gatekeeper verifying signatures + SBOM |
| Regulation | EU Cyber Resilience Act 2024, US EO 14028, NIST SSDF |
When to Use
- Standing up a secure SDLC or paved road.
- Pre-release of a product subject to CRA, FedRAMP, or SOC 2.
- Post-incident (Log4Shell-class) supply-chain hardening.
- M&A: assessing acquired codebase risk.
Prerequisites
- CI able to produce and publish SBOMs and signed attestations.
- Artifact registry supporting OCI referrers (Sigstore, attestations).
- Policy decision point at admission (cluster, registry, or CI gate).
Instructions
flowchart LR
S[Source] --> B[Build w/ SLSA provenance]
B --> SB[Generate CycloneDX SBOM]
SB --> SC[Sign w/ cosign + Rekor]
SC --> R[Push to registry]
R --> A{Admission}
A -->|verify sig + SBOM + scorecard| K[Deploy]
A -->|fail| X[Block + alert]
K --> M[Continuous scan: OSV, license]
- Inventory. Generate SBOM on every build (Syft, cdxgen). Store in Dependency-Track for diffing and continuous CVE matching.
- Provenance. Emit SLSA v1.0 provenance via reusable workflows or Tekton Chains; sign with cosign keyless; log to Rekor.
- Health gates. Block dependencies below a Scorecard threshold (e.g. < 6.0) or unmaintained > 12 months. Pin and mirror critical OSS.
- License policy. Maintain allow/deny list (e.g. allow MIT/Apache-2.0/BSD; deny AGPL for SaaS); enforce via Conftest.
- Update cadence. Renovate with grouped weekly PRs, auto-merge for patch on green CI, escalate majors to ADR.
- Respond. SLA per severity (Critical 24h, High 7d). Track MTTR via Dependency-Track metrics.
permissions: { id-token: write, contents: read, attestations: write }
jobs:
build:
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
sbom:
steps:
- run: syft packages dir:. -o cyclonedx-json > sbom.cdx.json
- run: cosign attest --predicate sbom.cdx.json --type cyclonedx $IMAGE
# Conftest license policy
package licenses
deny[msg] {
pkg := input.components[_]
banned := {"AGPL-3.0", "SSPL-1.0"}
banned[pkg.licenses[_].license.id]
msg := sprintf("Banned license %s in %s", [pkg.licenses[_].license.id, pkg.name])
}
Common Pitfalls
| Pitfall | Mitigation |
|---|
| SBOM generated but never queried | Push to Dependency-Track; alert on new CVEs |
| Signature optional | Make verification mandatory at admission |
| Renovate PR storm ignored | Group + schedule + auto-merge patches |
| License scan in legal silo | Shift left into CI with Conftest |
| Forgotten transitive deps | Scan full graph; fail on indirect critical CVEs |
Output Format
- Per-artifact: SBOM (CycloneDX), SLSA provenance, cosign signature.
- Repo:
SECURITY.md, THIRD_PARTY_LICENSES, Renovate config, policy bundle.
- Org: Dependency-Track dashboard, Scorecard report, exception register.
Authoritative References
- SLSA v1.0 specification (slsa.dev).
- OpenSSF Scorecard and Best Practices Badge.
- CycloneDX 1.6 spec; SPDX 3.0 spec.
- NIST SP 800-218 SSDF; US Executive Order 14028.
- EU Cyber Resilience Act, Regulation (EU) 2024/2847.