| name | vulnerability-management |
| description | Enforces continuous vulnerability identification, assessment, and remediation for Black Trigram — Dependabot, npm audit, CodeQL, SLA-based patching, OSSF Scorecard ≥8.0, CycloneDX SBOM, aligned with Hack23 Vulnerability Management policy |
| license | MIT |
🔍 Vulnerability Management Skill
Strategic Principle: Continuously identify, assess, and remediate vulnerabilities before they become incidents.
🎯 Purpose
Enforce vulnerability management practices for Black Trigram, ensuring dependencies, code, and infrastructure are continuously scanned and vulnerabilities are remediated within defined SLAs.
Reference: Hack23 ISMS Vulnerability Management Policy
Enforcement Rules
Rule 1: Dependency Scanning
IF (adding or updating npm dependency)
THEN (run npm audit, check advisory database, verify license compatibility)
ELSE (unscanned dependencies introduce supply chain risk)
Rule 2: Remediation SLAs
IF (vulnerability severity is Critical) THEN (patch within 24 hours)
IF (vulnerability severity is High) THEN (patch within 72 hours)
IF (vulnerability severity is Medium) THEN (patch within 2 weeks)
IF (vulnerability severity is Low) THEN (patch within 30 days)
ELSE (document risk acceptance with justification)
Rule 3: OSSF Scorecard Maintenance
IF (OSSF Scorecard score drops below 8.0)
THEN (investigate and remediate failing checks)
ELSE (maintain continuous improvement toward 10.0)
Rule 4: SBOM Generation
IF (release build)
THEN (generate CycloneDX SBOM and publish as release artifact)
ELSE (supply chain transparency gap)
Rule 5: Code Scanning
IF (code change in PR)
THEN (CodeQL analysis must pass with zero high/critical findings)
ELSE (vulnerable code merged to main branch)
Vulnerability Sources
| Source | Scope | Automation |
|---|
| Dependabot | npm dependencies | Automatic PRs |
| npm audit | Package vulnerabilities | CI pipeline |
| CodeQL | Code vulnerabilities | PR checks |
| Secret Scanning | Exposed credentials | Continuous |
| OSSF Scorecard | Supply chain security | Scheduled |
| Lighthouse | Web security headers | Release builds |
Remediation Workflow
1. Detection
Automated scanning → Alert generated → Severity classified
2. Assessment
- Verify vulnerability applies to our usage
- Assess exploitability in our context
- Determine affected components
- Check for available patches
3. Remediation
- Apply patch/update dependency
- Run full test suite
- Verify fix with security scanning
- Document in changelog
4. Verification
- Confirm vulnerability resolved
- Check for regression
- Update SBOM
- Close security advisory
OSSF Scorecard Targets
| Check | Target | Current |
|---|
| Binary-Artifacts | 10 | Monitor |
| Branch-Protection | 10 | Monitor |
| Code-Review | 10 | Monitor |
| Dangerous-Workflow | 10 | Monitor |
| Dependency-Update-Tool | 10 | Monitor |
| License | 10 | Monitor |
| Maintained | 10 | Monitor |
| Pinned-Dependencies | 10 | Monitor |
| Security-Policy | 10 | Monitor |
| Signed-Releases | 10 | Monitor |
| Token-Permissions | 10 | Monitor |
| Vulnerabilities | 10 | Monitor |
npm Audit Integration
npm audit --audit-level=high
npm audit --package-lock-only
npm audit --json > audit-report.json
Testing Requirements
- ✅
npm audit passes with no high/critical vulnerabilities
- ✅ CodeQL analysis passes on all PRs
- ✅ Dependabot alerts addressed within SLA
- ✅ SBOM generated on releases
- ✅ OSSF Scorecard score ≥ 8.0
- ✅ License compliance verified (
npm run test:licenses)
Compliance
- ISO 27001:2022: A.8.8 (Management of technical vulnerabilities)
- NIST CSF 2.0: ID.RA (Risk Assessment), DE.CM (Continuous Monitoring)
- CIS Controls v8.1: 7 (Continuous Vulnerability Management)
- OWASP: A06:2021 Vulnerable and Outdated Components
- Hack23 ISMS: Vulnerability Management Policy
흑괘의 취약점 관리 - Vulnerability Management of the Black Trigram