Supply chain attacks target your dependencies rather than your code. An attacker who compromises a popular npm package or PyPI library can execute arbitrary code in every application that installs it. The Log4Shell and XZ Utils incidents demonstrated that even deeply embedded infrastructure dependencies can be compromised.
The CI Gate Pattern
The effective pattern is: run a dependency vulnerability scanner as a blocking step in your CI pipeline. If a dependency with a known critical or high CVE is detected, the build fails and the PR cannot merge. This turns dependency hygiene from a "we should look at that someday" process into an automatic gate.
# GitHub Actions example
- name: Python dependency audit
  run: |
    pip install pip-audit
    pip-audit --require-hashes -r requirements.txt
- name: Node dependency audit
  run: npm audit --audit-level=high
pip-audit vs safety vs Snyk
pip-audit (from PyPA) checks against the OSV database and is free, fast, and accurate for Python dependencies. For Node.js, npm audit is built in and free. Snyk and Dependabot add noise reduction, PR automation, and broader ecosystem coverage but are not necessary to start.
SBOM Generation
A Software Bill of Materials (SBOM) is a machine-readable inventory of every component in your software. Generating an SBOM diff on every release gives you a clear record of what changed between versions — useful for incident response, useful for compliance, and increasingly required for government procurement.
G8KEPR generates an SBOM diff attached to every GitHub release using syft. When a new CVE is published, we can immediately determine whether any of our released versions are affected, rather than scanning retroactively.
Transitive dependencies are where most vulnerabilities hide. A direct dependency with no known CVEs may have a transitive dependency with a critical one. Make sure your scanner resolves the full dependency tree, not just direct dependencies.
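To make the SBOM-diff and "which releases are affected?" workflow concrete, here is an added example (not G8KEPR's code) that diffs two CycloneDX JSON documents of the shape syft emits with -o cyclonedx-json and looks up a vulnerable package URL across releases. The two SBOMs and the release tags are constructed sample data; because syft lists every resolved package, transitive dependencies show up in the diff alongside direct ones.

```python
"""Diff two CycloneDX JSON SBOMs and find releases that ship a given package version."""
import json
from typing import Dict, List, Tuple

# Constructed sample SBOMs, trimmed to the fields the diff needs (real syft output has many more).
SBOM_V1 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "urllib3", "version": "1.26.18", "purl": "pkg:pypi/urllib3@1.26.18"},
    {"type": "library", "name": "certifi", "version": "2023.7.22", "purl": "pkg:pypi/certifi@2023.7.22"},
]})
SBOM_V2 = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "urllib3", "version": "2.2.1", "purl": "pkg:pypi/urllib3@2.2.1"},
    {"type": "library", "name": "idna", "version": "3.7", "purl": "pkg:pypi/idna@3.7"},
]})


def split_purl(purl: str) -> Tuple[str, str]:
    """Split 'pkg:type/name@version?qualifiers#subpath' into (base, version).
    '@' inside a namespace is percent-encoded in purls, so the first '@' starts the version."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]
    return base, version


def component_index(sbom_json: str) -> Dict[str, str]:
    """Map each component to its version, keyed by purl without version
    (falls back to type/name when a component has no purl)."""
    index: Dict[str, str] = {}
    for comp in json.loads(sbom_json).get("components", []):
        if comp.get("purl"):
            base, version = split_purl(comp["purl"])
        else:
            base, version = f"{comp.get('type')}/{comp['name']}", comp.get("version", "")
        index[base] = version or comp.get("version", "")
    return index


def diff_sboms(old_json: str, new_json: str) -> Dict[str, dict]:
    """Return components added, removed, and version-changed between two releases."""
    old, new = component_index(old_json), component_index(new_json)
    return {
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
    }


def affected_releases(release_sboms: Dict[str, str], vulnerable_purl: str) -> List[str]:
    """Given {release_tag: sbom_json}, list releases whose SBOM contains the exact
    package version named in a new advisory (qualifiers on either side are ignored)."""
    target = split_purl(vulnerable_purl)
    return [tag for tag, sbom in release_sboms.items()
            if any(item == target for item in component_index(sbom).items())]
```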
