Security: Vulnerability Management¶
This page documents how the library implements the monitoring and mitigation controls from §4.3 and §4.4 of the ENISA Technical Advisory for Secure Use of Package Managers.
Automated Scanning¶
Partially aligns with ENISA TA §4.3.1 (SBOM-driven Monitoring) and §4.3.2 (Automated Scanning in CI/CD).
Workflow Files — zizmor and actionlint¶
Every pull request against this repository runs zizmor with the pedantic persona and actionlint via the smoke tests. This continuously scans the workflow definitions themselves for injection risks, excessive permissions, and unpinned references.
Action Dependencies — Renovate¶
Renovate monitors all uses: references in
.github/workflows/ and opens pull requests when new versions with security fixes are
available. It correlates the GitHub Advisory Database
(via the repository's Dependabot alerts) and OSV.dev, which aggregate
CVEs from multiple upstream sources.
SBOM-driven Monitoring¶
This library ships workflow definitions, not container images, and does not produce or
consume SBOMs — §4.3.1 is a tracked gap. Callers that build images via
release-container.yaml get a keyless build-provenance attestation on every pushed image
and can add SBOM generation and image CVE scanning in their own release pipeline.
Tracked gaps
Two automation gaps are tracked as future improvements: scanning of the full action
dependency graph, and a CVE scanning gate for container images built by release-container.yaml.
Advisory Monitoring¶
Implements ENISA TA §4.3.3 (Track CVEs/Advisories), §4.3.5 (Set Alerts).
The following advisory sources are checked as part of the quarterly security review:
| Source | Scope | How to check |
|---|---|---|
| GitHub Advisory Database | Actions and their dependencies | Dependabot alerts in repository Security tab |
| ENISA EU Vulnerability Database (EUVD) | EU-specific CVE aggregation | Manual review quarterly |
| OSV.dev | Open source packages across ecosystems | Manual osv-scanner run |
| CISA KEV Catalog | Known actively exploited vulnerabilities | Manual review quarterly |
For immediate alerts, GitHub Dependabot security alerts are enabled in repository settings. Maintainers receive notifications for new HIGH/CRITICAL findings.
EUVD/CSAF automated ingestion — tracked gap
Automated ingestion of ENISA EUVD or CSAF (Common Security Advisory Framework) machine-readable feeds is tracked as a future improvement for fully automated advisory correlation.
Assessment¶
Implements ENISA TA §4.4.1 (Assess).
When a vulnerability is identified, assess it using the following metrics before deciding on priority and mitigation:
| Metric | Description | Source |
|---|---|---|
| CVSS | Base severity score (0–10) and attack vector | NVD / advisory |
| KEV | Is this CVE in CISA's Known Exploited Vulnerabilities catalog? | cisa.gov/kev |
| Reachability | Is the vulnerable code path actually reachable in our use? | Manual review |
Assessment steps:
- Retrieve the CVSS score and vector from the NVD or the GitHub advisory.
- Check whether the CVE is in the CISA KEV catalog.
- Determine reachability: does this library's usage invoke the vulnerable code path? If the vulnerable function is never called, document this in the issue.
Prioritisation¶
Implements ENISA TA §4.4.2 (Prioritise).
Use the following thresholds to determine response speed:
| Priority | Criteria | Target Response |
|---|---|---|
| Critical | CVSS ≥ 9.0 or in CISA KEV catalog | Fix or mitigate within 48 hours |
| High | CVSS 7.0–8.9 | Fix or mitigate within 7 days |
| Medium | CVSS 4.0–6.9 | Address in next planned release cycle |
| Low | CVSS < 4.0, not reachable | Track; address opportunistically |
For Critical and High findings the cooldown does not apply: Renovate raises vulnerability-driven PRs immediately instead of waiting for the 7-day cooldown to elapse.
If reachability analysis confirms the vulnerable code path is not exercised by this library, the effective priority may be reduced one level and documented as such in the tracking issue.
Mitigation Steps¶
Implements ENISA TA §4.4.3 (Mitigate).
For actions (third-party uses: references)¶
- Update the SHA pin — Open a PR updating the
uses:SHA to the patched version. If Renovate has already opened such a PR, expedite its review. - Assess impact while updating — If the new version introduces breaking changes, document the migration path in the PR.
- Temporary mitigation — If no patched version is available, evaluate whether the workflow can be temporarily disabled or replaced with an alternative action.
- Remove if irreparable — If the action is abandoned and the vulnerability is critical, remove it and implement the step inline or replace with a maintained alternative.
Emergency response¶
For Critical findings (CVSS ≥ 9.0 or KEV):
- If the vulnerability is in an action currently used in a running workflow, consider temporarily disabling the workflow until the fix is in place.
- Notify dependent repositories by opening a GitHub Security Advisory draft in this repository.
- Fast-track a patch release following the normal PR → semantic-release flow with a
fix:commit prefix (or aBREAKING CHANGE:footer if the fix changes caller behavior).
Because every potos repository consumes its pipelines from this library, a single fix here propagates to the whole organization via the Renovate pin updates in the consuming repositories.
Notification¶
Implements ENISA TA §4.4.4 (Document & Notify).
When a vulnerability is fixed in this library:
- Release notes — Include the CVE ID and affected component in the release notes
generated by go-semantic-release. Use a
fix:commit prefix. - GitHub Security Advisory — For Critical/High vulnerabilities that affect callers, publish a GitHub Security Advisory in this repository. This triggers Dependabot alerts — and the corresponding Renovate update PRs — in all caller repositories that depend on this library.
- Tracking issue — Keep a GitHub issue open for the duration of the vulnerability
lifecycle. Label it
securityand link it to the relevant Dependabot alert or advisory.
Attribution¶
Controls in this page are derived from the ENISA Technical Advisory for Secure Use of Package Managers, v1.1, March 2026. Licensed under CC BY 4.0.