
System Protection and Maintenance

Vulnerability Management

A central dependency tracing system is provided. It receives SBOMs from services and scans them for known vulnerabilities.

Services integrate with the system by uploading automatically generated SBOMs. The ansible/roles/sbomclient role uploads an SBOM once and installs a scheduled task that uploads a fresh SBOM at regular intervals. The role uses cdxgen with its osquery plugin to scan the full operating system, so the uploaded SBOM covers the installed OS packages and not only the service's own dependencies.
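The following script is an added example of the generate-validate-upload cycle the role performs; it is not the sbomclient role's own code. It assumes that the central system accepts uploads on a Dependency-Track-style PUT /api/v1/bom endpoint with an X-Api-Key header, and that SBOM_SERVER_URL and SBOM_API_KEY are set in the environment. Neither the endpoint nor the variable names are stated on this page.

```shell
#!/bin/sh
# Added example, not the ansible/roles/sbomclient role itself.
# ASSUMPTIONS (not stated on the page): the central system exposes a
# Dependency-Track-style "PUT /api/v1/bom" JSON endpoint authenticated with an
# X-Api-Key header, reachable via SBOM_SERVER_URL / SBOM_API_KEY.
set -eu

# Generate a CycloneDX JSON SBOM of the whole host. cdxgen's "os" project
# type uses osquery to enumerate the installed operating-system packages.
generate_os_sbom() {
    out="$1"
    cdxgen -t os -o "$out" >/dev/null
}

# Refuse to upload anything that is not a CycloneDX document with components.
# An empty or truncated file would otherwise register a project with no
# components and therefore zero findings, which reads as "clean" in the daily
# review. Returns 0 when the file looks usable, 1 otherwise.
validate_sbom() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f" || return 1
    grep -q '"components"' "$f" || return 1
    return 0
}

# Build the JSON body for the (assumed) PUT /api/v1/bom endpoint: the BOM is
# carried base64-encoded in the "bom" field. Project name and version are
# expected to be plain hostnames/dates, which need no JSON escaping.
build_upload_payload() {
    f="$1"; project="$2"; version="$3"
    b64=$(base64 "$f" | tr -d '\n')
    printf '{"projectName":"%s","projectVersion":"%s","autoCreate":true,"bom":"%s"}' \
        "$project" "$version" "$b64"
}

# Validate, then upload. Prints the HTTP status code the server returned.
upload_sbom() {
    f="$1"; project="$2"; version="$3"
    validate_sbom "$f" || { echo "refusing to upload invalid SBOM: $f" >&2; return 1; }
    build_upload_payload "$f" "$project" "$version" > "$f.payload"
    curl -sS -o /dev/null -w '%{http_code}' \
        -X PUT "${SBOM_SERVER_URL}/api/v1/bom" \
        -H "X-Api-Key: ${SBOM_API_KEY}" \
        -H 'Content-Type: application/json' \
        --data-binary "@$f.payload"
    rm -f "$f.payload"
}

# What the scheduled task runs: one SBOM per host, host name as project and
# today's date as version, so every run is kept as a distinct snapshot.
main() {
    bom="/var/tmp/os-bom-$(date +%F).json"
    generate_os_sbom "$bom"
    upload_sbom "$bom" "$(hostname -f)" "$(date +%F)"
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh sbom-upload.sh run` from the scheduled task. The validation step is the part worth keeping even if the upload mechanism differs: a scan that silently receives an empty SBOM produces no findings and is indistinguishable from a clean host.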

The dependency tracing system automatically scans every uploaded SBOM for known vulnerabilities. Its vulnerability database is currently a mirror of the NIST NVD feed, so findings are only as current as that mirror: an advisory that NVD has not yet published will not appear in the scan results.

Service teams can configure automatic alerting. At present a manual process is used instead: the vulnerability scan results are reviewed once a day.