The CI pipeline does not scan for known-CVE transitive dependencies. The 1.13 security audit reviewed the runtime dependency inventory manually and found none, but an automated gate keeps that true across updates.
Add an OWASP Dependency-Check (or equivalent) job to ci.yml, failing on high-severity advisories in the compile-scope dependency graph. Test and provided scope (Spring Boot, Jackson, drivers) are the user's responsibility and can be excluded or reported non-failing.
Also consider (lower priority): pinning the first-party GitHub Actions (actions/*, gradle/*, codecov/*) to commit SHAs rather than major-version tags, for supply-chain defense on the release workflows.
The CI pipeline does not scan for known-CVE transitive dependencies. The 1.13 security audit reviewed the runtime dependency inventory manually and found none, but an automated gate keeps that true across updates.
Add an OWASP Dependency-Check (or equivalent) job to ci.yml, failing on high-severity advisories in the compile-scope dependency graph. Test and provided scope (Spring Boot, Jackson, drivers) are the user's responsibility and can be excluded or reported non-failing.
Also consider (lower priority): pinning the first-party GitHub Actions (
actions/*,gradle/*,codecov/*) to commit SHAs rather than major-version tags, for supply-chain defense on the release workflows.