Dependency Management and SBOM

Overview

The Dependencies page provides a complete Software Bill of Materials (SBOM) for your connected repositories. View all direct and transitive dependencies, identify vulnerable packages, and track remediation.

SBOM (Software Bill of Materials)

What is SBOM?

An SBOM is an inventory of all software components:

  • Direct dependencies
  • Transitive dependencies
  • Versions
  • Licenses
  • Vulnerabilities

Generating SBOMs

  1. Connect Repository

    Link your code repositories via VCS integration.

  2. Scan

    Bastion analyzes package manifests.

  3. Generate

    SBOM generated in standard format.

  4. Monitor

    Continuous monitoring for changes.

SBOM Formats

Format       Description
SPDX         Linux Foundation standard
CycloneDX    OWASP standard
JSON         Custom JSON format

Dependency Scanning

What We Scan

Ecosystem        Manifest Files
JavaScript/Node  package.json, package-lock.json, yarn.lock
Python           requirements.txt, Pipfile, pyproject.toml
Java             pom.xml, build.gradle
Go               go.mod, go.sum
Ruby             Gemfile, Gemfile.lock
PHP              composer.json, composer.lock
Rust             Cargo.toml, Cargo.lock
C#/.NET          *.csproj, packages.config

Scan Process

  1. Parse manifest files
  2. Resolve all dependencies (including transitive)
  3. Check against vulnerability databases
  4. Calculate risk scores
  5. Generate reports
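The following is an added example, not Bastion's own code, showing what steps 1 to 3 of the scan look like in practice and how the result feeds an SBOM in the CycloneDX format listed above: it parses a constructed package.json and lockfileVersion 3 package-lock.json, labels each package direct or transitive, matches installed versions against a constructed advisory list in a simplified OSV-like shape (the advisory IDs `EXAMPLE-ADV-0001` and `EXAMPLE-ADV-0002` and all package names are placeholders), and emits a minimal CycloneDX 1.5 document. Note that the only finding is on a transitive package, which is exactly the case a manifest-only review would miss.

```python
"""Minimal dependency scan: parse manifests, mark direct vs. transitive,
match against an advisory list, and emit a CycloneDX-style SBOM.
Added example; all package names, versions and advisory IDs are constructed."""
import json

# Constructed sample manifest (direct dependencies only).
PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "version": "1.0.0",
    "dependencies": {"web-framework": "^2.1.0", "log-util": "~1.4.0"},
})

# Constructed lock file: resolved versions, including one transitive package.
PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^2.1.0", "log-util": "~1.4.0"}},
        "node_modules/web-framework": {"version": "2.1.3", "license": "MIT",
                                       "dependencies": {"query-parse": "^0.9.0"}},
        "node_modules/log-util": {"version": "1.4.2", "license": "Apache-2.0"},
        "node_modules/query-parse": {"version": "0.9.1", "license": "MIT"},
    },
})

# Constructed advisories in a simplified OSV-like shape (placeholder IDs, not real CVEs).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "query-parse", "severity": "HIGH",
     "introduced": "0.0.0", "fixed": "0.9.4"},
    {"id": "EXAMPLE-ADV-0002", "package": "log-util", "severity": "CRITICAL",
     "introduced": "1.0.0", "fixed": "1.4.0"},
]


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) for ordered comparison; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def parse_lock(lock_text):
    """Step 1/2: return {name: {version, license, deps}} from a lockfileVersion 3 file."""
    data = json.loads(lock_text)
    pkgs = {}
    for path, info in data["packages"].items():
        if path == "":            # the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]
        pkgs[name] = {"version": info["version"],
                      "license": info.get("license", "UNKNOWN"),
                      "deps": list(info.get("dependencies", {}))}
    return pkgs


def classify(manifest_text, pkgs):
    """Packages named in the manifest are direct; everything else in the lock is transitive."""
    direct = set(json.loads(manifest_text).get("dependencies", {}))
    return {n: ("direct" if n in direct else "transitive") for n in pkgs}


def is_affected(version, adv):
    """Half-open range check: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def scan(manifest_text, lock_text, advisories):
    """Step 3: check every resolved package against the advisory list."""
    pkgs = parse_lock(lock_text)
    kind = classify(manifest_text, pkgs)
    findings = []
    for name, info in pkgs.items():
        for adv in advisories:
            if adv["package"] == name and is_affected(info["version"], adv):
                findings.append({"package": name, "version": info["version"],
                                 "type": kind[name], "advisory": adv["id"],
                                 "severity": adv["severity"], "fixed": adv["fixed"]})
    return findings


def to_cyclonedx(lock_text, manifest_text):
    """Emit a minimal CycloneDX 1.5 JSON document; dependency type goes in 'properties'."""
    pkgs = parse_lock(lock_text)
    kind = classify(manifest_text, pkgs)
    components = [{"type": "library", "name": n, "version": i["version"],
                   "purl": f"pkg:npm/{n}@{i['version']}",
                   "licenses": [{"license": {"id": i["license"]}}],
                   "properties": [{"name": "dependency-type", "value": kind[n]}]}
                  for n, i in pkgs.items()]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}


if __name__ == "__main__":
    for finding in scan(PACKAGE_JSON, PACKAGE_LOCK, ADVISORIES):
        print(finding)
    print(json.dumps(to_cyclonedx(PACKAGE_LOCK, PACKAGE_JSON), indent=2))
```

The version comparison is deliberately simple (numeric dot-separated parts only); a production scanner needs the ecosystem's real version semantics (npm semver pre-release tags, PEP 440 for Python, and so on), which is one reason Bastion resolves dependencies per ecosystem rather than by string comparison.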

Vulnerability Sources

Source              Coverage
NVD                 National Vulnerability Database
GitHub Advisory     GitHub Security Advisories
OSV                 Open Source Vulnerability Database
Vendor Advisories   Direct from maintainers

Viewing Results

Dependencies Table

View all dependencies with a toggle to show only those with vulnerabilities:

Column              Description
Name                Package name
Version             Installed version
Latest              Latest available version
License             Package license
Vulnerabilities     CVE count
Direct/Transitive   Dependency type

Vulnerability Details

Click a vulnerability to see:

  • CVE ID and description
  • Severity (CVSS score)
  • Affected versions
  • Fixed version
  • Remediation guidance

Remediation

Upgrade Dependencies

To fix vulnerabilities:

  1. Review vulnerability details
  2. Check fixed version compatibility
  3. Update package manifest
  4. Test changes
  5. Deploy update
  6. Verify fix

Remediation Workflow

Action    When to Use
Upgrade   Fixed version available
Replace   Alternative package exists
Patch     Apply security patch
Accept    Risk accepted (documented)

Pull Request Integration

Bastion can create PRs:

  1. Enable auto-PR in settings
  2. Configure target branches
  3. Bastion creates PRs for fixes
  4. Review and merge

License Compliance

License Detection

Bastion detects the license of each dependency and supports:

  • MIT, Apache, GPL, BSD, etc.
  • License compatibility checking
  • Policy enforcement

License Policies

Define acceptable licenses:

  1. Go to Settings → License Policy
  2. Add allowed licenses
  3. Add restricted licenses
  4. Enable enforcement
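As an added example (not Bastion's own policy engine), this shows how an allowed/restricted license policy like the one configured above is evaluated against a dependency inventory. The policy, package names and license expressions are constructed. It handles SPDX expressions rather than bare identifiers: a package offered under `A OR B` is acceptable if any alternative is allowed, while `A AND B` requires every part to be allowed, and anything the policy does not name is reported as unknown rather than silently passed.

```python
"""License policy evaluation over dependency license expressions.
Added example; policy, package names and licenses are constructed."""

# Constructed policy: allowed and restricted SPDX identifiers.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"},
    "restricted": {"GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"},
    "block_on_violation": True,
}

# Constructed dependency inventory: (name, version, SPDX license expression).
DEPENDENCIES = [
    ("web-framework", "2.1.3", "MIT"),
    ("crypto-helper", "0.4.0", "(MIT OR GPL-3.0-only)"),   # dual-licensed: MIT alternative is fine
    ("db-driver", "3.2.0", "AGPL-3.0-only"),                # restricted
    ("mystery-lib", "1.0.0", "UNKNOWN"),                    # not in either list
    ("dual-lib", "2.0.0", "Apache-2.0 AND BSD-3-Clause"),   # both parts must be allowed
]


def evaluate(expr, policy):
    """Return 'allowed', 'restricted' or 'unknown' for an SPDX license expression.
    Handles one level of 'OR' / 'AND' with optional surrounding parentheses."""
    expr = expr.strip().strip("()").strip()
    if " OR " in expr:
        results = [evaluate(p, policy) for p in expr.split(" OR ")]
        if "allowed" in results:          # any allowed alternative is enough
            return "allowed"
        return "restricted" if "restricted" in results else "unknown"
    if " AND " in expr:
        results = [evaluate(p, policy) for p in expr.split(" AND ")]
        if "restricted" in results:       # one restricted part taints the whole
            return "restricted"
        return "allowed" if all(r == "allowed" for r in results) else "unknown"
    if expr in policy["allowed"]:
        return "allowed"
    if expr in policy["restricted"]:
        return "restricted"
    return "unknown"


def check_inventory(deps, policy):
    """Produce per-dependency verdicts plus the gate decision for enforcement."""
    verdicts = [{"package": n, "version": v, "license": lic, "verdict": evaluate(lic, policy)}
                for n, v, lic in deps]
    violations = [d for d in verdicts if d["verdict"] == "restricted"]
    unknowns = [d for d in verdicts if d["verdict"] == "unknown"]
    blocked = bool(policy["block_on_violation"] and violations)
    return {"verdicts": verdicts, "violations": violations,
            "unknowns": unknowns, "blocked": blocked}


if __name__ == "__main__":
    result = check_inventory(DEPENDENCIES, POLICY)
    for d in result["verdicts"]:
        print(f"{d['package']:<14} {d['license']:<30} {d['verdict']}")
    print("blocked:", result["blocked"], "| unknown licenses:", len(result["unknowns"]))
```

Unknown licenses are surfaced separately on purpose: treating an unrecognised expression as allowed would let an unreviewed package through, and treating it as restricted would block builds on every metadata gap, so a reviewer should decide.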

License Violations

When a restricted license is detected:

  • Alert generated
  • Issue created
  • Blocking (optional)

Monitoring

Continuous Scanning

Scans run:

  • On each commit (if webhooks enabled)
  • Daily scheduled scan
  • Manual trigger via the Rescan button

Alerts

Configure alerts for:

Alert Type          Trigger
New Critical        Critical CVE discovered
New High            High-severity CVE discovered
New Dependency      Dependency added
License Violation   Restricted license detected

Reporting

Security Reports

Available reports:

  • Vulnerability summary
  • Dependency inventory
  • License compliance
  • Trend analysis

Compliance Evidence

SBOM documentation supports:

Framework    Requirement
SOC 2        CC7.1
ISO 27001    A.14.1.2
HIPAA        §164.312(e)

Best Practices

Keep Dependencies Updated

Regular updates prevent vulnerability accumulation. Automate where possible.

Minimize Dependencies

Fewer dependencies mean a smaller attack surface. Regularly audit whether each dependency is still needed.

Lock Versions

Use lock files to ensure reproducible builds and prevent supply chain attacks.
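To show the mechanism behind that advice, here is an added example (not Bastion's code) of the check a lock file makes possible: package-lock.json records an `integrity` field in Subresource Integrity form (`sha512-<base64 digest>`) for each resolved package, and an installer recomputes the digest of the fetched archive before unpacking it. The archive bytes and lock entry below are constructed, and the `resolved` URL is a placeholder; a tampered archive fails the check even though its version string is unchanged.

```python
"""Verify a fetched package archive against the SRI hash recorded in a lock file.
Added example; archive contents, lock entry and URL are constructed."""
import base64
import hashlib
import hmac

# Constructed bytes standing in for a downloaded tarball and a modified copy of it.
GOOD_ARCHIVE = b"demo tarball contents for log-util 1.4.2"
TAMPERED_ARCHIVE = b"demo tarball contents for log-util 1.4.2 + injected payload"


def sri_hash(data, algo="sha512"):
    """Compute an SRI string 'algo-<base64 digest>' as lock files record it."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_integrity(data, expected_sri):
    """Return True only if the archive hashes to the lock file's integrity value.
    Unsupported algorithms are an error; malformed digests simply fail verification."""
    algo, _, expected_b64 = expected_sri.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    try:
        expected = base64.b64decode(expected_b64, validate=True)
    except ValueError:            # covers binascii.Error, a ValueError subclass
        return False
    actual = hashlib.new(algo, data).digest()
    # Constant-time comparison so a mismatch does not leak where the digests diverge.
    return hmac.compare_digest(actual, expected)


# Constructed lock entry in the shape package-lock.json uses (placeholder URL).
LOCK_ENTRY = {
    "version": "1.4.2",
    "resolved": "https://registry.example.invalid/log-util/-/log-util-1.4.2.tgz",
    "integrity": sri_hash(GOOD_ARCHIVE),
}


if __name__ == "__main__":
    print("good archive   :", verify_integrity(GOOD_ARCHIVE, LOCK_ENTRY["integrity"]))
    print("tampered archive:", verify_integrity(TAMPERED_ARCHIVE, LOCK_ENTRY["integrity"]))
```

This is why the lock file itself must be reviewed and committed: an attacker who can change both the archive and the `integrity` line in the same commit defeats the check, so lock-file diffs in pull requests deserve the same scrutiny as code.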

Monitor All Repositories

Include all repositories, even internal tools and scripts.

Next Steps