Skip to main content
Version: v4.2.25

Security Monitoring

InvenTag implements comprehensive security monitoring to continuously assess and track the security posture of the codebase and its dependencies.

Monitoring Components

Automated Vulnerability Scanning

  • Multi-language scanning for Python and JavaScript/Node.js
  • Weekly scheduled scans to detect new vulnerabilities
  • Push and PR triggers for immediate security feedback
  • Multiple scanning tools for comprehensive coverage

Dependency Monitoring

  • Real-time tracking of all project dependencies
  • Automated alerts for vulnerable dependencies
  • License compliance monitoring
  • Supply chain security assessment

Security Workflow Integration

  • SBOM generation with every documentation build
  • CVE tracking between versions
  • Automated issue creation for high-severity findings
  • Security changelog generation

Monitoring Tools

Python Security

  • Bandit: Static analysis for Python security issues
  • Safety: Known vulnerability database checking
  • pip-audit: Advanced dependency vulnerability analysis

JavaScript/Node.js Security

  • npm audit: Node.js dependency vulnerability scanner
  • Retire.js: JavaScript library vulnerability detection
  • ESLint Security: Code-level security analysis

Multi-Language Analysis

  • Semgrep: Cross-language static analysis
  • Trivy: Comprehensive vulnerability scanning
  • Grype: Container and dependency scanning

Infrastructure Security

  • GitHub Actions workflow security analysis
  • Container configuration security scanning
  • Secrets detection across all files

Alert Thresholds

High Priority Alerts

  • Critical vulnerabilities (CVSS 9.0+)
  • High-severity issues (CVSS 7.0+)
  • More than 20 total findings across all tools

Medium Priority Monitoring

  • Medium-severity vulnerabilities (CVSS 4.0-6.9)
  • 10-20 total findings requiring review
  • License compliance issues

Continuous Monitoring

  • Low-severity issues for trending analysis
  • New dependency additions for approval
  • Configuration changes affecting security

Monitoring Frequency

Continuous (Every Push/PR)

  • SBOM generation with documentation builds
  • Security scanning on code changes
  • Dependency analysis on package updates

Weekly Scheduled

  • Comprehensive vulnerability scan every Sunday
  • SBOM and CVE tracking workflow
  • Security changelog updates

Release-Based

  • Version-specific SBOM generation
  • Security impact analysis between versions
  • Compliance documentation updates

Response Procedures

High-Severity Findings

  1. Automated issue creation with detailed information
  2. Security team notification via GitHub alerts
  3. Priority assignment for rapid response
  4. Remediation tracking until resolution

Regular Findings

  1. Documentation updates with findings
  2. Security artifact retention for analysis
  3. Trend analysis for proactive management
  4. Scheduled review during development cycles

Security Artifacts

Generated Reports

  • Security scan results in multiple formats
  • SBOM files for compliance and analysis
  • Vulnerability reports with detailed findings
  • Security changelogs between versions

Retention Policies

  • Security artifacts: 365 days for compliance tracking
  • SBOM files: Permanent retention for historical analysis
  • Scan reports: 90 days for operational review

Integration Points

GitHub Actions

  • Automated workflows for security scanning
  • Artifact collection and retention
  • Status reporting and alerting

Documentation System

  • Real-time SBOM integration
  • Security status in documentation
  • Historical tracking of security posture

Development Workflow

  • PR security checks before merging
  • Pre-deployment scanning for releases
  • Continuous feedback to development team

Security monitoring is an integral part of InvenTag's development and deployment process, ensuring continuous visibility into the security posture of the project.