
Trust Center

Dependency Governance

Structured management of dependencies: lockfile management, SCA, update governance, and risk acceptance.

Classification: Self-disclosure
Review Status: reviewed
Last Review: 2026-06-15
External Audit: no
Next Review: 2026-12-15
Owner: Engineering
Note: This content consists of implementation aids and curated guidance. It does not replace legal advice or binding supervisory interpretation.

Dependency Risks

Classification and assessment of risks from external dependencies in the software supply chain.

Supply Chain Risks

  • Compromised upstream packages (e.g., malware in npm/Packagist)
  • Dependency confusion attacks
  • Typo-squatting and brand jacking attacks
  • Unknown transitive dependencies

Technical Risks

  • Outdated or unmaintained libraries
  • Breaking changes in major updates
  • Incompatible license models
  • Non-reproducible builds (floating version ranges or missing lock files, so two installs can yield different dependency trees)

Lockfile Governance

Mandatory lockfile requirements to ensure deterministic and reproducible installations.

composer.lock

PHP
  • Must be committed to VCS
  • No manual editing of the lock file
  • Regular updates via composer update; CI and production installs use composer install, which installs exactly the versions pinned in the lock file
  • Diff review on lockfile changes in PRs

package-lock.json

Node
  • Must be committed to VCS
  • No manual editing of the lock file
  • Regular updates via npm update
  • CI/CD installs with npm ci, which installs exactly what package-lock.json pins and fails if package.json and the lock file disagree
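The lock file rules above stop at "commit it and review the diff". The following added example (not code from this page or the project it describes) is a policy check that a CI step can run on package-lock.json before npm ci: every dependency must carry a resolved URL and a strong integrity hash, every URL must point at an approved registry, and a private scope must never resolve to the public registry, which is the signature of a dependency confusion attack. It assumes lockfileVersion 2 or 3; the registry allowlist, the private scope @acme/ and the sample lock file are constructed for illustration.

```python
"""Policy check on package-lock.json before npm ci runs in CI.

Added example, not code from the page or the project it describes.
Assumes lockfileVersion 2 or 3 (the "packages" map). The registry allowlist,
the private scope and the sample lock file below are constructed.
"""
import json
import sys

# Sources from which a resolved tarball may come. Assumption: the public
# registry plus a hypothetical internal registry that serves private scopes.
ALLOWED_REGISTRIES = (
    "https://registry.npmjs.org/",
    "https://npm.internal.example/",
)
PUBLIC_REGISTRY = ALLOWED_REGISTRIES[0]
# Hypothetical private scope. If one of these resolves to the public registry,
# a same-named package has been published there (dependency confusion).
PRIVATE_SCOPES = ("@acme/",)


def check_lockfile(lock):
    """Return a list of policy violations; an empty list means the lock file passes."""
    problems = []
    if lock.get("lockfileVersion", 1) < 2:
        return ["lockfileVersion < 2: no 'packages' map, regenerate with a current npm"]
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # the root project itself, or a workspace symlink: nothing is fetched
        # Nested installs look like node_modules/a/node_modules/b; the package
        # name is whatever follows the last node_modules/ segment.
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        integrity = entry.get("integrity", "")
        if not resolved:
            problems.append(f"{name}: no 'resolved' URL, install is not reproducible")
        elif not resolved.startswith(ALLOWED_REGISTRIES):
            problems.append(f"{name}: resolved from unapproved source {resolved}")
        elif name.startswith(PRIVATE_SCOPES) and resolved.startswith(PUBLIC_REGISTRY):
            problems.append(f"{name}: private scope resolved from the public registry (dependency confusion)")
        if not integrity.startswith(("sha512-", "sha256-")):
            problems.append(f"{name}: missing or weak 'integrity' hash")
    return problems


# Constructed lock file: one clean entry, one private-scope package that
# resolves to the public registry, and one entry with neither URL nor hash.
# The integrity values are placeholders, not real hashes.
SAMPLE_LOCK = json.loads("""{
  "name": "example-app", "version": "1.0.0", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0",
         "dependencies": {"left-pad": "^1.3.0", "@acme/auth": "^2.0.0", "debug": "^4.3.4"}},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER"},
    "node_modules/@acme/auth": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/@acme/auth/-/auth-2.0.1.tgz",
      "integrity": "sha512-PLACEHOLDER"},
    "node_modules/debug": {"version": "4.3.4"}
  }
}""")


if __name__ == "__main__":
    # Usage: python check_lockfile.py [path/to/package-lock.json]; without an
    # argument the constructed sample is checked. A non-zero exit fails the CI step.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    violations = check_lockfile(lock)
    print("\n".join(violations) or "lock file passes policy")
    sys.exit(1 if violations else 0)
```

Run it against the sample and it reports three violations: the private-scope package pulled from the public registry, and the entry for debug that has neither a resolved URL nor an integrity hash. The check deliberately runs before npm ci, because npm ci will happily install whatever the lock file says, including an attacker's package, as long as the hash matches.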

Software Composition Analysis (SCA)

Automated security analysis of open-source dependencies using recognized tooling.

composer audit

PHP
  • Checks composer.lock against the security advisories served by Packagist (which incorporate the FriendsOfPHP/security-advisories database)
  • Part of the CI pipeline: composer audit --format=json
  • Blocks the build on critical (CVSS ≥ 9.0) advisories; because composer audit exits non-zero as soon as any advisory matches, the threshold is applied by parsing the JSON output rather than by relying on the exit code

npm audit

Node
  • Sends the dependency tree from package-lock.json to the npm registry's advisory endpoint
  • Part of the CI pipeline: npm audit --audit-level=high (the exit code is non-zero only for high and critical findings)
  • Escalates critical findings to the Security team

Update Strategy

Automated version management and update governance using Renovate and a structured PR process.

Renovate Bot

  • Automated dependency updates via renovate.json
  • Grouping of logically related updates
  • Auto-merge only for patch and minor updates with passing tests
  • Major updates require manual review by the Engineering team

PR Governance

  • Every dependency PR includes SCA result and changelog reference
  • At least one code review before merge
  • CI pipeline must be fully green
  • Changelog entry in Keep a Changelog format for breaking changes

Risk Acceptance Process

Formal process for accepting irresolvable or knowingly incurred dependency risks.

  1. Identification: SCA finding or manual risk entry in the Risk Register
  2. Assessment: Classification (CVSS, impact, likelihood) by the Security team
  3. Remediation Check: Is there a patch, workaround, or alternative? If not, proceed to acceptance.
  4. Acceptance: Formal risk acceptance by CISO or Engineering Lead with rationale, validity period, and mitigation plan
  5. Monitoring: Recurring review of accepted risks in the quarterly Risk Review Board
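The SCA gate and the Risk Acceptance Process only work together if the build knows which findings have been formally accepted and for how long. The following added example (not the page's or the project's own tooling) is a CI gate over the output of npm audit --json: it applies the high severity threshold, suppresses findings that are in the accepted-risk register while their validity period lasts, fails the build again once an acceptance has expired so the item returns to the Risk Review Board, and lists critical unhandled findings for escalation to the Security team. It assumes the npm 7+ audit report format (auditReportVersion 2); the report, the register entries and the GHSA-style advisory identifiers are constructed for illustration.

```python
"""CI gate over `npm audit --json` with a risk-acceptance register.

Added example for the SCA and Risk Acceptance sections; not the page's or the
project's own tooling. Assumes npm >= 7 report format (auditReportVersion 2).
The report, the register and the advisory identifiers below are constructed.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def evaluate_audit(report, accepted_risks, threshold="high", today=None):
    """Classify every advisory in an npm audit report.

    Returns {"findings": [...], "escalate": [...], "passed": bool}. A finding is
    "accepted" only while its register entry is within the validity period; an
    expired acceptance blocks the build exactly like an unhandled finding.
    `today` is an ISO date string, defaulting to the current date.
    """
    today = date.fromisoformat(today) if today else date.today()
    register = {a["advisory"]: a for a in accepted_risks}
    findings, escalate = [], []
    for package, vuln in report.get("vulnerabilities", {}).items():
        # `via` holds advisory objects for the package's own advisories and plain
        # strings for packages affected only through a dependency; the latter are
        # covered by the root cause's own entry, so skip them here.
        for adv in (v for v in vuln.get("via", []) if isinstance(v, dict)):
            severity = adv["severity"]
            finding = {"package": package, "advisory": adv["url"],
                       "severity": severity, "direct": vuln.get("isDirect", False)}
            if SEVERITY_RANK[severity] < SEVERITY_RANK[threshold]:
                finding["status"] = "below_threshold"
            elif adv["url"] in register:
                entry = register[adv["url"]]
                valid_until = date.fromisoformat(entry["valid_until"])
                finding["status"] = "accepted" if valid_until >= today else "expired"
                finding["approved_by"] = entry["approved_by"]
            else:
                finding["status"] = "blocking"
            if finding["status"] in ("blocking", "expired") and severity == "critical":
                escalate.append(package)  # critical unhandled findings go to the Security team
            findings.append(finding)
    passed = not any(f["status"] in ("blocking", "expired") for f in findings)
    return {"findings": findings, "escalate": escalate, "passed": passed}


# Constructed audit report. Advisory URLs use placeholder GHSA-style identifiers.
SAMPLE_REPORT = json.loads("""{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "minimist": {"name": "minimist", "severity": "critical", "isDirect": false,
      "via": [{"source": 1, "name": "minimist", "dependency": "minimist",
               "title": "Prototype pollution (constructed)", "severity": "critical",
               "url": "https://github.com/advisories/GHSA-0000-0000-0001",
               "cvss": {"score": 9.8}, "range": "<1.2.6"}],
      "effects": ["mkdirp"], "range": "<1.2.6", "nodes": ["node_modules/minimist"], "fixAvailable": true},
    "mkdirp": {"name": "mkdirp", "severity": "critical", "isDirect": true,
      "via": ["minimist"], "effects": [], "range": "0.4.1 - 0.5.1",
      "nodes": ["node_modules/mkdirp"], "fixAvailable": true},
    "lodash": {"name": "lodash", "severity": "high", "isDirect": true,
      "via": [{"source": 2, "name": "lodash", "dependency": "lodash", "title": "ReDoS (constructed)",
               "severity": "high", "url": "https://github.com/advisories/GHSA-0000-0000-0002",
               "cvss": {"score": 7.5}, "range": "<4.17.21"}],
      "effects": [], "range": "<4.17.21", "nodes": ["node_modules/lodash"], "fixAvailable": true},
    "ws": {"name": "ws", "severity": "high", "isDirect": false,
      "via": [{"source": 3, "name": "ws", "dependency": "ws", "title": "DoS (constructed)",
               "severity": "high", "url": "https://github.com/advisories/GHSA-0000-0000-0003",
               "cvss": {"score": 7.5}, "range": "<8.17.1"}],
      "effects": [], "range": "<8.17.1", "nodes": ["node_modules/ws"], "fixAvailable": true},
    "semver": {"name": "semver", "severity": "moderate", "isDirect": true,
      "via": [{"source": 4, "name": "semver", "dependency": "semver", "title": "ReDoS (constructed)",
               "severity": "moderate", "url": "https://github.com/advisories/GHSA-0000-0000-0004",
               "cvss": {"score": 5.3}, "range": "<7.5.2"}],
      "effects": [], "range": "<7.5.2", "nodes": ["node_modules/semver"], "fixAvailable": true}
  },
  "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 2, "critical": 2, "total": 5}}
}""")

# Constructed register entries, mirroring what the acceptance step records:
# rationale, approver, and a validity period after which the risk is re-reviewed.
ACCEPTED_RISKS = [
    {"advisory": "https://github.com/advisories/GHSA-0000-0000-0002", "package": "lodash",
     "approved_by": "Engineering Lead", "valid_until": "2099-12-31",
     "rationale": "vulnerable function not reachable; upgrade bundled with next major update"},
    {"advisory": "https://github.com/advisories/GHSA-0000-0000-0003", "package": "ws",
     "approved_by": "CISO", "valid_until": "2025-12-31",
     "rationale": "service not exposed to untrusted clients; mitigation plan: upgrade in Q4"},
]

if __name__ == "__main__":
    # Usage: npm audit --json > audit.json; python audit_gate.py audit.json register.json
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as fh, open(sys.argv[2]) as rh:
            result = evaluate_audit(json.load(fh), json.load(rh))
    else:
        result = evaluate_audit(SAMPLE_REPORT, ACCEPTED_RISKS)
    for f in result["findings"]:
        print(f"{f['status']:16} {f['severity']:9} {f['package']:10} {f['advisory']}")
    if result["escalate"]:
        print("escalate to Security team:", ", ".join(result["escalate"]))
    sys.exit(0 if result["passed"] else 1)
```

With the constructed data the gate blocks on minimist (critical, not accepted, escalated), passes lodash under a live acceptance, blocks ws because its acceptance lapsed at the end of 2025, and ignores semver as below the high threshold. Keying acceptances on the advisory identifier rather than on the package name matters: a new advisory against the same package must never inherit an old acceptance.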

ISO 27001 Connection

Dependency Governance addresses ISO controls for supply chain security, threat analysis, and policy compliance.

  • A.5.1 — Information security policies
  • A.5.7 — Threat intelligence
  • A.5.36 — Compliance with policies and standards

ISO/IEC 27001:2022 serves as the control anchor and management-system reference. The link to ISO 27001 supports integrated resilience and security programs.

Maturity Level

  1. Initial

    Ad-hoc approaches, no formal processes

  2. Defined

    Formal processes defined, but not consistently implemented

  3. Implemented

    Processes fully implemented and documented

  4. Monitored

    Processes are monitored and measured

  5. Optimized

    Continuous improvement and adaptation