v2.4.0

Every third-party dependency (Python packages, npm modules, system libraries) must be scanned against known vulnerability databases (CVE, OSV) at every build. The scan should fail the pipeline if any dependency has a known critical or high-severity vulnerability without an approved exception.

Snyk, Dependabot, and pip-audit scan the project’s dependency tree and alert on vulnerable versions. OWASP Dependency-Check provides an open-source alternative with NIST NVD integration. The scanner runs on every commit and blocks merges if critical vulnerabilities are found. For vulnerabilities without available patches, the AI Governance Lead may approve a time-limited exception with documented justification and compensating controls.
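
The merge-blocking and exception logic described above, as an added example that is not the page's or any listed tool's own code: it gates a build on normalised scan findings and honours an exception only while it is unexpired, fully documented, and covers a vulnerability with no available fix. The FINDINGS and EXCEPTIONS records are constructed, and their field names are an assumed schema rather than the real output format of pip-audit, Snyk or Dependabot.

```python
# Added example, not the page's own tooling: a merge gate over normalised
# dependency-scan findings. FINDINGS/EXCEPTIONS are constructed and their
# field names are an assumed schema, not any real scanner's output format.
import sys
from datetime import date

BLOCKING = {"critical", "high"}

# Constructed scan output: one record per (package, vulnerability).
FINDINGS = [
    {"package": "examplelib", "version": "1.2.0", "id": "EXAMPLE-VULN-0001",
     "severity": "critical", "fix_versions": ["1.2.1"]},
    {"package": "otherlib", "version": "0.9.0", "id": "EXAMPLE-VULN-0002",
     "severity": "high", "fix_versions": []},
    {"package": "thirdlib", "version": "3.0.0", "id": "EXAMPLE-VULN-0003",
     "severity": "medium", "fix_versions": []},
]

# Constructed exception register: honoured only while unexpired and only if
# approver, justification and compensating controls are all recorded.
EXCEPTIONS = [
    {"package": "otherlib", "id": "EXAMPLE-VULN-0002", "expires": "2025-01-31",
     "approver": "AI Governance Lead",
     "justification": "no upstream patch; component has no network exposure",
     "compensating_controls": ["egress blocked", "inputs validated upstream"]},
]

def exception_is_valid(exc, today):
    """Unexpired and fully documented; anything less does not count."""
    return bool(date.fromisoformat(exc["expires"]) >= today
                and exc.get("approver") and exc.get("justification")
                and exc.get("compensating_controls"))

def gate(findings, exceptions, today_iso):
    """Return the findings that block the merge on the given ISO date.

    Critical/high findings block unless a valid exception names that exact
    package and vulnerability id, and exceptions are honoured only where no
    fix version exists: if a patch is available, upgrading is the expected path.
    """
    today = date.fromisoformat(today_iso)
    covered = {(e["package"], e["id"]) for e in exceptions if exception_is_valid(e, today)}
    return [f for f in findings if f["severity"].lower() in BLOCKING
            and not ((f["package"], f["id"]) in covered and not f["fix_versions"])]

if __name__ == "__main__":  # non-zero exit fails the CI job
    blocked = gate(FINDINGS, EXCEPTIONS, date.today().isoformat())
    for f in blocked:
        print(f"BLOCK {f['package']}=={f['version']} {f['id']} ({f['severity']})")
    sys.exit(1 if blocked else 0)
```

In a real pipeline the FINDINGS list would be built from the scanner's report and the EXCEPTIONS list loaded from a version-controlled register, so expiry and approval are reviewable alongside the code.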

Dependency scanning is essential for supply chain security. An AI system’s inference behaviour depends on the correctness of its entire dependency tree; a compromised library could alter model outputs, exfiltrate data, or introduce backdoors. The scan results are retained as Module 9 evidence, and the dependency vulnerability status is reviewed as part of the periodic security assessment.

Key outputs

  • Dependency scanning tool configuration (Snyk, Dependabot, pip-audit, or OWASP)
  • CI pipeline integration with merge blocking on critical/high vulnerabilities
  • Exception approval process for unpatched vulnerabilities
  • Module 9 AISDP evidence