v2.4.0

This artefact comprises the results from dependency scanning, licence compliance scanning, secret detection, and container vulnerability scanning. Each scan result is timestamped and linked to the pipeline execution that produced it.

Alongside the scan results, remediation records document how identified vulnerabilities were addressed. For each vulnerability, the record captures the vulnerability identifier (CVE or equivalent), the severity, the affected component, the remediation action (patch, upgrade, replacement, or exception), the date of remediation, and the identity of the person who performed or approved the remediation.

For vulnerabilities that were accepted through the exception process, the remediation record includes the exception justification, the compensating controls, and the expiry date. The collection of scan results and remediation records demonstrates proactive security management to assessors and regulators, showing that vulnerabilities are identified, tracked, and resolved systematically.
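
An added example, not part of the original documentation: a completeness check over the evidence set described above, flagging findings with no remediation record, records missing the listed attributes, and exception records that are incomplete or past expiry. The field names, identifiers and sample records are constructed assumptions, not a schema defined by this page.

```python
from datetime import date

# Field names are assumptions mirroring the attributes listed in the text.
REQUIRED = ("severity", "action", "remediated_on", "approved_by")
ACTIONS = {"patch", "upgrade", "replacement", "exception"}
EXCEPTION_FIELDS = ("justification", "compensating_controls", "expires_on")

def audit_evidence(findings, records, today):
    """Return sorted (vuln_id, component, problem) gaps in the evidence set."""
    # The same identifier can affect several components, so key on both.
    by_key = {(r.get("vuln_id"), r.get("component")): r for r in records}
    gaps = []
    for f in findings:
        key = (f["vuln_id"], f["component"])
        rec = by_key.get(key)
        if rec is None:
            gaps.append(key + ("no remediation record",))
            continue
        gaps += [key + (f"missing {n}",) for n in REQUIRED if not rec.get(n)]
        action = rec.get("action")
        if action and action not in ACTIONS:
            gaps.append(key + ("unrecognised action",))
        if action == "exception":
            gaps += [key + (f"missing {n}",) for n in EXCEPTION_FIELDS if not rec.get(n)]
            expires = rec.get("expires_on")
            if expires and expires < today:
                gaps.append(key + ("exception expired",))
    return sorted(gaps)

# Constructed sample data: placeholder identifiers, not real CVEs.
SAMPLE_FINDINGS = [
    {"vuln_id": "CVE-0000-0001", "component": "libexample", "pipeline_id": "run-101"},
    {"vuln_id": "CVE-0000-0002", "component": "base-image", "pipeline_id": "run-101"},
    {"vuln_id": "CVE-0000-0003", "component": "libother", "pipeline_id": "run-102"},
    {"vuln_id": "CVE-0000-0004", "component": "libexample", "pipeline_id": "run-102"},
]
_COMMON = {"severity": "high", "remediated_on": date(2024, 1, 10), "approved_by": "a.reviewer"}
SAMPLE_RECORDS = [
    {**_COMMON, "vuln_id": "CVE-0000-0001", "component": "libexample", "action": "upgrade"},
    {**_COMMON, "vuln_id": "CVE-0000-0002", "component": "base-image", "action": "exception",
     "justification": "no fixed image available", "compensating_controls": "network isolation",
     "expires_on": date(2024, 1, 31)},
    {**_COMMON, "vuln_id": "CVE-0000-0003", "component": "libother", "action": "exception",
     "justification": "code path not reachable", "compensating_controls": "",
     "expires_on": date(2024, 12, 31)},
]

if __name__ == "__main__":
    for gap in audit_evidence(SAMPLE_FINDINGS, SAMPLE_RECORDS, date(2024, 6, 1)):
        print(gap)
```
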

Key outputs

  • Security scan result archive across all pipeline executions
  • Remediation records per identified vulnerability
  • Exception records with justification and expiry
  • Module 9 AISDP evidence