Audit dependencies for known vulnerabilities as a CI gate
Run a dependency vulnerability audit in CI that fails on high/critical advisories; if you silence audit at install time, ensure a real audit runs elsewhere.
Bad example
```ini
# .npmrc silences install-time audit for cleaner logs...
audit=false

# ...and there is NO audit step anywhere in CI.
# Result: a transitive dep with a published critical CVE
# (e.g. a prototype-pollution or RCE advisory) ships to prod
# and nobody is alerted until it is exploited.
```
Explanation (EN)
`audit=false` is a reasonable way to keep install output clean, but with no compensating scan the project has zero visibility into known-vulnerable dependencies. Known CVEs in transitive packages (OWASP A06) are among the easiest things for attackers to find and the easiest for teams to miss.
Explanation (HR)
`audit=false` is a reasonable way to keep install output clean, but without a compensating scan the project has no visibility into known-vulnerable dependencies. Known CVEs in transitive packages (OWASP A06) are among the easiest things for attackers to find and the easiest for teams to miss.
Good example
```shell
# CI step — dedicated audit gate that fails on high+ severity
pnpm audit --audit-level=high

# or with a managed scanner:
# - Dependabot / Renovate alerts enabled on the repo
# - snyk test --severity-threshold=high

# Keeping audit=false in .npmrc for clean installs is then fine,
# because the CI gate provides the real signal and blocks the merge.
```
Explanation (EN)
A dedicated `pnpm audit --audit-level=high` step (or Snyk/Dependabot) turns vulnerability detection into a merge-blocking gate, so a known-critical advisory stops the pipeline instead of reaching production. Silencing install-time audit is then a cosmetic choice, not a security gap.
Explanation (HR)
A dedicated `pnpm audit --audit-level=high` step (or Snyk/Dependabot) turns vulnerability detection into a merge-blocking gate, so a known critical advisory stops the pipeline instead of reaching production. Silencing the audit at install time is then a cosmetic decision, not a security gap.
Exceptions / Tradeoffs (EN)
Audits produce false positives and unfixable transitive advisories; triage with an allowlist of reviewed advisory IDs (with expiry) rather than disabling the gate entirely. Pin the audit level (high/critical) to avoid alert fatigue from low-severity noise.
Exceptions / Tradeoffs (HR)
Audits produce false positives and unfixable transitive advisories; triage with an allowlist of reviewed advisory IDs (with expiry) instead of disabling the gate entirely. Pin the audit level (high/critical) to avoid alert fatigue from low-severity noise.
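The merge-blocking gate from the good example combined with the triage allowlist from the tradeoffs section, as an added example (not code from the rules library): it evaluates `pnpm audit --json` output against a severity threshold and an allowlist of reviewed advisory IDs with expiry dates. The report shape (an `advisories` map carrying `severity` and `github_advisory_id`), the advisory IDs and the allowlist format are assumptions for the example.

```javascript
// Added example (not from the rules library): a CI gate that turns
// `pnpm audit --json` output into a pass/fail decision. Advisories at or
// above the threshold block unless they are on an allowlist of reviewed
// IDs, and every allowlist entry must carry an expiry so a "temporary"
// exception cannot live forever. The report shape (an `advisories` map
// with `severity` and `github_advisory_id`) is assumed to match pnpm's
// npm-compatible audit JSON. In CI: pnpm audit --json | node audit-gate.js
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed allowlist of triaged advisories (IDs are placeholders).
const ALLOWLIST = [
  { id: "GHSA-xxxx-xxxx-xxx1", reason: "dev-only CLI, not reachable", expires: "2030-01-01" },
  { id: "GHSA-xxxx-xxxx-xxx2", reason: "awaiting upstream fix", expires: "2024-01-01" },
];

// Constructed stand-in for `pnpm audit --json` output.
const SAMPLE_REPORT = JSON.stringify({
  advisories: {
    "1001": { id: 1001, github_advisory_id: "GHSA-xxxx-xxxx-xxx1", module_name: "pkg-a", severity: "high", title: "Prototype pollution" },
    "1002": { id: 1002, github_advisory_id: "GHSA-xxxx-xxxx-xxx2", module_name: "pkg-b", severity: "critical", title: "Remote code execution" },
    "1003": { id: 1003, github_advisory_id: "GHSA-xxxx-xxxx-xxx3", module_name: "pkg-c", severity: "low", title: "ReDoS" },
  },
});

function evaluateAudit(reportJson, allowlist, threshold = "high", now = new Date()) {
  const report = JSON.parse(reportJson);
  // Split the allowlist into still-valid entries and expired ones.
  const active = new Set();
  const expired = [];
  for (const entry of allowlist) {
    if (new Date(entry.expires) > now) active.add(entry.id);
    else expired.push(entry.id);
  }
  const blocking = [];
  const suppressed = [];
  for (const adv of Object.values(report.advisories || {})) {
    // Below the gate level is noise; an unknown severity is NOT skipped (fail closed).
    if (SEVERITY_RANK[adv.severity] < SEVERITY_RANK[threshold]) continue;
    const key = adv.github_advisory_id || String(adv.id);
    if (active.has(key)) suppressed.push(key);
    else blocking.push({ id: key, pkg: adv.module_name, severity: adv.severity });
  }
  // Expired exceptions fail the gate too, forcing a re-triage instead of silent drift.
  return { pass: blocking.length === 0 && expired.length === 0, blocking, suppressed, expired };
}

// Stand-alone demo on the constructed report; a real gate would process.exit(1) when !pass.
console.log(JSON.stringify(evaluateAudit(SAMPLE_REPORT, ALLOWLIST, "high", new Date("2025-06-01")), null, 2));
```

On the constructed report the gate fails: the critical advisory's allowlist entry has expired, so it both blocks and is reported as a stale exception to re-triage, while the low-severity advisory is ignored at the `high` threshold.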