Code Security Scanning Policy
Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Effective date: 2026-05-13
Review cycle: Annual; interim revision upon material change to supported languages, repositories, or scanning platforms
Purpose
This policy defines security scanning expectations for code, dependencies, and repository configuration produced or maintained for customers.
Scope
This policy applies to application source, infrastructure-as-code, scripts, manifests, lockfiles, and repository settings under Cloudnaut control for customer engagements.
Policy
Customer-bound codebases are scanned with tooling appropriate to the language, repository host, and contract. Cloudnaut standard tooling includes GitHub Dependabot for supported GitHub repositories and Snyk for supported ecosystems, subject to customer repository policy and licensing.
Process
- Enable and maintain dependency and vulnerability alerting (Dependabot or equivalent) on supported GitHub repositories where permitted.
- Integrate Snyk for supported projects where customer and license terms allow.
- Review findings as part of the merge and release path prior to customer delivery.
- Remediate material findings or document risk acceptance with customer or engagement management approval when deferral is justified.
- Known critical issues are not delivered as final customer-facing releases unless the customer explicitly accepts the residual risk in writing.
Records
Typical evidence includes tool dashboards, exported reports, pull requests that remediate findings, and risk acceptance records.