The PCI Software Security Framework (launched January 2019) now requires continuous security monitoring of open source components in payment software. This is not just a checkbox exercise—it's a fundamental shift in how you build and deploy code that interacts with cardholder data.
Here's the problem: 37% of open source developers don't implement any security testing during their CI process. If you're handling payment data, you can't be in that 37%. The PCI Security Standards Council has made developers directly accountable for the security of their dependencies, which means your CI/CD pipeline needs to catch vulnerabilities before they reach production.
This playbook guides you through integrating open source security scanning into your existing pipeline. You'll get specific commands, tool configurations, and validation steps—not theory.
What You Need Before Starting
Pipeline Access and Permissions:
- Write access to your CI/CD configuration files (Jenkins, GitLab CI, GitHub Actions, CircleCI, etc.)
- Ability to add build steps and fail builds based on security criteria
- API tokens for your chosen scanning tool
Tool Selection: Choose a Software Composition Analysis (SCA) tool that can:
- Scan dependency manifests (package.json, requirements.txt, pom.xml, go.mod)
- Check against vulnerability databases in real-time
- Provide actionable remediation guidance
- Generate compliance reports for PCI SSF audits
Baseline Inventory: Before you start scanning, document what you're scanning:
- List all repositories that handle payment data
- Identify which package managers you use (npm, pip, Maven, Go modules)
- Note your current dependency update cadence
Failure Threshold Decision: Decide what breaks your build. Common starting points:
- Any critical or high-severity vulnerability with a known exploit
- Any vulnerability in a direct dependency (not transitive)
- Any vulnerability older than 90 days without a fix applied
Don't set the bar so high that every build fails and developers start bypassing the check.
Step-by-Step Implementation
Phase 1: Add Scanning to One Repository
Start with a non-critical repository to iterate on the configuration before rolling it out.
For GitHub Actions:
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run dependency scan
run: |
npm install -g snyk
snyk auth ${{ secrets.SNYK_TOKEN }}
snyk test --severity-threshold=high
- name: Monitor for new vulnerabilities
if: github.ref == 'refs/heads/main'
run: snyk monitor
For Jenkins:
stage('Security Scan') {
steps {
script {
sh 'snyk test --severity-threshold=high --json > snyk-results.json'
def results = readJSON file: 'snyk-results.json'
if (results.vulnerabilities.size() > 0) {
error("Security vulnerabilities found")
}
}
}
}
For GitLab CI:
security_scan:
stage: test
script:
- snyk test --severity-threshold=high
only:
- merge_requests
- main
Phase 2: Configure Developer Notifications
Developers need to see results immediately, not after a build fails.
Set up Pull Request Comments: Most SCA tools can comment directly on PRs with vulnerability details. Enable this in your tool's integration settings. The comment should show:
- Which dependency introduced the vulnerability
- The CVE identifier
- Available fix version
- Whether the vulnerability is exploitable in your context
Create a Slack Webhook for Failed Scans:
# Add to your CI script
if [ $SCAN_EXIT_CODE -ne 0 ]; then
curl -X POST -H 'Content-type: application/json' \
--data '{"text":"Security scan failed in '"$REPO_NAME"' - '"$BUILD_URL"'"}' \
$SLACK_WEBHOOK_URL
fi
Phase 3: Implement Continuous Monitoring
The PCI SSF requires ongoing monitoring, not just point-in-time scans.
Set up Scheduled Scans for Deployed Applications:
# GitHub Actions scheduled scan
name: Weekly Dependency Audit
on:
schedule:
- cron: '0 9 * * 1' # Every Monday at 9 AM
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: snyk monitor --org=payment-systems
This creates a snapshot of your production dependencies and alerts you when new vulnerabilities are disclosed.
Phase 4: Create Exception Workflow
Not every vulnerability requires immediate action. You need a documented process for risk acceptance.
Create a .snyk Policy File in Your Repository:
# .snyk policy file
version: v1.22.0
ignore:
'SNYK-JS-MINIMIST-559764':
- '*':
reason: 'Vulnerability in dev dependency only, not in production bundle'
expires: '2024-06-01T00:00:00.000Z'
created: '2024-03-15T00:00:00.000Z'
Every exception must have:
- A specific reason tied to your architecture
- An expiration date (maximum 90 days)
- Approval from your security team (track in your ticketing system)
Phase 5: Roll Out to All Payment-Related Repositories
Start with repositories that directly process payment data, then expand to:
- Authentication services
- Session management
- Any service that can access cardholder data environment
Use branch protection rules to enforce the scan:
Settings → Branches → Branch protection rules
☑ Require status checks to pass before merging
☑ Require branches to be up to date before merging
Required checks: security_scan
Validation - How to Verify It Works
Test 1: Introduce a Known Vulnerability
Add an old version of a package with a known CVE:
{
"dependencies": {
"lodash": "4.17.15" // Has CVE-2020-8203
}
}
Your scan should fail the build and report the specific CVE.
Test 2: Verify Pull Request Blocking
Create a PR with the vulnerable dependency. The PR should show a failed status check and block merging (if you configured branch protection).
Test 3: Check Monitoring Alerts
Wait 24 hours after running snyk monitor. Log into your SCA tool's dashboard and verify your application appears in the monitored projects list.
Test 4: Validate Exception Workflow
Add a .snyk policy file with an ignore rule. Re-run the scan. The previously-failing vulnerability should now pass with a note about the policy exception.
Maintenance and Ongoing Tasks
Weekly:
- Review new vulnerability alerts from your monitoring system
- Triage: exploit available? Direct or transitive dependency? Fix available?
- Create tickets for vulnerabilities requiring updates
Monthly:
- Audit your
.snykpolicy files for expired exceptions - Review false positive rate—if developers are ignoring scan results, your thresholds are wrong
- Update your SCA tool's vulnerability database (most update automatically)
Quarterly:
- Generate compliance reports from your SCA tool for PCI SSF audits
- Review your failure thresholds—adjust based on your team's capacity to remediate
- Train new developers on the security scan workflow
Before Every Audit:
- Export a list of all monitored projects
- Document your exception approval process
- Show evidence of remediation for high-severity findings (closed tickets, updated dependencies)
The PCI SSF doesn't just ask "do you scan dependencies?"—it asks "can you prove continuous monitoring?" Your CI/CD logs, monitoring dashboards, and remediation tickets are your evidence. Set up the automation now, and the compliance documentation writes itself.
