qa-sca

Adversarial prioritizer of multi-tool SCA findings (Snyk + OSV-Scanner + npm/pip/maven audit). Combines per-CVE signals - CVSS base score (severity), EPSS exploitability score (probability of exploitation), CISA KEV (Known Exploited Vulnerabilities catalog), and reachability heuristic (is the vulnerable function actually called?) - into a priority bucket: Fix-Now / Fix-This-Sprint / Fix-Backlog / Accept-Risk. Refuses to skip critical CVEs without justification. Refuses waivers without `expires:` + `approved_by:` + `reason:`. Use after any subset of the SCA scanners runs in CI.

Installs and runs bundler-audit against a Ruby Gemfile.lock, updating the ruby-advisory-db advisory corpus, scanning for vulnerable gem versions and insecure sources, suppressing false positives via .bundler-audit.yml with justification requirements, and gating CI on non-zero exit. Use when a Ruby project needs dedicated Gemfile.lock SCA beyond the single-ecosystem touch bundler-audit receives in npm-pip-maven-audit.

Configures and runs cargo-audit against the RustSec Advisory Database for Rust projects; covers `cargo audit` (vulnerability scan), `cargo audit fix` (automated dependency updates), `--deny unmaintained|unsound|yanked|warnings` exit-code control, `audit.toml` per-advisory suppression with mandatory `expires` + `reason`, SARIF output for GitHub Code Scanning upload, and `rustsec/audit-check` GitHub Actions integration. Use when the codebase has a Cargo.lock and needs Rust-specific SCA beyond what the multi-ecosystem npm-pip-maven-audit wrapper provides.

Reference for `.github/dependabot.yml` - GitHub-native dependency-update orchestrator. Required keys (`version: 2`, `updates[]` array) plus per-update fields (`package-ecosystem`, `directory` / `directories`, `schedule.interval`); common optional fields (`ignore`, `groups`, `allow`, `labels`, `milestone`, `open-pull-requests-limit`, `target-branch`, `vendor`, `versioning-strategy`, `assignees`, `commit-message`); auto-rebase + grouped-PR + security-only updates. Use when authoring or reviewing Dependabot configs in GitHub-hosted repos.

Configures and runs native package-manager audit commands across ecosystems - `npm audit --audit-level=high` (npm), `yarn npm audit` (Yarn 2+), `pnpm audit` (pnpm), `pip-audit` (Python via PyPA), `mvn dependency:check` (Maven via OWASP Dependency-Check plugin), `cargo audit` (Rust), `bundle audit` (Ruby Bundler); fastest no-install-required SCA option. Use when the team wants fast, no-extra-tooling SCA in CI as a first line of defense, or pairs with snyk/osv-scanner for layered coverage.

Configures and runs Google OSV-Scanner - open-source SCA against the OSV.dev vulnerability database; supports `osv-scanner scan -r ./` recursive scan + per-lockfile scan via `-L package-lock.json`; SBOM input (CycloneDX / SPDX) for non-standard package managers; `--format json|sarif|markdown|vertical|html` output; suppressions via `osv-scanner.toml` config. Use when the team needs OSS-native SCA without commercial-license overhead, or wants a second-opinion DB pair with Snyk's commercial DB.