Quarterly Dependency & Governance Review – 2026-07-01 #38

Description

@github-actions

Quarterly Dependency & Governance Audit

Base Images

  • Verify ubuntu:24.04 build stack is on latest patch
  • Verify gcr.io/distroless/cc:nonroot run stack digest
  • Check for upstream distroless CVE advisories

Buildpacks & Lifecycle

  • Review Paketo Java buildpack release notes
  • Review CNB lifecycle release notes
  • Validate builder.toml versions are current

GitHub Actions

  • Audit all pinned action SHAs against latest releases
  • Review Dependabot / Renovate PR backlog

Supply Chain

  • Review OSSF Scorecard results
  • Check Trivy scan history for recurring findings
  • Verify SBOM generation is operational

Samples

  • Confirm Spring Boot version is current
  • Confirm JDK version aligns with project policy

Auto-generated by Dependency Policy Review workflow on 2026-07-01
