Vulnerability Scan

Purpose

This document provides evidence of periodic vulnerability scanning across Onramp's production repositories. It captures findings from the most recent scans, highlights identified vulnerable assets, and demonstrates adherence to security controls for audit purposes.

Ownership

Responsible Team: Engineering
Primary Owner: VP of Engineering - Jacob Ditslear
Secondary Owner: Staff Engineer - Kevin Mulcrone
Reviewer: Chief Operating Officer - Nick Delozier

Frequency & History

Vulnerability scans should be conducted at least quarterly. This document should be updated after each scan cycle.

Version History

Date       | Reviewer | Summary of Changes
YYYY-MM-DD | NAME     | Initial creation

Scan Scope

Repository | Description | Scan Tool(s)                                      | Scan Frequency
onramp     |             | (e.g. Snyk, Dependabot, GitHub Advanced Security) | Quarterly
trunk      |             | (e.g. Snyk, Dependabot, GitHub Advanced Security) | Quarterly

Onramp Repository

Most Recent Scan

Field           | Details
Scan date       | YYYY-MM-DD
Tool / platform |
Branch scanned  |
Scan type       | (e.g. dependency, SAST, container, infrastructure)
Total findings  |
Critical / High |
Medium / Low    |

Evidence Collection Instructions

  1. Navigate to the vulnerability scanning dashboard for the onramp repository
  2. Capture a screenshot of the most recent scan results
  3. The screenshot should include:
     - Scan date and repository name
     - Summary of findings by severity (critical, high, medium, low)
     - List of identified vulnerable assets or dependencies
     - Remediation status where visible
  4. Be sure the date is visible in the screenshot (top-right of the macOS menu bar)

Evidence

Screenshot 1 — Scan Summary

Description: Replace with a brief description (e.g. "Snyk scan results for onramp repository showing 0 critical vulnerabilities")

Onramp Scan Summary Captured on YYYY-MM-DD — Description of what the screenshot shows.

Screenshot 2 — Findings Detail (if applicable)

Description: Replace with a brief description (e.g. "Detailed view of medium-severity findings in onramp dependencies")

Onramp Scan Detail Captured on YYYY-MM-DD — Description of what the screenshot shows.

Findings Summary

Vulnerability / CVE | Severity | Affected Asset | Status (Open / Mitigated / Accepted) | Remediation Target

Trunk Repository

Most Recent Scan

Field           | Details
Scan date       | YYYY-MM-DD
Tool / platform |
Branch scanned  |
Scan type       | (e.g. dependency, SAST, container, infrastructure)
Total findings  |
Critical / High |
Medium / Low    |

Evidence Collection Instructions

  1. Navigate to the vulnerability scanning dashboard for the trunk repository
  2. Capture a screenshot of the most recent scan results
  3. The screenshot should include:
     - Scan date and repository name
     - Summary of findings by severity (critical, high, medium, low)
     - List of identified vulnerable assets or dependencies
     - Remediation status where visible
  4. Be sure the date is visible in the screenshot (top-right of the macOS menu bar)

Evidence

Screenshot 1 — Scan Summary

Description: Replace with a brief description (e.g. "Snyk scan results for trunk repository showing 2 medium vulnerabilities")

Trunk Scan Summary Captured on YYYY-MM-DD — Description of what the screenshot shows.

Screenshot 2 — Findings Detail (if applicable)

Description: Replace with a brief description (e.g. "Detailed view of findings in trunk dependencies")

Trunk Scan Detail Captured on YYYY-MM-DD — Description of what the screenshot shows.

Findings Summary

Vulnerability / CVE | Severity | Affected Asset | Status (Open / Mitigated / Accepted) | Remediation Target

Compliance Summary

Repository | Last Scan Date | Critical / High Open | Medium / Low Open | Overall Status
onramp     | YYYY-MM-DD     |                      |                   | Compliant / Partially Compliant / Non-Compliant
trunk      | YYYY-MM-DD     |                      |                   | Compliant / Partially Compliant / Non-Compliant

Overall Assessment

Provide an overall compliance status (Compliant / Partially Compliant / Non-Compliant) and a brief narrative summarizing the vulnerability posture across both repositories. Note any open critical/high findings and their remediation timelines.

Sign-Off

Role            | Name | Date | Signature
Primary Owner   |      |      |
Secondary Owner |      |      |
Reviewer        |      |      |