CM-17: Vulnerability Detection Before Production Release
Vulnerability scanning or peer review of source code before production deployment with critical issue remediation
Control Description
Option 1: Scans are performed on in-scope application source code to detect potential vulnerabilities prior to the release of each change into the production environment. All critical items must be remediated prior to each change being moved into the production environment.
Option 2: A peer review is performed on each in-scope application source code change to detect potential vulnerabilities prior to migration into the production environment. Any critical issues identified as a result of the review must be resolved prior to the change being moved into the production environment.
Option 3: The version control system is configured to automatically scan in-scope application source code for vulnerabilities as source code is checked in to the library.
Plain Meaning
Before any code can be deployed to production, you must check it for security vulnerabilities. You can do this in three ways: 1) Use automated tools to scan the code for known security problems, 2) Have another developer review the code for security issues, or 3) Set up automatic scanning whenever code is committed to your repository. Any critical security problems found must be fixed before the code goes live.
Implementation

Comprehensive Vulnerability Detection Pipeline
Pre-commit Hooks with Biome Security Rules
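# lefthook.yml
#
# Local git hooks for the project. Two things a reviewer using this as CM-17
# evidence needs to know:
#   * These hooks run on the developer's machine only. `git commit --no-verify`
#     skips them, and a fresh clone has none until lefthook is installed, so the
#     same lint/build steps must also run in CI as a required status check
#     before a change can reach production.
#   * Formatters and auto-fixers modify files AFTER `git add`. The original
#     config re-staged them with a blanket `git add .`, which also silently
#     stages every unrelated or untracked file in the working tree (scratch
#     files, a local .env with secrets). `stage_fixed: true` re-stages only the
#     files the command itself changed (needs a lefthook version that supports
#     it - TODO confirm against the pinned version).
pre-commit:
  commands:
    format:
      run: pnpm format:fix
      stage_fixed: true
    lint:
      # assumed to still exit non-zero on errors it cannot auto-fix, which is
      # what actually blocks the commit - verify the lint:fix script does this
      run: pnpm lint:fix
      stage_fixed: true
commit-msg:
  parallel: true
  commands:
    commitlint:
      run: pnpm commitlint
    spell-check:
      # {1} is the path of the commit-message file lefthook passes to the hook.
      # NOTE(review): `pnpm dlx` fetches and runs cspell from the registry on
      # every commit; prefer a pinned devDependency (`pnpm exec cspell`) so the
      # hook does not execute an unpinned package.
      run: pnpm dlx cspell {1}
pre-push:
  commands:
    build:
      run: pnpm build
      fail_text: |
        The build process failed.
        To correct the commit, please run the following command:
        git reset --soft HEAD^
Biome Configuration with Security Rules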
// biome.json
{
"$schema": "https://biomejs.dev/schemas/1.5.3/schema.json",
"vcs": {
"enabled": true,
"clientKind": "git",
"useIgnoreFile": true
},
"files": {
"ignoreUnknown": false,
"ignore": [
"node_modules/**",
"dist/**",
"build/**",
".git/**"
]
},
"linter": {
"enabled": true,
"rules": {
"recommended": true,
"security": {
"noDangerouslySetInnerHtml": "error",
"noExplicitAny": "error",
"noInnerDeclarations": "error",
"noUnsafeOptionalChaining": "error",
"noUnsafeUnaryNegation": "error",
"useExhaustiveDependencies": "error",
"noUnusedImports": "error",
"noUnusedVariables": "error",
"noConsoleLog": "warn",
"noDebugger": "error",
"noAlert": "error",
"noEval": "error",
"noImpliedEval": "error",
"noNewFunc": "error",
"noObjCalls": "error",
"noScriptUrl": "error",
"noSelfCompare": "error",
"noUnmodifiedLoopCondition": "error",
"noUnreachable": "error",
"noUnsafeFinally": "error",
"noUnsafeNegation": "error",
"noUnusedLabels": "error",
"noUnusedPrivateClassMembers": "error",
"noVar": "error",
"preferConst": "error",
"useBlockStatements": "error",
"useShorthandArrayType": "error",
"useTemplate": "error"
},
"suspicious": {
"noArrayIndexKey": "error",
"noAssignInExpressions": "error",
"noAsyncPromiseExecutor": "error",
"noCatchAssign": "error",
"noClassAssign": "error",
"noCompareNegZero": "error",
"noCondAssign": "error",
"noConsoleError": "warn",
"noConstAssign": "error",
"noControlCharactersInRegex": "error",
"noDelete": "error",
"noDoubleEquals": "error",
"noDuplicateCase": "error",
"noDuplicateClassMembers": "error",
"noDuplicateEnumValues": "error",
"noDuplicateFunctionParams": "error",
"noDuplicateImportSource": "error",
"noDuplicateJsxProps": "error",
"noDuplicateObjectKeys": "error",
"noDuplicateParameters": "error",
"noEmptyInterface": "error",
"noExplicitAny": "error",
"noExtraBooleanCast": "error",
"noFunctionAssign": "error",
"noGlobalAssign": "error",
"noImportAssign": "error",
"noLabelVar": "error",
"noMisleadingCharacterClass": "error",
"noMultipleSpacesInRegularExpressionLiterals": "error",
"noParameterAssign": "error",
"noPrecisionLoss": "error",
"noRedundantUseFromImports": "error",
"noRestrictedGlobals": "error",
"noRestrictedImports": "error",
"noRestrictedSyntax": "error",
"noSetterReturn": "error",
"noShadowRestrictedNames": "error",
"noSparseArrays": "error",
"noStringCaseMismatch": "error",
"noSwitchDeclarations": "error",
"noUndeclaredVariables": "error",
"noUnsafeDeclarationMerging": "error",
"noUnsafeNegation": "error",
"noUnusedImports": "error",
"noUnusedPrivateClassMembers": "error",
"noUnusedVariables": "error",
"noVoid": "error",
"useExhaustiveDependencies": "error",
"useHookAtTopLevel": "error",
"useImportType": "error",
"useIsArray": "error",
"useJsonParse": "error",
"useNumberIsFinite": "error",
"useNumberIsInteger": "error",
"useNumberIsNaN": "error",
"useNumberParseFloat": "error",
"useNumberParseInt": "error",
"useOptionalChain": "error",
"useRegexLiterals": "error",
"useStringStartsWithEndsWith": "error",
"useStringTrim": "error",
"useValidAriaProps": "error",
"useValidAriaValues": "error",
"useValidAnchor": "error",
"useValidAnchorAttributes": "error",
"useValidAriaAttributes": "error",
"useValidAriaProps": "error",
"useValidAriaValues": "error",
"useValidButtonAttributes": "error",
"useValidFormAttributes": "error",
"useValidHeadingAttributes": "error",
"useValidHtmlAttributes": "error",
"useValidImgAttributes": "error",
"useValidInputAttributes": "error",
"useValidLinkAttributes": "error",
"useValidMediaAttributes": "error",
"useValidMetaAttributes": "error",
"useValidMimeType": "error",
"useValidTableAttributes": "error",
"useValidTextareaAttributes": "error"
},
"style": {
"noNonNullAssertion": "error",
"noParameterAssign": "error",
"noRestrictedGlobals": "error",
"noRestrictedImports": "error",
"noRestrictedSyntax": "error",
"noSetterReturn": "error",
"noShadowRestrictedNames": "error",
"noSparseArrays": "error",
"noStringCaseMismatch": "error",
"noSwitchDeclarations": "error",
"noUndeclaredVariables": "error",
"noUnsafeDeclarationMerging": "error",
"noUnsafeNegation": "error",
"noUnusedImports": "error",
"noUnusedPrivateClassMembers": "error",
"noUnusedVariables": "error",
"noVoid": "error",
"useExhaustiveDependencies": "error",
"useHookAtTopLevel": "error",
"useImportType": "error",
"useIsArray": "error",
"useJsonParse": "error",
"useNumberIsFinite": "error",
"useNumberIsInteger": "error",
"useNumberIsNaN": "error",
"useNumberParseFloat": "error",
"useNumberParseInt": "error",
"useOptionalChain": "error",
"useRegexLiterals": "error",
"useStringStartsWithEndsWith": "error",
"useStringTrim": "error"
}
}
},
"formatter": {
"enabled": true,
"indentStyle": "space",
"indentWidth": 2,
"lineWidth": 80
},
"javascript": {
"formatter": {
"quoteStyle": "single",
"trailingComma": "es5",
"semicolons": "always"
}
}
}
Security Rules That Block Commits
The Biome configuration is meant to make the lint step fail, and so block the commit, whenever code matches one of the rules below. Three caveats before treating this as CM-17 evidence: (1) client-side hooks are advisory — `git commit --no-verify` skips them and a fresh clone has none until lefthook is installed — so the same `biome check` must also run as a required status check in CI before the change can be deployed; (2) Biome reports unknown rule keys as configuration errors, and several names here are ESLint rules with no Biome equivalent under that name (`noEval`, `noImpliedEval`, `noNewFunc`, `noObjCalls`, `noScriptUrl`; Biome's eval rule is `noGlobalEval`), while `noExplicitAny` and `useExhaustiveDependencies` live in Biome's suspicious and correctness groups rather than `security` — validate the configuration against the rule reference for the pinned schema version before relying on it; (3) these are pattern-level lint rules with no taint tracking or dependency analysis, so injection, SSRF, path traversal and vulnerable packages are not detected — pair them with a SAST tool and a dependency audit (e.g. `pnpm audit`) in the pipeline to satisfy Option 1.
Critical Security Rules (Block Commit):
- `noDangerouslySetInnerHtml`: flags `dangerouslySetInnerHTML`, which injects a string as raw markup and is the main React XSS sink
- `noEval`: blocks `eval()`, which executes an arbitrary string as code
- `noImpliedEval`: blocks the implied eval of passing a string to `setTimeout`/`setInterval`
- `noNewFunc`: blocks the `Function` constructor, another string-to-code path
- `noScriptUrl`: blocks `javascript:` URLs, which run code when the link is followed
- `noUnsafeOptionalChaining`: flags an optional chain whose short-circuited `undefined` is immediately dereferenced or called, e.g. `(obj?.foo).bar` (a fully chained `obj?.foo?.bar` is fine and is not reported)
- `noUnsafeUnaryNegation`: blocks unsafe unary negation operations
High-Severity Security Rules (Block Commit):
- `noExplicitAny`: prevents use of the `any` type, which switches off type checking and can hide misuse of sensitive data
- `noInnerDeclarations`: blocks function declarations nested inside blocks, whose hoisting behaviour differs between environments
- `noUnsafeFinally`: blocks `return`/`throw`/`break` inside a `finally` block, which silently overrides the error being propagated
- `noUnsafeNegation`: blocks `!a in b` / `!a instanceof b`, which negate the operand instead of the test
- `useExhaustiveDependencies`: ensures every value a React hook reads is declared in its dependency array
Code Quality Rules (Warn/Block):
- `noConsoleLog`: warns about `console.log` in production code (a common way for tokens or PII to end up in logs)
- `noDebugger`: blocks `debugger` statements
- `noAlert`: blocks `alert()` usage
- `noUnusedImports`: prevents unused imports (dead code that still pulls a module into the bundle)
- `noUnusedVariables`: blocks unused variables, e.g. a validation result that is computed but never checked
Example: Code That Would Be Blocked
// ❌ This code would be blocked by Biome security rules
// Blocked by noDangerouslySetInnerHtml
function renderUserInput(userInput) {
  // `userInput` is inserted as raw markup with no sanitisation, so any
  // <script>/onerror payload in it runs in the viewer's browser (XSS).
  // Render it as text ({userInput}) or sanitise it before using __html.
  return <div dangerouslySetInnerHTML={{ __html: userInput }} />;
}
// Blocked by noEval
function executeDynamicCode(code) {
  // eval() runs `code` with the caller's privileges; if `code` comes from
  // user input or a network response this is remote code execution. There is
  // no safe way to sandbox it here - replace with an explicit dispatch table
  // or a parser for the expected input format.
  return eval(code); // Security risk!
}
// Blocked by noScriptUrl
function createLink(url) {
  // A javascript: URL executes the caller-supplied `url` string when the
  // link is clicked. Note that a plain href={url} is not safe either when
  // `url` is untrusted - allow-list the scheme (http/https) before rendering.
  return <a href={`javascript:${url}`}>Click me</a>;
}
// Blocked by noExplicitAny
function processData(data: any) {
  // `any` turns off type checking, so nothing verifies that `data` has a
  // sensitiveField or what it contains. Prefer `unknown` plus a runtime
  // check (or a schema validator) before reading fields off external data.
  return data.sensitiveField; // Type safety lost
}
// Blocked by noUnsafeOptionalChaining
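function accessProperty(obj) {
  // `obj?.api` short-circuits to undefined when `obj` is nullish, but the
  // parentheses end the optional chain, so `.method` is then read from
  // undefined and throws a TypeError. That is the pattern the rule reports.
  // The previous example, `obj?.deeply?.nested?.property?.method()`, is a
  // fully chained expression that evaluates to undefined instead of
  // throwing and is NOT flagged by noUnsafeOptionalChaining.
  return (obj?.api).method(); // Unsafe: chain broken by the parentheses
}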
// Blocked by useExhaustiveDependencies
function useUserData(userId) {
  const [user, setUser] = useState(null);
  useEffect(() => {
    // `userId` is read inside the effect but absent from the dependency
    // array, so a changed userId never re-fetches and the hook keeps showing
    // data fetched for the previous id. This is a React correctness rule
    // rather than a security rule, but stale per-user data is worth blocking.
    fetchUser(userId); // Missing userId in dependency array
  }, []); // This would be flagged
}
Pre-commit Hook Setup
# Install pre-commit
# NOTE(review): this page already configures hooks with lefthook (lefthook.yml
# above). The Python `pre-commit` framework is a second, unrelated hook manager
# and both write .git/hooks/pre-commit - pick one. If pre-commit is kept it also
# needs a .pre-commit-config.yaml (not shown here) that invokes biome, or the
# installed hook has nothing to run.
pip install pre-commit
# Install Biome
# NOTE(review): the rest of the page uses pnpm; `npm install` here creates a
# package-lock.json next to pnpm-lock.yaml. Pin the Biome version in the
# lockfile so the hook and CI run the same release as the biome.json schema.
npm install --save-dev @biomejs/biome
# Install pre-commit hooks
pre-commit install
# Run all hooks manually
pre-commit run --all-files
Git Hooks Integration
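#!/bin/sh
# .git/hooks/pre-commit
#
# Fails the commit when Biome reports an error. Notes for reviewers:
#   * .git/hooks is not versioned and `git commit --no-verify` skips it, so
#     this is a developer convenience, not the control: the same check must
#     run as a required CI status check before production deployment.
#   * The check is read-only. The previous `--apply-unsafe` rewrote files in
#     the working tree AFTER they were staged (so the committed content was not
#     what had been checked), and "unsafe" fixes may change program behaviour.
#   * Biome is run from the project's pinned devDependency via `pnpm exec`
#     instead of `npx @biomejs/biome`, which may fetch an unpinned release at
#     commit time when the package is not already installed. If Biome is
#     missing, `pnpm exec` exits non-zero and the commit is blocked (fail closed).
echo "Running Biome security checks..."
# Run Biome with security rules (read-only; any error fails the commit)
if ! pnpm exec biome check; then
  echo "❌ Biome security checks failed. Please fix the issues before committing."
  exit 1
fi
echo "✅ Biome security checks passed."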
exit 0
Related Links
Official Documentation
Security Guides
Implementation Resources
Tools and Automation
CM-16: Monthly Production Change Review
Monthly review of production environment changes by information security team to verify authorization and separation of duties
CM-18: Version Control and Source Code Access Management
Version control software for source code management with restricted access based on job function