Are you auditing your dependencies? With the EU Cyber Resilience Act, shift-left security tools, and mandatory OSS auditing, the answer better be yes.
Introduction
The way we think about security is broken.
For decades, we've treated security as a layer — something you add on top of your application. Firewalls, WAFs, runtime protection. But in 2025-2026, the threat landscape has shifted. The enemy isn't at the gate anymore. It's inside the gate — in the open source dependencies you pull in without thinking.
The numbers are staggering:
96% of codebases contain open source components (OSSRA 2025-2026)
86% contain vulnerable open source
68% have license conflicts
Mean vulnerabilities per codebase jumped 107% year-over-year
And now, the regulators are watching. The EU Cyber Resilience Act (CRA) entered into force on December 10, 2024. Shift-left security tools like OPA and Trivy are no longer optional. OSS auditing is mandatory.
This isn't a security problem. It's a supply chain problem.
1. The EU Cyber Resilience Act: Regulatory Wake-Up Call
The EU Cyber Resilience Act (CRA) is the most significant piece of cybersecurity legislation since GDPR. And it's specifically designed to address the open source supply chain crisis.
Key Requirements of the CRA
Scope: All products with digital elements placed on the EU market
Core Obligations:
Secure-by-design engineering — Security built into development, not bolted on
Vulnerability handling — Document and patch known vulnerabilities
SBOM (Software Bill of Materials) — Maintain a complete inventory of all components
Incident reporting — Report active exploits within 24-72 hours
Support timelines — Define and publish security support periods
Why This Matters:
The CRA has extraterritorial reach. Any company selling software or hardware to EU customers must comply — regardless of where they're based. Non-compliance means market access denial.
2. The Shift-Left Revolution: OPA + Trivy
Traditional security happens at deployment. Shift-left moves it to development — and the tools have matured.
Trivy: Vulnerability Scanning at Scale
Trivy (by Aqua Security) is now the de facto standard for container and dependency vulnerability scanning.
Scans container images, filesystems, and Git repositories
Detects CVEs, misconfigurations, secrets, and license issues
Integrates into CI/CD pipelines — scan on every pull request
Generates SBOMs automatically
# GitHub Action example: scan the checked-out repository on every pull request
- name: Run Trivy
  uses: aquasecurity/trivy-action@main
  with:
    scan-type: 'fs'          # filesystem scan of the working tree
    vuln-type: 'os,library'  # the action's input is named vuln-type, not vulnerability-type
OPA: Policy as Code
The Open Policy Agent (OPA) lets you codify security policies and enforce them everywhere:
Kubernetes admission control — Block deployments that violate policies
CI/CD gatekeeping — Fail builds that don't meet security standards
API authorization — Decouple policy from application code
Combined with Trivy, you get:
"Scan every artifact automatically. Quarantine packages that violate policies. All without manual intervention."
This is shift-left security in practice — finding vulnerabilities before they reach production.
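Here is the gate that section describes, as an added example rather than code from the original post or from the Trivy or OPA projects: a Rego policy in OPA 1.0 syntax that OPA evaluates against the JSON report Trivy writes with `trivy fs --format json --output trivy.json .`. It fails the build on CRITICAL or HIGH findings that already have a fixed version and lists the remaining blocking-severity findings as warnings. The package name `ci.trivy`, the severity set and the report embedded in the test rule are assumptions constructed for the example. The same policy covers steps B and C of the framework in section 5.

```rego
package ci.trivy

import rego.v1

# Severities that fail the build; anything lower is reported but does not block.
# This set is an assumption for the example; tune it per product.
blocking_severities := {"CRITICAL", "HIGH"}

default allow := false

# A finding has a fix when Trivy reports a FixedVersion. Trivy may omit the
# field when no upstream fix exists, which leaves the comparison undefined;
# either way the rule is not satisfied and `not has_fix(vuln)` holds.
has_fix(vuln) if vuln.FixedVersion != ""

# Blocking severity with a fix available: fail the build, because the remedy
# is a version bump the team can make today.
deny contains msg if {
	some result in input.Results
	some vuln in result.Vulnerabilities
	vuln.Severity in blocking_severities
	has_fix(vuln)
	msg := sprintf("%s: %s %s has %s %s, fixed in %s", [result.Target, vuln.PkgName, vuln.InstalledVersion, vuln.Severity, vuln.VulnerabilityID, vuln.FixedVersion])
}

# Blocking severity with no fix yet: surface as a warning so it lands on the
# risk register instead of turning the pipeline permanently red.
warn contains msg if {
	some result in input.Results
	some vuln in result.Vulnerabilities
	vuln.Severity in blocking_severities
	not has_fix(vuln)
	msg := sprintf("%s: %s %s has %s %s, no fix available", [result.Target, vuln.PkgName, vuln.InstalledVersion, vuln.Severity, vuln.VulnerabilityID])
}

allow if count(deny) == 0

# Constructed Trivy report for `opa test`; package names and CVE ids are placeholders.
test_gate if {
	report := {"Results": [{
		"Target": "package-lock.json",
		"Vulnerabilities": [
			{"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-a", "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
			{"VulnerabilityID": "CVE-0000-0002", "PkgName": "example-b", "InstalledVersion": "2.3.0", "Severity": "HIGH"},
			{"VulnerabilityID": "CVE-0000-0003", "PkgName": "example-c", "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1", "Severity": "LOW"}
		]
	}]}
	count(deny) == 1 with input as report
	count(warn) == 1 with input as report
	not allow with input as report
}
```

`opa test policy.rego` runs the embedded test. In the pipeline, `opa eval --fail-defined -i trivy.json -d policy.rego 'data.ci.trivy.deny[x]'` exits non-zero as soon as one deny message exists, which is what fails the pull request. The field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are those of Trivy's JSON output. Splitting fixable from unfixable findings is the design choice worth copying: a gate that fails on findings nobody can act on gets disabled within a week.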
3. OSS Auditing Is Now Mandatory
The old approach: "We use open source, but it's maintained by the community."
The new reality: You are responsible for what you ship.
The OSSRA Data
The 2025-2026 Black Duck OSSRA report reveals:
| Statistic                                  | Value  |
|--------------------------------------------|--------|
| Codebases using open source                | 96-98% |
| Codebases with vulnerable components       | 86%    |
| Codebases with high-risk vulnerabilities   | 81%    |
| Codebases with license conflicts           | 68%    |
| Vulnerabilities per codebase (YoY growth)  | +107%  |
What This Means for CTOs
Every dependency you import is:
Code you didn't write — but you're liable for
Code with unknown history — who maintains it?
Code that can be compromised — Supply chain attacks are rising
You can't secure what you don't know exists. This is why SBOMs (Software Bill of Materials) are no longer optional — they're a compliance requirement under the CRA.
4. The Supply Chain Problem
Here's the uncomfortable truth: Modern software is assembled, not built.
A typical web application might include:
100+ npm packages
50+ Python dependencies
20+ Docker base layers
10+ CI/CD pipeline tools
Each of these is a potential attack vector. One compromised dependency can cascade across your entire stack.
Real-World Examples
Log4Shell (2021) — RCE in Log4j, affecting millions of Java applications
SolarWinds (2020) — Compromised update mechanism affected 18,000+ organizations
Colors.js / Faker.js (2022) — Maintainer deliberately sabotaged popular npm packages
These aren't hypotheticals. They're happening now.
5. The Fix: Supply Chain Security Framework
Here's what organizations need to do:
A. Inventory Everything
Generate an SBOM for every application
Use tools like Trivy or Syft, emitting a standard format such as SPDX
Store SBOMs alongside your artifacts
B. Scan Continuously
Integrate vulnerability scanning into CI/CD
Fail builds with critical CVEs
Use Trivy for container and dependency scanning
C. Enforce Policies with OPA
Define security policies as code
Enforce in Kubernetes admission controllers
Block non-compliant deployments automatically
D. Monitor for New Vulnerabilities
Subscribe to vulnerability feeds (GitHub Advisory Database, NVD)
Set up automated alerts for critical CVEs in your dependencies
Have a patch SLA (e.g., critical: 24 hours, high: 7 days)
E. Audit Your Supply Chain
Review open source dependencies regularly
Check for maintainer activity — is the package still maintained?
Evaluate license compliance — GPL in proprietary products?
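The inventory (step A) and audit (step E) steps can be enforced with the same policy-as-code mechanism. As an added example that is not part of the original post, the Rego policy below (OPA 1.0 syntax) is evaluated over a CycloneDX JSON SBOM of the kind `trivy sbom --format cyclonedx` or Syft produce: it denies components whose declared license falls in a strong-copyleft set and flags components that declare no license at all, since an unknown license cannot be cleared. The package name `sbom.licenses`, the copyleft set and the three components in the test rule are assumptions for the example; which licenses are acceptable is a decision for the product's legal review, not the policy's.

```rego
package sbom.licenses

import rego.v1

default allow := false

# SPDX identifiers this hypothetical proprietary product cannot ship with.
copyleft := {
	"GPL-2.0-only", "GPL-2.0-or-later",
	"GPL-3.0-only", "GPL-3.0-or-later",
	"AGPL-3.0-only", "AGPL-3.0-or-later"
}

# A CycloneDX `licenses` entry carries either a `license` object (SPDX `id`
# or free-text `name`) or an SPDX `expression`. Expressions are split on
# OR/AND so each member is checked on its own; an OR offers a choice, and
# this policy is deliberately conservative: it flags the copyleft branch for
# review rather than assuming the permissive option was taken.
entry_ids(entry) := {entry.license.id} if entry.license.id

entry_ids(entry) := {entry.license.name} if {
	not entry.license.id
	entry.license.name
}

entry_ids(entry) := {id | some id in regex.split(`\s+(?:OR|AND)\s+`, entry.expression)} if {
	not entry.license
	entry.expression
}

# All license identifiers declared for one component, parentheses stripped.
licenses_of(component) := {id |
	some entry in object.get(component, "licenses", [])
	some raw in entry_ids(entry)
	id := trim(raw, "()")
}

deny contains msg if {
	some component in input.components
	some id in licenses_of(component)
	id in copyleft
	msg := sprintf("%s@%s: %s is not cleared for proprietary distribution", [component.name, object.get(component, "version", "?"), id])
}

# No license data at all is a finding too: it cannot be cleared either way.
deny contains msg if {
	some component in input.components
	count(licenses_of(component)) == 0
	msg := sprintf("%s@%s: no license declared, review before release", [component.name, object.get(component, "version", "?")])
}

allow if count(deny) == 0

# Inventory size; a sudden drop usually means a truncated or misconfigured SBOM.
component_count := count(input.components)

# Constructed SBOM fragment for `opa test`, not a real project's inventory.
test_license_policy if {
	sbom := {"components": [
		{"name": "example-ui-kit", "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
		{"name": "example-shell-lib", "version": "8.2", "licenses": [{"expression": "(MIT OR GPL-3.0-or-later)"}]},
		{"name": "example-mystery", "version": "0.1.0"}
	]}
	denied := deny with input as sbom
	count(denied) == 2
	not allow with input as sbom
	component_count == 3 with input as sbom
}
```

`opa test policy.rego` runs the embedded test; in CI, `opa eval --fail-defined -i sbom.cdx.json -d policy.rego 'data.sbom.licenses.deny[x]'` turns any license finding into a failed build. Storing the SBOM next to the artifact it describes (step A) is what makes this check repeatable later, when a regulator or customer asks what shipped in a given release.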
Conclusion: Security as Supply Chain, Not Layer
The era of "add a firewall" security is over.
The EU Cyber Resilience Act will punish companies that don't know what's in their code. The tools exist — Trivy, OPA, SBOMs — to make supply chain security practical.
The question isn't "do we need security?"
The question is: do you know what's in your dependencies?
Because the attackers already do.
Sources
EU Cyber Resilience Act Official Page: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act
OpenSSF CRA Resources: https://openssf.org/public-policy/eu-cyber-resilience-act/
CNCF Blog: Enforcing Artifact Security with Trivy and OPA: https://www.cncf.io/blog/2025/05/01/enforcing-artifact-security-with-trivy-and-opa/
Black Duck OSSRA 2025-2026 Report: https://www.blackduck.com/resources/reports/ossra/
OpenSSF & Linux Foundation CRA Course: https://www.openssf.org/blog/2025/04/29/openssf-launches-free-course-to-prepare-developers-for-the-eu-cyber-resilience-act/
