Vulnerability management
Beakr runs continuous automated security scanning across every layer of the stack — from application code to dependencies to infrastructure — with defined triage SLAs and annual penetration testing.
Automated scanning
Security scanning is built into the CI/CD pipeline and runs on every code change, supplemented by scheduled dependency monitoring and continuous runtime protection in AWS:
| Scanner | What it checks | When it runs |
|---|---|---|
| Semgrep (SAST) | Static application security testing with security-audit rulesets. Fails the build on high-severity findings. | Every push and pull request |
| TruffleHog | Scans full commit history for leaked credentials, API keys, and secrets. | Every pull request |
| GitHub Dependabot | Monitors all Python packages and GitHub Actions for known vulnerabilities (CVEs). Automatically opens pull requests to remediate. | Weekly |
| AWS GuardDuty | Runtime threat detection including malware protection (EBS volume scanning) and ECS Fargate runtime monitoring. | Continuous |
| AWS WAF | OWASP Top 10, SQL injection, Log4j, and known bad input patterns blocked at the edge. | Continuous |
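As an added illustration, not Beakr's own pipeline configuration (which this page does not publish), the three CI/CD rows of the table map onto a GitHub Actions workflow plus a Dependabot configuration like the following. The workflow name, job names and file paths are assumptions; the triggers, the full-history checkout and the fail-the-build flags are the ones the respective tools document. Semgrep has no "high" severity level, so the gate below uses its most severe level, ERROR, on the assumption that this is what the table means.

```yaml
# .github/workflows/security.yml  (illustrative; names are assumptions)
name: security-scanning

on:
  push:
  pull_request:

permissions:
  contents: read

jobs:
  semgrep:
    # Table row "Semgrep (SAST)": every push and pull request.
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      # p/security-audit is Semgrep's public security-audit ruleset.
      # --severity ERROR keeps only rules at Semgrep's highest level;
      # --error makes the step exit non-zero (failing the build) when
      # any such finding is reported.
      - run: semgrep scan --config p/security-audit --severity ERROR --error

  trufflehog:
    # Table row "TruffleHog": pull requests only.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # fetch-depth: 0 fetches the full history. Without it the scan
          # sees only the shallow clone's tip, so a key that was committed
          # and later deleted would be missed.
          fetch-depth: 0
      - uses: trufflesecurity/trufflehog@main
        with:
          # No base/head given, so the whole history is scanned. Report only
          # secrets that verified against the issuing service or could not be
          # checked; rejected (dead) credentials do not trip the gate.
          extra_args: --results=verified,unknown

---
# .github/dependabot.yml
# Table row "GitHub Dependabot": Python packages and GitHub Actions, weekly.
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

The two things practitioners most often get wrong here are the shallow checkout (TruffleHog then scans one commit, not the history the table promises) and forgetting the `--error` flag, which leaves Semgrep reporting findings without ever failing the build.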
Vulnerability triage SLAs
When a vulnerability is identified — whether through automated scanning, GitHub security advisories, CVE database monitoring, AWS security bulletins, or penetration testing — it is triaged by severity and remediated on a defined schedule:
| Severity | Remediation timeline |
|---|---|
| Critical | 24–48 hours |
| High | 7 days |
| Medium | 30 days |
| Low | 90 days |
Vulnerability identification
New vulnerabilities are identified through multiple channels:
- Automated scanning in the CI/CD pipeline (Semgrep, TruffleHog)
- GitHub security advisories for dependencies
- CVE database monitoring
- AWS security bulletins
- Findings from penetration tests
Penetration testing
Penetration testing is conducted on an annual basis by a qualified third party against the external attack surface of the application. Findings are documented, triaged by severity, and remediated according to the triage SLAs above.
For details on our most recent penetration test or vulnerability management procedures, contact security@thebeakr.com.