Your CI Has Keys to Prod and Pulls Unpinned Deps
CI pulls unpinned dependencies, runs them, and holds prod credentials. A teammate says to just add a vulnerability scanner. Defend a real hardening plan.
the decision you defend
Your CI pipeline pulls dependencies on every build, runs their code, and holds long-lived credentials with broad access to production. A teammate says: just add a vulnerability scanner and we are secure. Is that enough, and what would you actually do?
the situation
You review your CI/CD setup. Every build resolves dependencies fresh and runs their install scripts, and the pipeline holds a long-lived credential with broad permissions to deploy to production.
context
The team has had no security incident yet. A teammate, asked about supply-chain risk, says the fix is simple: add a dependency vulnerability scanner to the pipeline and you are covered.
How this challenge works
Take a position on the decision above and defend it. A senior-engineer AI will push back for up to 5 rounds. When you are done, you are scored against a verified rubric so you can see exactly what a complete answer covers; these are learning prompts, not gotchas.