ISO 27001 A.8.8 · npm audit · Vulnerabilities

ISO A.8.8 vulnerability management, running inside your repository.

Control A.8.8 requires technical vulnerability management. Exponencial's skill runs npm audit, reconciles risks and records dated evidence in the compliance platform.

01 Search intent

The problem is not only finding CVEs. It is proving the cycle.

Auditors and customers want process: detection, prioritization, treatment, acceptance and evidence. A loose npm audit report helps less if it never becomes a traceable ISMS record.

  • High or critical vulnerability becomes technical risk.
  • Resolved vulnerability closes a risk with dated evidence.
  • Low and moderate findings contribute to monitoring history.
  • Execution is associated with the right project and organization.

02 What we deliver

No dependency changes

The agent is read-only in the repository: it runs npm audit and reports the result to compliance. It does not run npm install or fix code by itself.

Risk with context

Package, severity, project, date and origin enter the risk register for treatment, acceptance or mitigation decisions.

Trial-friendly

On first run, the agent creates a trial organization with the owner's email. Existing clients use the connection and approval flow.

03 Workflow

From intent to evidence.

  1. 01

    Run npx @exponencial/iso-remediacao

    Execute inside a project with package.json and package-lock.json. The agent identifies the owner from the Git email.

  2. 02

    Review what was detected

    High and critical findings become risks; low and moderate findings support monitoring evidence; resolved findings close existing issues.

  3. 03

    Track it in the panel

    Sign in to /adm with the same email and see the A.8.8 control, risks and events generated by the run.

  4. 04

    Schedule recurrence

    For active clients, the same agent can run in CI, cron or agent routines to keep evidence alive.

04 Practical proof

What makes it different from a normal report.

The value is connecting technical output to the right ISO control and decision flow. Evidence stops being a forgotten file and becomes ISMS history.

  • Related control: ISO/IEC 27001:2022 Annex A.8.8.
  • Technical source: npm audit --json.
  • Destination: risks, events and evidence in the Exponencial panel.

05 FAQ

Direct answers before the conversation.

Do I need to be a client to run it?

No. A run without signup creates a trial organization. To connect to an existing account, use --connect and approve the agent in the panel.

Does the agent send project secrets?

No by design. It uses npm audit output and project metadata; it does not need to read .env files, private keys or repository credentials.

Does it work outside npm?

This first skill focuses on npm because it provides a clear entry point. The same model can be extended to other ecosystems and controls.