## Quarterly Dependency & Governance Audit

### Base Images
- [ ] Verify the `ubuntu:24.04` build stack is on the latest patch release
- [ ] Verify the `gcr.io/distroless/cc:nonroot` run stack digest is current (pinned by digest, not by tag)
- [ ] Check for upstream distroless CVE advisories

### Buildpacks & Lifecycle
- [ ] Review Paketo Java buildpack release notes
- [ ] Review CNB lifecycle release notes
- [ ] Validate that the versions in `builder.toml` are current

### GitHub Actions
- [ ] Audit all SHA-pinned actions against their latest releases
- [ ] Review the Dependabot / Renovate PR backlog

### Supply Chain
- [ ] Review OSSF Scorecard results
- [ ] Check Trivy scan history for recurring findings
- [ ] Verify SBOM generation is operational

### Samples
- [ ] Confirm the Spring Boot version is current
- [ ] Confirm the JDK version aligns with project policy

---
_Auto-generated by Dependency Policy Review workflow on 2026-07-01_
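The "pinned action SHAs" and "run stack digest" items above are the two checks that are easiest to automate. The script below is an added example written for this checklist; it is not part of the project or of the Dependency Policy Review workflow that generated this issue. It scans a GitHub Actions workflow for `uses:` references that are not pinned to a full 40-hex commit SHA (tags such as `@v4` and branches such as `@main` can be moved by the action owner) and scans a `builder.toml` for stack images that are not pinned to an immutable `@sha256:` digest (a tag such as `:nonroot` is re-pointed every time upstream rebuilds). The workflow, `builder.toml`, SHA and digest values are constructed samples, not real references; the `build-image`/`run-image` keys are assumed to sit under `[stack]` as in a typical CNB builder definition. Only the standard library is used, so it runs offline; confirming that a pinned SHA is still the latest release (the other half of the audit item) still needs a network lookup and is left to Dependabot/Renovate.

```python
"""Pin-audit helper (example code, not the project's own tooling).

Flags mutable references that the quarterly audit looks for:
  * `uses:` entries in a GitHub Actions workflow not pinned to a 40-hex commit SHA;
  * `docker://` actions and builder.toml stack images not pinned to a @sha256: digest.
"""
import re

SHA_PIN = re.compile(r"@([0-9a-f]{40})$")
DIGEST_PIN = re.compile(r"@sha256:[0-9a-f]{64}$")
# Matches `- uses: owner/repo@ref  # optional comment` (quotes optional).
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(#.*)?$")
# Matches `build-image = "..."` / `run-image = "..."` in builder.toml (assumed [stack] keys).
IMAGE_LINE = re.compile(r"^\s*(build-image|run-image)\s*=\s*['\"]([^'\"]+)['\"]")


def audit_actions(workflow_text: str) -> list[dict]:
    """Return one finding per `uses:` reference that is not immutably pinned.

    Local actions (./path) are skipped: they are versioned with the repository.
    A SHA pin without a trailing `# vX.Y.Z` comment is reported as a warning,
    because Dependabot and Renovate rely on that comment to map the SHA to a release.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if not DIGEST_PIN.search(ref):
                findings.append({"line": lineno, "ref": ref, "severity": "fail",
                                 "reason": "container action not pinned to a @sha256: digest"})
        elif not SHA_PIN.search(ref):
            findings.append({"line": lineno, "ref": ref, "severity": "fail",
                             "reason": "not pinned to a 40-hex commit SHA"})
        elif not comment:
            findings.append({"line": lineno, "ref": ref, "severity": "warn",
                             "reason": "SHA pin lacks a '# vX.Y.Z' version comment"})
    return findings


def audit_images(builder_toml_text: str) -> list[dict]:
    """Return one finding per stack image in builder.toml that lacks a @sha256: digest."""
    findings = []
    for lineno, line in enumerate(builder_toml_text.splitlines(), 1):
        m = IMAGE_LINE.match(line)
        if m and not DIGEST_PIN.search(m.group(2)):
            findings.append({"line": lineno, "key": m.group(1), "ref": m.group(2),
                             "severity": "fail",
                             "reason": "image not pinned to an immutable digest"})
    return findings


def audit_passes(workflow_text: str, builder_toml_text: str) -> bool:
    """True only when no 'fail' findings remain; warnings do not block."""
    all_findings = audit_actions(workflow_text) + audit_images(builder_toml_text)
    return not any(f["severity"] == "fail" for f in all_findings)


# Constructed sample inputs. The SHA and digest are synthetic placeholders,
# not real commits or image digests.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: ./.github/actions/setup
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567
      - uses: actions/cache@v4
      - uses: docker/login-action@main
      - uses: docker://alpine:3.20
"""

SAMPLE_BUILDER_TOML = """\
[stack]
id = "io.buildpacks.stacks.noble"
build-image = "ubuntu:24.04"
run-image = "gcr.io/distroless/cc:nonroot@sha256:0000000000000000000000000000000000000000000000000000000000000000"
"""

if __name__ == "__main__":
    for f in audit_actions(SAMPLE_WORKFLOW) + audit_images(SAMPLE_BUILDER_TOML):
        print(f"{f['severity'].upper():4} line {f['line']}: {f['ref']} ({f['reason']})")
    print("PASS" if audit_passes(SAMPLE_WORKFLOW, SAMPLE_BUILDER_TOML) else "FAIL")
```

Run against the samples it reports the tag-pinned `actions/cache@v4`, the branch-pinned `docker/login-action@main`, the undigested `docker://alpine:3.20` and the tag-only `ubuntu:24.04` build image as failures, and the comment-less `actions/setup-java` pin as a warning. Wiring it into CI as a blocking step keeps the audit from regressing between quarters; the version comment on each SHA pin is what lets Dependabot or Renovate open the upgrade PRs reviewed under "GitHub Actions" above.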