# Gate 02 — Supply chain

**State at `v1.1.0`: 🟡 FAIL** until the 30 open alerts are triaged (low-risk: most are dev/test-only and pre-cutover).

## Required items

| Item                                                                                     | Required | State                                                                            |
| ---------------------------------------------------------------------------------------- | -------- | -------------------------------------------------------------------------------- |
| Dependabot active for pip, npm, Docker, Actions                                          | yes      | ✅ PASS                                                                           |
| Weekly cadence on runtime ecosystems                                                     | yes      | ✅ PASS — Europe/Zurich Monday 06:00                                              |
| `dependency-audit` job: `pip-audit --strict` + `npm audit --audit-level=high --omit=dev` | yes      | ✅ PASS                                                                           |
| Group minor/patch PRs to reduce noise                                                    | yes      | ✅ PASS                                                                           |
| Open alert triage SLA defined                                                            | partial  | 🟡 **FAIL** — 30 Dependabot alerts currently open; triage scheduled in next task |

## Triage SLA (target)

| Severity | Time to triage | Time to patch                                 |
| -------- | -------------- | --------------------------------------------- |
| Critical | 1 BD           | per Vulnerability Response §7 of DEV_PROCESS  |
| High     | 5 BD           | per §7                                        |
| Medium   | 30 d           | per §7                                        |
| Low      | 90 d           | per §7                                        |

## Closing plan

1. Owner runs `gh api /repos/NKAP360-dev/edge-app/dependabot/alerts --paginate | jq '.[].number'`.
2. For each alert: triage severity against the SLA above, then either dismiss it as fixed / won't-fix with a note, or open a `fix/dep-<id>` branch.
3. Update this page to ✅ once the open count is 0 and the triage SLA above is signed off in DEV_PROCESS.
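The script below is an added worked example for steps 1 and 2 (it is not part of the `edge-app` tooling). It takes the JSON array that `gh api /repos/NKAP360-dev/edge-app/dependabot/alerts --paginate` returns, drops alerts that are not `open`, applies the time-to-triage column of the SLA table to each one (business days for Critical/High, calendar days for Medium/Low, public holidays ignored) and prints the backlog most-urgent first with the `fix/dep-<id>` branch name the closing plan prescribes. The field names (`state`, `created_at`, `security_advisory.severity`, `dependency.scope`, `dependency.package`) are those of the GitHub Dependabot alerts REST API; the four alerts embedded at the bottom are constructed sample data, not real alerts from the repository.

```python
"""Apply the Gate 02 triage SLA to a Dependabot alert export.

Added example, not the project's own tooling.  Usage:
    gh api /repos/NKAP360-dev/edge-app/dependabot/alerts --paginate | jq -s 'add' > alerts.json
    python triage_alerts.py alerts.json
With no argument it runs on the constructed SAMPLE_ALERTS below.
"""
import json
import sys
from datetime import date, datetime, timedelta

# Time-to-triage from the SLA table: ("bd", n) = n business days, ("d", n) = n calendar days.
TRIAGE_SLA = {
    "critical": ("bd", 1),
    "high": ("bd", 5),
    "medium": ("d", 30),
    "low": ("d", 90),
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def add_business_days(start: date, n: int) -> date:
    """Advance `start` by n Monday-to-Friday days (public holidays are ignored)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 = Mon..Fri
            n -= 1
    return current


def triage_deadline(created: date, severity: str) -> date:
    """Latest date by which the alert must be triaged under the SLA."""
    unit, n = TRIAGE_SLA[severity]
    return add_business_days(created, n) if unit == "bd" else created + timedelta(days=n)


def triage_alerts(alerts_json: str, today: str) -> list:
    """Return open alerts as dicts, most urgent first, with SLA deadline and overdue flag."""
    ref = date.fromisoformat(today)
    rows = []
    for alert in json.loads(alerts_json):
        if alert.get("state") != "open":
            continue  # fixed / dismissed alerts do not count toward the backlog
        severity = alert["security_advisory"]["severity"].lower()
        created = datetime.fromisoformat(alert["created_at"].replace("Z", "+00:00")).date()
        deadline = triage_deadline(created, severity)
        pkg = alert["dependency"]["package"]
        rows.append({
            "number": alert["number"],
            "package": f"{pkg['ecosystem']}/{pkg['name']}",
            "scope": alert["dependency"].get("scope") or "unknown",  # runtime vs development
            "severity": severity,
            "deadline": deadline,
            "overdue": ref > deadline,
            "branch": f"fix/dep-{alert['number']}",
        })
    # Overdue first, then by severity, then by nearest deadline.
    rows.sort(key=lambda r: (not r["overdue"], SEVERITY_RANK[r["severity"]], r["deadline"]))
    return rows


def summarize(rows: list) -> dict:
    """Counts a reviewer would ask for: open, overdue, per severity, runtime-scoped."""
    summary = {"open": len(rows), "overdue": 0, "by_severity": {}, "runtime": 0}
    for r in rows:
        summary["overdue"] += int(r["overdue"])
        summary["by_severity"][r["severity"]] = summary["by_severity"].get(r["severity"], 0) + 1
        summary["runtime"] += int(r["scope"] == "runtime")
    return summary


# Constructed sample shaped like the API response; not real alerts from edge-app.
SAMPLE_ALERTS = json.dumps([
    {"number": 101, "state": "open", "created_at": "2025-03-03T08:00:00Z",  # Monday
     "security_advisory": {"severity": "high"},
     "dependency": {"scope": "runtime", "package": {"ecosystem": "pip", "name": "example-lib"}}},
    {"number": 102, "state": "open", "created_at": "2025-03-07T08:00:00Z",  # Friday
     "security_advisory": {"severity": "critical"},
     "dependency": {"scope": "development", "package": {"ecosystem": "npm", "name": "example-tool"}}},
    {"number": 103, "state": "open", "created_at": "2025-02-01T08:00:00Z",
     "security_advisory": {"severity": "low"},
     "dependency": {"scope": "development", "package": {"ecosystem": "npm", "name": "example-dev"}}},
    {"number": 104, "state": "fixed", "created_at": "2025-01-10T08:00:00Z",
     "security_advisory": {"severity": "medium"},
     "dependency": {"scope": "runtime", "package": {"ecosystem": "pip", "name": "example-old"}}},
])

if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    backlog = triage_alerts(raw, date.today().isoformat())
    for r in backlog:
        flag = "OVERDUE" if r["overdue"] else "due    "
        print(f"#{r['number']:<5} {r['severity']:<8} {r['scope']:<11} {r['package']:<22} {flag} {r['deadline']}  {r['branch']}")
    print(summarize(backlog))
```

`gh api --paginate` emits one JSON array per page, so the `jq -s 'add'` step merges them into the single array the script expects. The `runtime` count in the summary is the number a bank reviewer will care about first: it separates alerts on shipped code from the dev/test-only ones the status line above describes.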

## Why it matters

A bank's SBOM review will pull the Dependabot count. A 30-alert backlog reads as inattention even if every alert is dev-only.

## Compliance mapping

* ISO 27001 Annex A.8.8 (Management of technical vulnerabilities).
* ISO 27001 Annex A.5.31 (Legal, statutory, regulatory and contractual requirements) — supply-chain due diligence.
* DORA Art 28 (ICT third-party risk management) — third-party deps tracked.
