by riyakhanna1983 2699 days ago
NPM lists known vulnerabilities during installation, but I don't think other package managers work the same way. AFAIK, you have to download the OSS and scan with tools like Black Duck or Snyk. I see you follow a number of steps to confidently import an OSS. Have you tried automating your checklist?
1 comment

For initial import I like it to be a manual process so I can judge risk. I have some really bad Python scripts that read/write Excel documents that will alert me when licenses change.

My plan is to move to Black Duck or the commercial libraries.io subscription for my automation needs.

For Kubernetes I'm really impressed with Aqua Security as they do OSS license adherence and OSS security vuln alerting if you only deploy into containers. It's not a cheap product, but I love how they do OSS assurance as part of build and deployment. It's a nice model that allows a central security team to use technology to enforce policies - good for "research" environments where devs/researchers don't want to put any effort into OSS packages.
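The license-change alerting the reply describes, as an added example that is not the commenter's script: two constructed CSV inventories stand in for the spreadsheets (the `package,version,license` columns are an assumption), and every license change, copyleft introduction, new package and removed package is reported.

```python
"""License-change detector for a dependency inventory (added example).

Reproduces the idea of "alert me when licenses change" using CSV
snapshots instead of Excel so it runs with the standard library only.
Column names and the sample rows below are constructed for illustration.
"""
import csv
import io

# Licenses whose appearance in a dependency warrants a manual review.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-3.0"}

# Constructed snapshots: package,version,license (one row per dependency).
PREVIOUS = """package,version,license
leftpad,1.0.0,MIT
fastjson,2.1.0,Apache-2.0
cryptolib,0.9.1,BSD-3-Clause
oldtool,3.2.0,MIT
"""
CURRENT = """package,version,license
leftpad,1.0.1,MIT
fastjson,2.2.0,AGPL-3.0
cryptolib,0.9.1,BSD-3-Clause
newdep,0.1.0,GPL-3.0
"""

def load_inventory(text):
    """Parse a CSV snapshot into {package: (version, license)}."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["package"]: (r["version"], r["license"].strip()) for r in rows}

def diff_licenses(previous, current):
    """Return (severity, package, message) alerts; unchanged licenses are silent."""
    alerts = []
    for name, (ver, lic) in sorted(current.items()):
        if name not in previous:
            sev = "review" if lic in COPYLEFT else "info"
            alerts.append((sev, name, f"new package {ver} under {lic}"))
            continue
        old_ver, old_lic = previous[name]
        if lic != old_lic:  # version bumps without a license change stay quiet
            sev = "review" if lic in COPYLEFT else "changed"
            alerts.append((sev, name, f"license {old_lic} -> {lic} ({old_ver} -> {ver})"))
    for name in sorted(set(previous) - set(current)):
        alerts.append(("info", name, "package removed"))
    return alerts

def run_check(previous_csv=PREVIOUS, current_csv=CURRENT):
    """Compare two snapshots and return the alert list."""
    return diff_licenses(load_inventory(previous_csv), load_inventory(current_csv))

if __name__ == "__main__":
    for sev, name, msg in run_check():
        print(f"[{sev}] {name}: {msg}")
```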