Runtime Vulnerability Scanning
Basis Theory scans runtime dependencies used by Reactor code and Proxy code transforms.
Scanning happens in two places:
- During deployment when a Reactor or Proxy code transform is created or updated.
- Continuously after deployment on a recurring schedule for currently deployed runtime artifacts.
Deployment-Time Scanning
When a deployment includes runtime dependencies, Basis Theory checks those dependencies before the new version is activated.
If a HIGH or CRITICAL vulnerability is detected, deployment fails and the new version is not activated.
For node22 asynchronous provisioning, failure details are returned on the resource's requested object:
- requested.error_code: vulnerabilities_detected
- requested.error_message: remediation guidance
- requested.error_details.vulnerabilities[]: vulnerability details, including name, version, severity, id, and dependency_path
You can see these details in:
Continuous Scanning
Basis Theory also runs recurring scans for deployed runtime dependency artifacts (package.json and lockfile state) to identify newly disclosed vulnerabilities after deployment.
When new findings are discovered, Basis Theory starts the notification workflow.
Email Notifications
Basis Theory sends two vulnerability notification email types:
- New vulnerability alert: sent on the next notification cycle after new vulnerabilities are discovered.
- Outstanding vulnerability summary: sent weekly for unresolved vulnerabilities.
Notifications are sent to:
- The configured security contact email.
- The tenant owner email when a security contact email is not configured.
Manage your security contact email in the Basis Theory Portal under Settings > Information, or through the API:
Webhook Events
If you monitor operational events with webhooks, use these event types:
- reactor.vulnerabilities_discovered
- proxy.vulnerabilities_discovered
- tenant.vulnerabilities_notified
See payload definitions in Webhook Event Data.
Runtime Coverage
Vulnerability scanning behavior differs by runtime image:
- node-bt: Basis Theory manages scanning for the curated whitelisted dependencies available in this runtime.
- node22: dependencies declared in runtime.dependencies are scanned during deployment and continuously after deployment.
As additional runtime images are introduced, this page will be updated with support details.
Recommended Remediation Workflow
- Inspect requested.error_details.vulnerabilities to identify the affected direct or transitive dependency path.
- Update dependency versions and, if needed, add targeted runtime.resolutions.
- Redeploy the resource and confirm it reaches a healthy state.
- Keep customer-managed CI dependency scanning enabled before deployment.
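The following is an added example, not Basis Theory code, covering both the node22 failure details described under Deployment-Time Scanning and the first two steps of the remediation workflow above. It reads a resource's requested object, confirms the failure is vulnerabilities_detected, counts findings by severity, and separates direct from transitive dependencies so you know whether to bump a version in runtime.dependencies or pin a nested package through runtime.resolutions. The field names (error_code, error_message, error_details.vulnerabilities[], name, version, severity, id, dependency_path) come from this page; the sample values are constructed, and the assumption that dependency_path is an array of package names from the direct dependency down to the vulnerable one is mine. The exact shape of runtime.resolutions is not shown on this page, so the plan only names the packages involved.

```javascript
// Added example (not Basis Theory code): interpret a failed node22 deployment's
// `requested` object and derive a remediation plan from it.
// Assumption: `dependency_path` is an array of package names, outermost first.

// Severities that block activation, as stated in the docs.
const BLOCKING_SEVERITIES = new Set(["HIGH", "CRITICAL"]);

// Constructed sample of what a failed provisioning might report. The MEDIUM entry
// is included only to show non-blocking handling; the page does not say whether
// lower severities are reported at all.
const sampleRequested = {
  error_code: "vulnerabilities_detected",
  error_message: "Update the affected dependencies and redeploy.",
  error_details: {
    vulnerabilities: [
      { name: "example-parser", version: "1.2.3", severity: "HIGH", id: "EXAMPLE-ID-1",
        dependency_path: ["example-http-client", "example-parser"] },
      { name: "example-http-client", version: "4.0.0", severity: "CRITICAL", id: "EXAMPLE-ID-2",
        dependency_path: ["example-http-client"] },
      { name: "example-util", version: "0.9.1", severity: "MEDIUM", id: "EXAMPLE-ID-3",
        dependency_path: ["example-http-client", "example-util"] },
    ],
  },
};

function isVulnerabilityFailure(requested) {
  return Boolean(requested) && requested.error_code === "vulnerabilities_detected";
}

// A one-element path means the vulnerable package is a direct dependency;
// anything deeper is transitive and is reached through path[0].
function classifyFinding(v) {
  const path = Array.isArray(v.dependency_path) && v.dependency_path.length > 0
    ? v.dependency_path : [v.name];
  const severity = String(v.severity).toUpperCase();
  return {
    id: v.id, name: v.name, version: v.version, severity,
    blocking: BLOCKING_SEVERITIES.has(severity),
    kind: path.length <= 1 ? "direct" : "transitive",
    root: path[0],
    path: path.join(" > "),
  };
}

function summarize(requested) {
  if (!isVulnerabilityFailure(requested)) {
    return { failed: false, findings: [], bySeverity: {}, blockingCount: 0 };
  }
  const findings = (requested.error_details?.vulnerabilities ?? []).map(classifyFinding);
  const bySeverity = {};
  for (const f of findings) bySeverity[f.severity] = (bySeverity[f.severity] ?? 0) + 1;
  return {
    failed: true, message: requested.error_message, findings, bySeverity,
    blockingCount: findings.filter((f) => f.blocking).length,
  };
}

// Remediation plan in the workflow's own terms: direct findings mean a version
// bump in runtime.dependencies; transitive findings mean upgrading the root
// dependency first and, if that does not pull in a fixed version, a targeted
// runtime.resolutions entry for the nested package.
function remediationPlan(summary) {
  const updateDirect = new Set();
  const resolveTransitive = {};
  for (const f of summary.findings) {
    if (!f.blocking) continue; // only HIGH/CRITICAL block activation
    if (f.kind === "direct") {
      updateDirect.add(f.name);
    } else {
      updateDirect.add(f.root);
      resolveTransitive[f.name] = f.path;
    }
  }
  return { updateDirect: [...updateDirect].sort(), resolveTransitive };
}

const summary = summarize(sampleRequested);
console.log(JSON.stringify({ bySeverity: summary.bySeverity, blockingCount: summary.blockingCount }, null, 2));
console.log(JSON.stringify(remediationPlan(summary), null, 2));
```

Run it with node; with the constructed sample it reports one HIGH, one CRITICAL and one MEDIUM finding, two of them blocking, and a plan that upgrades example-http-client and notes example-parser as the transitive package a resolution would need to pin. Because the page does not state how dependency_path is encoded, check a real failed deployment's payload before relying on the direct/transitive split.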