Runtime Vulnerability Scanning

Basis Theory scans runtime dependencies used by Reactor code and Proxy code transforms. For the node22 runtime, Basis Theory scans the resolved dependency graph, including direct dependencies declared in runtime.dependencies, transitive dependencies, and versions affected by runtime.resolutions.

Scanning happens in two places:

  1. During deployment when a Reactor or Proxy code transform is created or updated.
  2. Continuously after deployment on a recurring schedule for currently deployed runtime artifacts.

Deployment-Time Scanning

When a deployment includes runtime dependencies, Basis Theory checks those dependencies before the new version is activated.

If a HIGH or CRITICAL vulnerability is detected, deployment fails and the new version is not activated.
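One way to apply the same threshold in your own pipeline before a deployment is attempted, as an added example that is not Basis Theory code: it reads the report that `npm audit --json` produces (npm 7 and later report format) and refuses the build when anything HIGH or CRITICAL is present, listing the direct dependency each finding is reached through. The package names, advisory URLs and the whole sample report are constructed for this example.

```javascript
// Added example, not Basis Theory code: apply the deployment-time HIGH/CRITICAL
// threshold to the report from `npm audit --json` (npm 7+ format) so a CI job
// fails before Basis Theory rejects the deployment.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Returns { pass, blocking }. `blocking` lists every package at or above the
// threshold, highest severity first, with the advisories that affect it.
function gateAudit(audit, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  const blocking = [];
  for (const [name, v] of Object.entries(audit.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[v.severity];
    if (rank === undefined || rank < min) continue;
    const via = v.via || [];
    blocking.push({
      name,
      severity: v.severity,
      range: v.range,
      // isDirect is false when the package is only reachable transitively.
      direct: Boolean(v.isDirect),
      // `via` holds advisory objects for the vulnerable package itself and
      // plain package names for packages affected only through a dependency.
      advisories: via.filter((x) => typeof x === "object").map((x) => x.url || x.title),
      reachedThrough: via.filter((x) => typeof x === "string"),
      // fixAvailable is true, false, or an object describing the fixing version.
      fixAvailable: v.fixAvailable !== false,
    });
  }
  blocking.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { pass: blocking.length === 0, blocking };
}

// Formats the result for a CI log and returns the exit code to use
// (0 = safe to deploy, 1 = would be rejected at deployment time).
function report(result) {
  const lines = result.blocking.map(
    (b) =>
      `${b.severity.toUpperCase()} ${b.name} ${b.range} ` +
      `(${b.direct ? "direct" : "transitive via " + b.reachedThrough.join(", ")}; ` +
      `fix available: ${b.fixAvailable}) ${b.advisories.join(" ")}`
  );
  return { exitCode: result.pass ? 0 : 1, lines };
}

// Constructed sample in the npm 7+ `npm audit --json` shape. Package names,
// advisory titles and URLs are invented for this example.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-parser": {
      name: "example-parser",
      severity: "critical",
      isDirect: false,
      via: [{ source: 1, name: "example-parser", title: "Prototype pollution",
              url: "https://example.invalid/advisory/1", severity: "critical", range: "<2.0.0" }],
      effects: ["example-http"],
      range: "<2.0.0",
      fixAvailable: { name: "example-http", version: "2.1.0", isSemVerMajor: false },
    },
    "example-http": {
      name: "example-http",
      severity: "critical", // inherits the severity of the dependency it pulls in
      isDirect: true,
      via: ["example-parser"],
      effects: [],
      range: ">=1.0.0 <2.1.0",
      fixAvailable: { name: "example-http", version: "2.1.0", isSemVerMajor: false },
    },
    "example-logger": {
      name: "example-logger",
      severity: "moderate",
      isDirect: true,
      via: [{ source: 2, name: "example-logger", title: "Log injection",
              url: "https://example.invalid/advisory/2", severity: "moderate", range: "<3.1.0" }],
      effects: [],
      range: "<3.1.0",
      fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 2, total: 3 } },
};
```

In a pipeline, write the report with `npm audit --json > audit.json`, parse it with `JSON.parse`, print `report(gateAudit(audit)).lines` and exit with the returned `exitCode`. `npm audit --audit-level=high` alone already exits non-zero at that threshold; the function adds the per-package detail (direct or transitive, fix available) that you will need when the deployment-time scan reports the same finding.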

For node22 asynchronous provisioning, failure details are returned on the resource's requested object:

  • requested.error_code: vulnerabilities_detected
  • requested.error_message: remediation guidance
  • requested.error_details.vulnerabilities[]: vulnerability details, including name, version, severity, id, and dependency_path

You can see these details in:

Continuous Scanning

Basis Theory also runs recurring scans for deployed runtime dependency artifacts (package.json and lockfile state) to identify newly disclosed vulnerabilities after deployment.

When new findings are discovered, Basis Theory starts the notification workflow.

Email Notifications

Basis Theory sends vulnerability notifications for unresolved node22 runtime dependency findings:

  1. New vulnerability alert: sent on the next notification cycle after new vulnerabilities are discovered.
  2. Remediation warning: sent 7 days before invocation is blocked for unresolved CRITICAL vulnerabilities.
  3. Outstanding vulnerability summary: sent weekly for unresolved vulnerabilities.

Notifications are sent to:

  1. The configured security contact email.
  2. The tenant owner email when a security contact email is not configured.

Manage your security contact email in the Basis Theory Portal under Settings > Information, or through the API:

Remediation Enforcement

If a CRITICAL vulnerability is found in a deployed node22 runtime artifact, Basis Theory gives you up to 30 days after remediation notification to resolve it.

Basis Theory sends a remediation warning 7 days before invocation is blocked. After the remediation deadline, invocation is blocked until the vulnerability is remediated:

  • Reactors are blocked before Reactor code runs.
  • Pre-configured Proxies are blocked at the proxy level before request transforms, destination forwarding, or response transforms run.

Redeploying with remediated dependencies clears active vulnerability findings and allows invocation again.

Webhook Events

If you monitor operational events with webhooks, use these event types:

  • reactor.vulnerabilities_discovered
  • proxy.vulnerabilities_discovered
  • tenant.vulnerabilities_notified

See payload definitions in Webhook Event Data.

Runtime Coverage

Vulnerability scanning behavior differs by runtime image:

  • node-bt: Basis Theory manages scanning for the curated whitelisted dependencies available in this runtime.
  • node22: the resolved dependency graph is scanned during deployment and continuously after deployment, including direct dependencies declared in runtime.dependencies, transitive dependencies, and versions affected by runtime.resolutions.

As additional runtime images are introduced, this page will be updated with support details.

  1. Inspect vulnerability details from the notification, webhook event, or requested.error_details.vulnerabilities to identify the affected direct or transitive dependency path.
  2. Update dependency versions and, if needed, add targeted runtime.resolutions.
  3. Redeploy the resource and confirm it reaches a healthy state.
  4. Keep customer-managed CI dependency scanning enabled before deployment.
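The steps above, carried through as an added example that is not Basis Theory code: it reads the `requested` object of a failed node22 deployment, separates findings in a direct dependency from findings reached transitively, and turns them into the `runtime.dependencies` bump or the targeted `runtime.resolutions` pin to redeploy with. Two things are assumptions, since the page names the fields but not their shape: `dependency_path` is taken to be the list of package names from the direct dependency down to the vulnerable package (a `>`-separated string is accepted too), and `runtime.resolutions` is taken to map a package name to the version to pin. The fixed versions are supplied by the caller from the advisories; the sample `requested` object, runtime configuration and fix map are constructed.

```javascript
// Added example, not Basis Theory code: plan remediation from the
// requested.error_details returned when a node22 deployment fails with
// error_code "vulnerabilities_detected".
// Assumptions: dependency_path is [direct, ..., vulnerable] (array or
// "a > b > c" string); runtime.resolutions maps package name to version.

const BLOCKING = new Set(["HIGH", "CRITICAL"]);

// Returns null unless the requested object carries a vulnerability failure,
// otherwise the findings that blocked activation.
function vulnerabilityFindings(requested) {
  if (!requested || requested.error_code !== "vulnerabilities_detected") return null;
  const details = requested.error_details || {};
  return details.vulnerabilities || [];
}

// Findings at the severities that fail a deployment (HIGH or CRITICAL).
function blockingFindings(findings) {
  return findings.filter((f) => BLOCKING.has(String(f.severity).toUpperCase()));
}

function pathOf(finding) {
  const p = finding.dependency_path;
  return Array.isArray(p) ? p : String(p).split(">").map((s) => s.trim()).filter(Boolean);
}

// Builds the manifest changes: when the direct dependency is itself the
// vulnerable package, bump it in dependencies; when the vulnerable package is
// transitive, pin it through resolutions. Findings with no known fixed
// version are reported as unresolved together with the direct dependency
// that pulls them in, so the owner of that dependency can be chased.
function planRemediation(findings, fixedVersions) {
  const plan = { dependencies: {}, resolutions: {}, unresolved: [] };
  for (const f of findings) {
    const path = pathOf(f);
    const direct = path[0] || f.name;
    const target = fixedVersions[f.name];
    if (!target) {
      plan.unresolved.push({ id: f.id, name: f.name, version: f.version, severity: f.severity, direct });
      continue;
    }
    if (path.length <= 1) plan.dependencies[direct] = target;
    else plan.resolutions[f.name] = target;
  }
  return plan;
}

// Returns a new runtime configuration with the plan applied; the original is
// left untouched so the diff can be reviewed before redeploying.
function applyPlan(runtime, plan) {
  return {
    ...runtime,
    dependencies: { ...(runtime.dependencies || {}), ...plan.dependencies },
    resolutions: { ...(runtime.resolutions || {}), ...plan.resolutions },
  };
}

// Constructed sample: the requested object of a failed deployment, the
// runtime block it was deployed with, and the fixed versions taken from the
// advisories. Package names and ids are invented.
const SAMPLE_REQUESTED = {
  error_code: "vulnerabilities_detected",
  error_message: "Update the affected dependencies and redeploy.",
  error_details: {
    vulnerabilities: [
      { name: "example-parser", version: "1.4.0", severity: "CRITICAL", id: "EXAMPLE-0001",
        dependency_path: ["example-http", "example-parser"] },
      { name: "example-http", version: "2.0.1", severity: "HIGH", id: "EXAMPLE-0002",
        dependency_path: ["example-http"] },
      { name: "example-yaml", version: "0.9.0", severity: "HIGH", id: "EXAMPLE-0003",
        dependency_path: "example-config > example-yaml" },
      { name: "example-colors", version: "1.0.0", severity: "LOW", id: "EXAMPLE-0004",
        dependency_path: ["example-colors"] },
    ],
  },
};
const SAMPLE_RUNTIME = {
  image: "node22",
  dependencies: { "example-http": "2.0.1", "example-config": "1.0.0", "example-colors": "1.0.0" },
  resolutions: {},
};
// example-yaml has no fixed release yet, so it stays unresolved.
const SAMPLE_FIXES = { "example-parser": "2.0.0", "example-http": "2.1.0" };
```

Redeploy with `applyPlan(SAMPLE_RUNTIME, planRemediation(blockingFindings(findings), SAMPLE_FIXES))` and confirm the resource reaches a healthy state; anything left in `unresolved` needs a different fix (a replacement package or removing the dependency), because a resolution can only pin to a version that exists.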