This is why most companies have a build step in their CI/CD pipeline that scans for CVEs/malware in their app's dependencies (jars, npm packages, Ruby gems, etc.).
While the concept sounds sound, so far I've never actually seen this setup in the real world. Do you happen to have any resources on how to properly set up such a step in a CI tool?
Check out software like Twistlock, Sonatype, and I think Tenable has a scanner as well that integrates into the pipeline. If you are not using Sonatype to build, you can find good support for this in Jenkins or TeamCity via a plugin.
(Full disclosure, I work in this area)
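Added example, not code from any poster or from the vendors named above: a minimal, self-contained version of the pipeline gate those scanners implement. It reads the resolved dependency set (here a constructed npm package-lock.json), matches each package@version against an advisory list (here constructed, in OSV-like "introduced/fixed" range shape; package names and versions are fictional), and returns a non-zero exit status when anything at or above a configured severity is present so the CI job fails. Running it as a pipeline step is as simple as `python3 depgate.py || exit 1`; the filename, the advisory format and the severity threshold are all assumptions of this example.

```python
"""Minimal CI dependency gate (added example; not a poster's code or any vendor's tool)."""
import json
import sys

# Constructed package-lock.json in the lockfileVersion 2/3 "packages" layout.
# Package names and versions are fictional.
SAMPLE_LOCKFILE = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "1.0.0"},
        "node_modules/example-http": {"version": "4.17.15"},
        "node_modules/example-parse": {"version": "1.2.6"},
        "node_modules/example-http/node_modules/example-pad": {"version": "1.1.0"},
    },
})

# Constructed advisory data: a version is affected if introduced <= v < fixed
# (the same half-open range semantics OSV uses). Entries are illustrative only.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "example-http", "introduced": "0", "fixed": "4.17.19", "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "package": "example-parse", "introduced": "0", "fixed": "1.2.6", "severity": "CRITICAL"},
    {"id": "EXAMPLE-0003", "package": "example-pad", "introduced": "1.0.0", "fixed": "1.2.0", "severity": "LOW"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(v):
    """Turn '4.17.15' into (4, 17, 15); non-numeric fragments compare as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed; the fixed version itself is clean."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_dependencies(lockfile_text):
    """Return {package_name: version} from a lockfileVersion 2/3 package-lock.

    Nested paths like node_modules/a/node_modules/b resolve to package 'b'.
    """
    lock = json.loads(lockfile_text)
    deps = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        deps[name] = meta["version"]
    return deps


def scan(deps, advisories):
    """Return every advisory whose range covers the installed version."""
    findings = []
    for adv in advisories:
        installed = deps.get(adv["package"])
        if installed and is_affected(installed, adv["introduced"], adv["fixed"]):
            findings.append({**adv, "installed": installed})
    return findings


def gate(findings, fail_on="HIGH"):
    """CI exit status: 1 if any finding is at or above the threshold, else 0."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings if SEVERITY_RANK[f["severity"]] >= threshold]
    return 1 if blocking else 0


if __name__ == "__main__":
    results = scan(load_dependencies(SAMPLE_LOCKFILE), SAMPLE_ADVISORIES)
    for f in results:
        print(f"{f['severity']:8} {f['id']} {f['package']}@{f['installed']} (fixed in {f['fixed']})")
    sys.exit(gate(results))
```

Two details matter in practice and are exercised by the sample data: the package pinned at exactly its fixed version is not flagged (a gate that uses a closed range produces false positives and gets disabled by developers), and the severity threshold separates "report" from "break the build", which is what makes the step survivable in a pipeline with a large transitive tree.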