Sloppify
25
ideas/dev-tooling/dependency-vulnerability-watcher.md
Normal file
@@ -0,0 +1,25 @@
# Dependency Vulnerability Watcher
Continuously watch dependency manifests and lockfiles, detect newly disclosed vulnerabilities, and open remediation issues or pull requests automatically.
## Problem
Security advisories often arrive after dependencies are already deployed; manual tracking leads to delayed patches and inconsistent follow-up.
## Core capabilities
- Scan manifests and lockfiles across selected repositories.
- Correlate package versions with advisory feeds (NVD, GitHub Advisories, ecosystem feeds).
- Create severity-based issues with affected services and upgrade guidance.
- Open update PRs with changelog notes and risk labels for safe upgrades.
## MVP scope
- Support npm, pip, and Docker base image checks.
- Daily scheduled scans plus webhook-triggered scans on advisory updates.
- Slack or email alerts for high and critical findings.
## Success criteria
- Mean time to patch critical CVEs drops below a target SLA.
- 100% of critical findings have a tracked issue or PR within 24 hours.
## Stretch ideas
- Auto-rollout low-risk patch updates behind feature flags.
- Policy engine to block release pipelines when unresolved critical CVEs exist.
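Review bot: The "Success criteria" section leaves the SLA undefined: the first bullet only says "drops below a target SLA" while the second gives a concrete 24-hour window, so state the target number (or reuse the 24-hour figure) so the criterion is measurable. Under "Core capabilities", the correlation bullet should also say that package versions are matched against the resolved versions in the lockfile rather than the manifest's version ranges, since the manifest alone does not tell which version is actually deployed; and the Docker base image item in "MVP scope" should say what is compared (image tag or digest), as images have no lockfile equivalent.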