# Dependency Vulnerability Watcher

Continuously watch dependency manifests and lockfiles, detect newly disclosed vulnerabilities, and open remediation issues or pull requests automatically.

## Problem

Security advisories often arrive after dependencies are already deployed; manual tracking leads to delayed patches and inconsistent follow-up.

## Core capabilities

- Scan manifests and lockfiles across selected repositories.
- Correlate package versions with advisory feeds (NVD, GitHub Advisories, ecosystem feeds).
- Create severity-based issues with affected services and upgrade guidance.
- Open update PRs with changelog notes and risk labels for safe upgrades.

## MVP scope

- Support npm, pip, and Docker base image checks.
- Daily scheduled scans plus webhook-triggered scans on advisory updates.
- Slack or email alerts for high and critical findings.

## Success criteria

- Mean time to patch critical CVEs drops below a target SLA.
- 100% of critical findings have a tracked issue or PR within 24 hours.

## Stretch ideas

- Auto-rollout low-risk patch updates behind feature flags.
- Policy engine to block release pipelines when unresolved critical CVEs exist.
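The correlation step from "Core capabilities" and the high/critical alert filter from "MVP scope", as an added illustration that is not part of this project's code: it builds an inventory from an npm `package-lock.json` and a pinned pip `requirements.txt`, then matches each version against OSV-style advisories using half-open `[introduced, fixed)` ranges. The lockfile, requirements, advisory entries and `ADV-*` identifiers below are constructed sample data, and the dotted-numeric version comparison is a simplification (no pre-release or epoch handling).

```python
import json, re

# Constructed sample inputs (not from any real project or advisory feed).
PACKAGE_LOCK = json.dumps({"packages": {
    "": {"name": "app"},
    "node_modules/lodash": {"version": "4.17.20"},
}})
REQUIREMENTS = "requests==2.25.0\njinja2==3.1.3\n"
# Constructed OSV-style advisories: affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "ecosystem": "npm", "package": "lodash",
     "introduced": "0", "fixed": "4.17.21", "severity": "HIGH"},
    {"id": "ADV-0002", "ecosystem": "PyPI", "package": "requests",
     "introduced": "2.3.0", "fixed": "2.31.0", "severity": "MODERATE"},
    {"id": "ADV-0003", "ecosystem": "PyPI", "package": "jinja2",
     "introduced": "0", "fixed": "3.1.3", "severity": "CRITICAL"},
]

def parse_version(v):
    """Dotted numeric version to a comparable tuple; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def load_inventory(lock_json, requirements_txt):
    """Return {(ecosystem, name): version} from an npm lockfile and pinned pip requirements."""
    inv = {}
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if path.startswith("node_modules/"):  # nested deps keep their last path component
            inv[("npm", path.rsplit("node_modules/", 1)[1])] = meta["version"]
    for line in requirements_txt.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([0-9][^\s;#]*)", line)
        if m:
            inv[("PyPI", m.group(1).lower())] = m.group(2)
    return inv

def correlate(inventory, advisories):
    """A package is affected when introduced <= installed < fixed (the fixed version is safe)."""
    findings = []
    for adv in advisories:
        ver = inventory.get((adv["ecosystem"], adv["package"]))
        if ver is None:
            continue
        v = parse_version(ver)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append({"id": adv["id"], "package": adv["package"], "installed": ver,
                             "fix": adv["fixed"], "severity": adv["severity"]})
    return findings

def alertable(findings, levels=("HIGH", "CRITICAL")):
    """Subset that should go to Slack or email under the MVP alerting rule."""
    return [f for f in findings if f["severity"] in levels]
```

With the sample data, `jinja2==3.1.3` is reported clean because it sits exactly on the `fixed` boundary, which is the off-by-one a watcher must get right to avoid false positives.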