claw-ideas/ideas/dev-tooling/dependency-vulnerability-watcher.md
Space-Banane bdddf602be Sloppify
2026-04-02 19:47:53 +02:00


Dependency Vulnerability Watcher

Continuously watch dependency manifests and lockfiles, detect newly disclosed vulnerabilities, and open remediation issues or pull requests automatically.

Problem

Security advisories often arrive after the affected dependency is already deployed; tracking them by hand leads to delayed patches and inconsistent follow-up.

Core capabilities

  • Scan manifests and lockfiles across selected repositories.
  • Correlate package versions with advisory feeds (NVD, GitHub Advisories, ecosystem feeds).
  • Create severity-based issues with affected services and upgrade guidance.
  • Open update PRs with changelog notes and risk labels for safe upgrades.

MVP scope

  • Support npm, pip, and Docker base image checks.
  • Daily scheduled scans plus webhook-triggered scans on advisory updates.
  • Slack or email alerts for high and critical findings.
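The correlation step behind the core capabilities and the MVP scope (npm and pip manifests matched against an advisory feed, findings bucketed by severity for issue creation and alerting) can be illustrated with a small self-contained script. This is an added example, not code from the claw-ideas repository or its author; the package-lock.json, requirements.txt and advisory records are constructed samples, the EXAMPLE-ADV-* ids are placeholders, and the advisory range shape (affected when introduced <= installed < fixed) is an assumption chosen to resemble OSV-style ranges.

```python
"""Added example (not part of claw-ideas): correlate pinned versions from an
npm lockfile and a pip requirements file with an advisory feed, then rank
findings by severity. All inputs below are constructed samples."""
import json
import re

# --- constructed sample inputs (not real project files) ------------------
PACKAGE_LOCK = json.dumps({
    "name": "sample-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "1.1.0", "tiny-util": "2.4.1"}},
        "node_modules/left-pad": {"version": "1.1.0"},
        "node_modules/tiny-util": {"version": "2.4.1"},
    },
})
REQUIREMENTS_TXT = """\
# constructed requirements file
requests==2.19.0
flask==3.0.2   # pinned above the fixed version, so not a finding
"""
# Constructed advisory feed; EXAMPLE-ADV-* ids are placeholders.
# Assumed range shape: affected when introduced <= installed < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "ecosystem": "npm", "package": "left-pad",
     "introduced": "0.0.0", "fixed": "1.3.0", "severity": "high"},
    {"id": "EXAMPLE-ADV-0002", "ecosystem": "pypi", "package": "requests",
     "introduced": "2.0.0", "fixed": "2.20.0", "severity": "critical"},
    {"id": "EXAMPLE-ADV-0003", "ecosystem": "pypi", "package": "flask",
     "introduced": "0.0.0", "fixed": "2.3.0", "severity": "moderate"},
]
SEVERITY_RANK = {"critical": 4, "high": 3, "moderate": 2, "low": 1}


def parse_version(text):
    """Numeric leading components only: '1.2.3-beta.1' -> (1, 2, 3)."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_lt(a, b):
    """True if a sorts strictly before b; missing trailing parts count as 0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def parse_package_lock(text):
    """{name: version} from the 'packages' map of a lockfileVersion 2/3 file."""
    installed = {}
    for path, meta in json.loads(text).get("packages", {}).items():
        if not path:            # "" is the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]   # strips nested node_modules/
        if "version" in meta:
            installed[name] = meta["version"]
    return installed


def parse_requirements(text):
    """{name: version} from '==' pins in a requirements.txt; comments dropped."""
    installed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][^\s;]*)", line)
        if m:
            installed[m.group(1).lower()] = m.group(2)
    return installed


def correlate(installed, ecosystem, advisories=ADVISORIES):
    """One finding per (package, advisory) whose range covers the pinned version."""
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"]) if adv["ecosystem"] == ecosystem else None
        if version is None:
            continue
        if not version_lt(version, adv["introduced"]) and version_lt(version, adv["fixed"]):
            findings.append({"ecosystem": ecosystem, "package": adv["package"],
                             "version": version, "advisory": adv["id"],
                             "severity": adv["severity"], "fixed": adv["fixed"]})
    return findings


def scan_all(lock_text=PACKAGE_LOCK, req_text=REQUIREMENTS_TXT):
    """Scan both manifests; return findings with the highest severity first."""
    findings = (correlate(parse_package_lock(lock_text), "npm")
                + correlate(parse_requirements(req_text), "pypi"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)


def issue_title(f):
    """Title for the remediation issue the watcher would open for a finding."""
    return (f"[{f['severity'].upper()}] {f['ecosystem']}:{f['package']} {f['version']} "
            f"affected by {f['advisory']}; upgrade to >= {f['fixed']}")


def needs_alert(findings, threshold="high"):
    """Findings at or above the threshold (the MVP's Slack/email trigger)."""
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]]


if __name__ == "__main__":
    for finding in scan_all():
        print(issue_title(finding))
```

Running it prints one issue title per affected pin: the requests pin (critical) first, then left-pad (high); flask is pinned above its fixed version and produces nothing. A real feed would replace the inline list with NVD, GitHub Advisories or OSV records and a proper ecosystem-aware version parser, but the correlate-then-rank shape stays the same.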

Success criteria

  • Mean time to patch critical CVEs drops below a target SLA.
  • 100% of critical findings have a tracked issue or PR within 24 hours.

Stretch ideas

  • Auto-rollout low-risk patch updates behind feature flags.
  • Policy engine to block release pipelines when unresolved critical CVEs exist.