# Dependency Vulnerability Watcher
Continuously watch dependency manifests and lockfiles, detect newly disclosed vulnerabilities, and open remediation issues or pull requests automatically.
## Problem
Security advisories often arrive after dependencies are already deployed; manual tracking leads to delayed patches and inconsistent follow-up.
## Core capabilities
- Scan manifests and lockfiles across selected repositories.
- Correlate package versions with advisory feeds (NVD, GitHub Advisories, ecosystem feeds).
- Create severity-based issues with affected services and upgrade guidance.
- Open update PRs with changelog notes and risk labels for safe upgrades.
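
The correlation step in the capabilities above, as an added example (not code from this project): it parses a constructed npm lockfile, matches installed versions against constructed advisory records using the half-open `introduced <= v < fixed` range that advisory feeds express, ranks findings by severity, and applies the MVP's high/critical alert rule. Advisory IDs, package versions and the feed shape are placeholders.

```python
import json

# Constructed sample npm lockfile (lockfileVersion 3 "packages" layout), not a real project's file.
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.1.3"},
    "node_modules/minimist": {"version": "1.2.0"},
    "node_modules/lodash": {"version": "4.17.21"},
}})

# Constructed advisories in a simplified OSV-like shape; the IDs are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "minimist", "introduced": "0.0.0", "fixed": "1.2.6", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-2", "package": "lodash", "introduced": "0.0.0", "fixed": "4.17.21", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-3", "package": "left-pad", "introduced": "1.1.0", "fixed": "1.2.0", "severity": "moderate"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "moderate": 2, "low": 1}

def parse_version(v):
    """'MAJOR.MINOR.PATCH' (any '-prerelease' suffix dropped) -> comparable tuple of ints."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))

def parse_lockfile(text):
    """Map package name -> installed version from an npm lockfile's "packages" table."""
    installed = {}
    for path, entry in json.loads(text).get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the "" key is the root project itself, not a dependency
        installed[path.rsplit("node_modules/", 1)[1]] = entry["version"]  # handles nested paths
    return installed

def find_vulnerable(installed, advisories):
    """Correlate installed versions with advisories; returns findings, most severe first."""
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None:
            continue
        # Affected iff introduced <= installed < fixed: the half-open range advisory feeds use,
        # so a package already at the fixed version is correctly reported as clean.
        if parse_version(adv["introduced"]) <= parse_version(version) < parse_version(adv["fixed"]):
            findings.append({"id": adv["id"], "package": adv["package"], "installed": version,
                             "fixed": adv["fixed"], "severity": adv["severity"]})
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])

def needs_alert(finding):
    """MVP alert rule from the spec: notify only on high and critical findings."""
    return SEVERITY_RANK[finding["severity"]] >= SEVERITY_RANK["high"]
```

A real implementation would replace the tuple comparison with a proper semver library and read ranges from the feed's own schema; the boundary case (lodash already at its fixed version) is the one most often got wrong.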
## MVP scope
- Support npm, pip, and Docker base image checks.
- Daily scheduled scans plus webhook-triggered scans on advisory updates.
- Slack or email alerts for high and critical findings.
## Success criteria
- Mean time to patch critical CVEs drops below a target SLA.
- 100% of critical findings have a tracked issue or PR within 24 hours.
## Stretch ideas
- Auto-rollout low-risk patch updates behind feature flags.
- Policy engine to block release pipelines when unresolved critical CVEs exist.