Engineering
Every vulnerable or stale dependency surfaces as a documented, merge-ready PR within a week
A weekly security hygiene pipeline that scans your repository's dependencies for known vulnerabilities, deprecated packages, and stale versions. An agent cross-references your package manifests against public vulnerability databases and changelogs. For each finding, it assesses exploitability in your specific usage context and assigns a severity level. Actionable findings automatically become pull requests with upgrade instructions and changelog links, so your team can review and merge on their own schedule.
How it works
Trigger: Runs every Monday at 6:00 AM
- 01 Job: Pull dependency manifests from all repos
  Clone each tracked repository and extract its dependency manifests: package.json, requirements.txt, go.mod, Cargo.toml, Gemfile, etc. Build a unified list of every direct dependency with its current version.
- 02 Agent: Research vulnerabilities and updates for each dependency
  For each dependency, search vulnerability databases and changelogs for:
  - Known CVEs affecting the current version
  - New major/minor/patch releases since the current version
  - Deprecation or end-of-life announcements
  For each finding, assess whether the vulnerability is exploitable given how the dependency is used in the codebase.
  Spawns Research workers (×4)
- 03 Agent: Score findings and decide which to patch
  Rank every finding by severity:
  - **Critical**: exploitable CVE, patch immediately
  - **High**: CVE with unclear exploitability, or a major version behind
  - **Medium**: minor version behind with bug fixes
  - **Low**: patch version behind, no security impact
  Filter to findings worth acting on: Critical and High always; Medium only if the upgrade is trivial.
- 04 Tool: Create pull requests for actionable findings
  For each actionable finding, create a branch with the version bump, run the test suite, and open a PR with the CVE or changelog link, the severity assessment, upgrade instructions, and a note on any breaking changes.
Result: Critical and high-severity dependency findings become documented PRs every Monday
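The severity rubric and actionability filter from steps 02 and 03, as an added Python example rather than the pipeline's own code. The severity labels follow the rubric above; the handling of a CVE assessed as not exploitable (it falls through to version-lag scoring), the reading of "trivial upgrade" as "no breaking changes noted in the changelog", the version parsing, and the sample findings with placeholder CVE ids are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
import itertools

@dataclass
class Finding:                   # one dependency, as produced by the research step (02)
    name: str
    current: str                 # version pinned in the manifest
    latest: str                  # newest release found in the changelog/registry
    cves: list = field(default_factory=list)   # [{"id": ..., "exploitable": "yes"|"unclear"|"no"}]
    breaking_changes: bool = False             # changelog flags breaking changes for the upgrade

def parse_version(v: str) -> tuple:   # 'v1.2.3' / '1.2.0-beta' -> (1, 2, 3) / (1, 2, 0)
    nums = [int("".join(itertools.takewhile(str.isdigit, p)) or 0) for p in v.lstrip("v").split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def version_lag(current: str, latest: str):   # 'major' / 'minor' / 'patch' behind, or None when up to date
    c, l = parse_version(current), parse_version(latest)
    if l <= c:
        return None
    return "major" if l[0] > c[0] else "minor" if l[1] > c[1] else "patch"

def score(f: Finding):   # severity per the rubric in step 03
    # assumption: a CVE assessed as not exploitable falls through to version-lag scoring
    assessed = {c["exploitable"] for c in f.cves}
    lag = version_lag(f.current, f.latest)
    if "yes" in assessed:
        return "Critical"        # exploitable CVE: patch immediately
    if "unclear" in assessed or lag == "major":
        return "High"            # unclear exploitability, or a major version behind
    if lag == "minor":
        return "Medium"          # minor version behind (bug fixes)
    return "Low" if lag == "patch" else None   # patch behind (no security impact) / nothing to report

def is_actionable(f: Finding) -> bool:   # Critical and High always; Medium only if the upgrade is trivial
    # assumption: "trivial" means the changelog notes no breaking changes for the bump
    sev = score(f)
    return sev in ("Critical", "High") or (sev == "Medium" and not f.breaking_changes)

def triage(findings):   # (name, severity) for every finding that becomes a PR in step 04
    return [(f.name, score(f)) for f in findings if is_actionable(f)]

# constructed sample findings; the CVE ids are placeholders, not real identifiers
SAMPLE = [
    Finding("pkg-a", "1.4.2", "1.4.9", cves=[{"id": "CVE-YYYY-0001", "exploitable": "yes"}]),
    Finding("pkg-b", "2.1.0", "v3.0.0"),
    Finding("pkg-c", "1.2.0", "1.3.0"),
    Finding("pkg-d", "1.2.0", "1.3.0", breaking_changes=True),
    Finding("pkg-e", "1.2.3", "1.2.4"),
    Finding("pkg-f", "0.9.0", "0.9.0", cves=[{"id": "CVE-YYYY-0002", "exploitable": "unclear"}]),
]
```

Running `triage(SAMPLE)` yields pkg-a (Critical), pkg-b (High), pkg-c (Medium) and pkg-f (High); pkg-d is dropped because its minor bump carries breaking changes, and pkg-e is Low.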