Engineering

Every vulnerable or stale dependency surfaces as a documented, merge-ready PR within a week

A weekly security hygiene pipeline that scans your repository's dependencies for known vulnerabilities, deprecated packages, and stale versions. An agent cross-references your package manifests against public vulnerability databases and changelogs. For each finding, it assesses exploitability in your specific usage context and assigns a severity level. Actionable findings automatically become pull requests with upgrade instructions and changelog links, so your team can review and merge on their own schedule.

How it works

Trigger: Runs every Monday at 6:00 AM
  1. Job: Pull dependency manifests from all repos

    Clone each tracked repository and extract dependency manifests: package.json, requirements.txt, go.mod, Cargo.toml, Gemfile, etc. Build a unified list of every direct dependency with its current version.
  2. Agent: Research vulnerabilities and updates for each dependency

    For each dependency, search vulnerability databases and changelogs for:
    - Known CVEs affecting the current version
    - New major/minor/patch releases since the current version
    - Deprecation or end-of-life announcements

    For each finding, assess whether the vulnerability is exploitable given how the dependency is used in the codebase.

    Spawns Research workers (×4)

  3. Agent: Score findings and decide which to patch

    Rank every finding by severity:
    - **Critical**: exploitable CVE, patch immediately
    - **High**: CVE with unclear exploitability, or a major version behind
    - **Medium**: minor version behind with bug fixes
    - **Low**: patch version behind, no security impact

    Filter to findings worth acting on (Critical and High always; Medium if the upgrade is trivial).
  4. Tool: Create pull requests for actionable findings

    For each actionable finding, create a branch with the version bump, run the test suite, and open a PR with: the CVE or changelog link, the severity assessment, upgrade instructions, and a note on any breaking changes.
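The manifest extraction, advisory cross-reference and severity rubric from steps 1 to 3, as an added Python example that is not part of this product's pipeline: it reads a constructed requirements.txt, joins it against a made-up advisory table (placeholder CVE ids), applies the Critical/High/Medium/Low rubric and filters down to the actionable set that step 4 would turn into PRs. Assumed: plain MAJOR.MINOR.PATCH pins, and that a CVE judged unreachable in the codebase falls through to version-distance ranking.

```python
import re
# Constructed sample manifest (requirements.txt style, pinned versions only).
REQUIREMENTS = """\
requests==2.19.0
urllib3==1.26.0
click==8.0.0
"""
# Constructed advisory data: package -> (latest release, CVE placeholder or None); made-up values.
ADVISORIES = {
    "requests": ("2.31.0", "CVE-XXXX-00001"),
    "urllib3": ("1.26.18", "CVE-XXXX-00002"),
    "click": ("8.1.7", None),
}
# Exploitability verdicts from the usage-context review: True, False, or None (unclear).
VERDICTS = {"requests": True, "urllib3": None}

def parse_requirements(text):
    """Return {package: version} for pinned 'name==x.y.z' lines; other lines are skipped."""
    pins = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def vparts(v):
    parts = [int(p) for p in v.split(".")[:3]]  # MAJOR.MINOR.PATCH as ints
    return tuple(parts + [0] * (3 - len(parts)))  # pad missing components with 0
def severity(current, latest, cve, exploitable):
    """Rubric from the page: Critical > High > Medium > Low."""
    cur, new = vparts(current), vparts(latest)
    if cve and exploitable is True:
        return "Critical"  # exploitable CVE: patch immediately
    if (cve and exploitable is None) or new[0] > cur[0]:
        return "High"      # CVE of unclear exploitability, or a major version behind
    # Assumption: a CVE judged unreachable in this codebase falls through to version distance.
    if new[1] > cur[1]:
        return "Medium"    # minor version behind
    return "Low"           # at most a patch version behind, no security impact
def triage(manifest, advisories, verdicts):
    """Score every pinned dependency: [(name, severity, current, latest, cve)]."""
    rows = []
    for name, current in parse_requirements(manifest).items():
        latest, cve = advisories.get(name, (current, None))
        rows.append((name, severity(current, latest, cve, verdicts.get(name)), current, latest, cve))
    return rows
def actionable(rows, trivial=frozenset()):
    """Critical and High always; Medium only when the upgrade is known to be trivial."""
    return [r for r in rows if r[1] in ("Critical", "High") or (r[1] == "Medium" and r[0] in trivial)]
```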
Result: Critical and high-severity dependency findings become documented PRs every Monday