Every project I’ve worked on has the same setup: osv-scanner or Dependabot wired into CI, which fails the build if a known CVE is found. It feels complete. It isn't.
Here’s the gap: CI runs at push time. CVEs are published continuously.
If a vulnerability is disclosed in express, serde, or requests the day after your last commit, your CI pipeline won't catch it until your next push. For a team that deploys once a week, that's up to seven days of running known-vulnerable software in production with no alert, no PR, no indication that anything is wrong.
Why Dependabot doesn’t fully solve this
Dependabot is genuinely useful, and I’m not dismissing it. But it has real constraints:
It only works on GitHub-hosted repositories
It supports around 10 ecosystems
It watches only the default branch (main/master)
It opens PRs, which is great for planned maintenance, but not for “you’re vulnerable right now, act fast.”
If you’re on GitLab, self-hosted Gitea, or running a polyglot monorepo with a mix of Rust, Python, and Go, you’re largely on your own.
The AI coding tools problem makes this worse
AI coding assistants such as Claude, Copilot and Cursor introduce dependencies faster than most developers can review them. That’s not a criticism; it’s just the nature of the tooling. But these assistants have a training cutoff. They are unaware of CVEs published after that date.
Concretely, an AI agent suggests somepackage@2.1.0. At the time it was suggested, no known vulnerabilities existed. Three weeks later, a CRITICAL CVE is published. Your CI pipeline has no reason to re-run. Nobody gets a notification. You find out when a user files a report.
The problem isn’t that the AI made a bad suggestion. The problem is that there’s no continuous monitoring layer watching for changes after the fact.
The right mental model isn’t “scan at push time.” It’s “watch continuously and alert when the threat landscape changes.”
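As an added example of that model (written for this post, not Oppsy's code): a scheduled job that re-scans a pinned lock file against the OSV query API and reports only advisories that were absent from the previous run, so a CVE published after your last push still produces an alert. The `name==version` lock format, the state handling, and the package names and advisory ids in the sample are assumptions; only the OSV endpoint is real.

```python
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"  # real OSV endpoint

def parse_requirements(text):
    """Parse pinned 'name==version' lines (assumed lock-file format)."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, version = line.split("==", 1)
            pins.append((name.strip().lower(), version.strip()))
    return pins

def query_osv(name, version, ecosystem="PyPI"):
    """Ask OSV for advisories affecting one pinned package version."""
    body = json.dumps({"package": {"name": name, "ecosystem": ecosystem},
                       "version": version}).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("vulns", [])

def scan(pins, query=query_osv):
    """Map 'name==version' -> set of advisory ids; 'query' is injectable."""
    return {f"{n}=={v}": {vuln["id"] for vuln in query(n, v)} for n, v in pins}

def new_findings(previous, current):
    """Advisories present in this scan but absent from the stored previous one."""
    delta = {pkg: ids - previous.get(pkg, set()) for pkg, ids in current.items()}
    return {pkg: ids for pkg, ids in delta.items() if ids}

# Constructed sample: the same lock file scanned a day apart.  The second OSV
# answer carries an advisory published after the last push; ids are placeholders.
LOCK = "somepackage==2.1.0\notherpackage==1.4.2  # pinned by the agent\n"
DAY1 = {"somepackage": [{"id": "EXAMPLE-0001"}], "otherpackage": []}
DAY2 = {"somepackage": [{"id": "EXAMPLE-0001"}, {"id": "EXAMPLE-0002"}],
        "otherpackage": []}

def demo():
    """Diff two scheduled scans; only the newly published advisory is reported."""
    pins = parse_requirements(LOCK)
    before = scan(pins, lambda n, v: DAY1[n])  # persisted from the previous run
    after = scan(pins, lambda n, v: DAY2[n])   # today's run (use query_osv live)
    return new_findings(before, after)         # {'somepackage==2.1.0': {'EXAMPLE-0002'}}
```

In a real cron or scheduled CI job, call `scan(pins)` with the live `query_osv`, persist the result to disk, and diff it against the previous file on the next run; the diff is what goes to the notification channel.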
The gap, summarised
What we built
We built Oppsy specifically to fill this gap. You upload a lock file, configure a notification channel, and we recheck your dependencies whenever the OSV database is updated. New CVE at 3 am? You’ll know by morning.
It’s launching in summer 2026. The waitlist is open now — it’s free to join.
If this resonates, I’d be curious whether the notification channel matters to you. Is Slack the obvious choice, or does your team live somewhere else?