DEV Community

sean mears
sean mears

Posted on

VigilOps Launch Article

Stop drowning in CVE noise — meet VigilOps

Your package.json has 347 transitive dependencies. Dependabot just filed 40 security alerts. You have no idea which ones actually matter.

VigilOps is a free Node.js CLI that solves this: it scans your dependencies for CVEs via OSV.dev, filters out the noise using static reachability analysis, and auto-opens GitHub PRs with the actual fix.


The problem isn't vulnerabilities — it's triage

Dependency scanners flag everything in your tree. The CVE is real. The package version is correct. But does your code actually call the affected function?

Endor Labs' 2024 Dependency Management Report found that fewer than 9.5% of dependency vulnerabilities are reachable in a typical codebase. That's over 90% noise.

Filippo Valsorda — former Google Go Security Team lead — put it bluntly when Dependabot opened thousands of PRs against repos that didn't even import the affected package:

"Dependabot is a noise machine. It makes you feel like you're doing work, but you're actually discouraging more useful work."

The security industry has a word for this: alert fatigue. When every alert looks critical, none of them are.


What reachability filtering actually means

VigilOps builds a static call graph of your application. When it finds a CVE, it asks: "Is there a code path from this file to the vulnerable function?"

If the answer is no, VigilOps marks it as suppressed — not because the CVE doesn't exist, but because your code can't trigger it.

The tradeoff: scanners that assume static call graphs can miss dynamic require(name) patterns where packages are loaded at runtime. That's real. For most codebases, the signal-to-noise improvement is worth it.


Try it right now

Demo 1: Scan with reachability filtering (default)

\////////////////////
npx vigilops scan examples/vigilops-demo-lodash
////////////////////

This scans a demo project containing lodash with a known CVE. VigilOps analyzes the call graph and flags only the reachable vulnerability. Everything else is suppressed.

Demo 2: See everything — including suppressed CVEs

\////////////////////
npx vigilops scan examples/vigilops-demo-express --all
////////////////////

The --all flag shows the full picture: all CVEs including suppressed ones. This is useful when you need to audit your full dependency tree or when a compliance requirement asks for a complete vulnerability inventory.


How the auto-fix PR works

When VigilOps finds a reachable CVE with a patched version available, it can open a GitHub PR directly from the CLI:

\////////////////////
npx vigilops scan . --fix
////////////////////

It determines:

  • The exact upgrade path (accounting for transitive dependencies)
  • Whether the upgrade breaks your lockfile
  • The correct npm install / pnpm update command

The PR lands in your repo with context: which CVE, which function, and what was changed. You review it, you merge it. No guessing.


How VigilOps compares to what you're using now

Dependabot Snyk VigilOps
Cost Free Paid tier Free, open source
CVE database GitHub DB Proprietary + NVD OSV.dev
Reachability analysis None Partial (JS/Java) Full static call graph
Filters unreachable CVEs No Yes (paid tier) Yes
Auto-fix PRs Version bump only Version bump Context-aware fix
Works offline No Partial Yes
GitHub-only Yes No No

Dependabot flags a CVE because the package exists. VigilOps flags a CVE because your code can reach it.


Get started

\////////////////////
npm install -g vigilops
////////////////////

Or run it directly:

\////////////////////
npx vigilops scan .
////////////////////

For the auto-fix workflow, you'll need a GitHub token set as VIGILOPS_GITHUB_TOKEN in your environment.


Call to action: we need your feedback

This is an early-stage open-source tool. If you've been burned by Dependabot noise, or if you've tried tools like Snyk and found them too expensive for what you got — we want to hear from you.

Specifically:

  • What's your current triage workflow for dependency CVEs?
  • What would it take for you to trust a reachability filter over a raw CVE alert?
  • What friction points have you hit with existing tools?

Open an issue at https://github.com/Vigilops/vigilops or drop a commenthttps://github.com/Vigilops/vigilops below.

The goal is simple: only alert you when your code can actually be exploited. Everything else is noise, and noise has a cost.


VigilOps is free and open source. It queries OSV.dev, which aggregates advisories from multiple sources — no single advisory database is perfect, and neither is any scanner. Use VigilOps as part of your triage workflow, not as a replacement for security judgment.

Top comments (0)