# CVE Vulnerability Scanner

Scan project dependencies for known CVEs.

## Discovery

First, find all dependency manifests (skipping anything under `node_modules`):

```bash
find . \( -name "package.json" -o -name "pyproject.toml" -o -name "Cargo.toml" -o -name "go.mod" \) | grep -v node_modules
```
## Scanning

### Node.js (package.json)

Ensure `npm` is available (install via pixi in `/tmp` if needed). Then, for each directory containing a `package.json`:

```bash
npm audit --prefix <dir>
```

### Python (pyproject.toml with pixi)

```bash
cd <dir> && pixi run pip install pip-audit -q && pixi run pip-audit
```

### Python (requirements.txt, or pyproject.toml without pixi)

```bash
pip-audit -r requirements.txt   # or just `pip-audit` for a pyproject.toml project
```
## Output

Report findings as a table:

| Package | Severity | Advisory | Fix |
|---|---|---|---|

If `security/cve-scan.md` exists, append the results under a timestamped heading.
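The runbook does not say how the scanner output becomes that table. The following is an added example (not part of the original runbook) that converts `npm audit --json` and `pip-audit --format json` output into the four-column table and appends it under a timestamped heading, but only when the report file already exists. The JSON field layout used here is the one I understand those two tools to emit (`vulnerabilities` keyed by package with `severity`, `via` and `fixAvailable` for npm; `dependencies` with per-package `vulns` carrying `id`, `aliases` and `fix_versions` for pip-audit); the sample documents are constructed, and the advisory identifiers and URL in them are placeholders. Note that pip-audit reports no severity, so that column reads `n/a` for Python findings.

```python
"""Render npm audit / pip-audit JSON into the CVE report table.

Added example, not the runbook's own tooling. The sample JSON below is
constructed (placeholder advisory ids and URL), not real scan output.
"""
import json
import os
from datetime import datetime, timezone

# Constructed sample of `npm audit --json` (auditReportVersion 2) output.
NPM_AUDIT_SAMPLE = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-pkg": {
            "name": "example-pkg",
            "severity": "high",
            "via": [{"source": 0, "name": "example-pkg",
                     "title": "Placeholder advisory",
                     "url": "https://github.com/advisories/GHSA-xxxx-xxxx-xxxx",
                     "severity": "high", "range": "<1.2.3"}],
            "range": "<1.2.3",
            "fixAvailable": {"name": "example-pkg", "version": "1.2.3",
                             "isSemVerMajor": False},
        },
        "other-pkg": {
            "name": "other-pkg",
            "severity": "moderate",
            "via": ["example-pkg"],   # transitive: finding inherited from example-pkg
            "range": "*",
            "fixAvailable": False,
        },
    },
})

# Constructed sample of `pip-audit --format json` output (placeholder ids).
PIP_AUDIT_SAMPLE = json.dumps({
    "dependencies": [
        {"name": "examplelib", "version": "0.9.0",
         "vulns": [{"id": "PYSEC-0000-00000", "fix_versions": ["1.0.1"],
                    "aliases": ["CVE-0000-00000"], "description": "Placeholder"}]},
        {"name": "cleanlib", "version": "2.0.0", "vulns": []},
    ],
    "fixes": [],
})


def npm_rows(report_json):
    """(package, severity, advisory, fix) rows from npm audit JSON."""
    rows = []
    for name, vuln in json.loads(report_json).get("vulnerabilities", {}).items():
        # `via` mixes advisory objects (direct findings) with plain strings
        # naming the dependency the problem is inherited from.
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        if advisories:
            advisory = "; ".join(v.get("url") or v.get("title", "?") for v in advisories)
        else:
            advisory = "via " + ", ".join(v for v in vuln.get("via", []) if isinstance(v, str))
        fix = vuln.get("fixAvailable")
        if isinstance(fix, dict):   # a specific version, possibly a semver-major bump
            fix_text = f"{fix['name']}@{fix['version']}" + (" (major)" if fix.get("isSemVerMajor") else "")
        else:
            fix_text = "npm audit fix" if fix else "none"
        rows.append((name, vuln.get("severity", "unknown"), advisory, fix_text))
    return rows


def pip_audit_rows(report_json):
    """Rows from pip-audit JSON; pip-audit carries no severity, hence 'n/a'."""
    rows = []
    for dep in json.loads(report_json).get("dependencies", []):
        for v in dep.get("vulns", []):
            ids = [v["id"], *v.get("aliases", [])]
            fix = ", ".join(v.get("fix_versions") or []) or "none"
            rows.append((f"{dep['name']} {dep['version']}", "n/a", " / ".join(ids), fix))
    return rows


def render_table(rows):
    """Markdown table in the runbook's column order."""
    lines = ["| Package | Severity | Advisory | Fix |", "|---|---|---|---|"]
    if not rows:
        lines.append("| (none) | - | - | - |")
    lines += [f"| {p} | {s} | {a} | {f} |" for p, s, a, f in rows]
    return "\n".join(lines)


def append_report(path, rows, when=None):
    """Build a timestamped section; append it only if the report file exists."""
    when = when or datetime.now(timezone.utc)
    section = f"\n## Scan {when.strftime('%Y-%m-%d %H:%M UTC')}\n\n{render_table(rows)}\n"
    if os.path.exists(path):
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(section)
    return section


if __name__ == "__main__":
    findings = npm_rows(NPM_AUDIT_SAMPLE) + pip_audit_rows(PIP_AUDIT_SAMPLE)
    print(render_table(findings))
    append_report("security/cve-scan.md", findings)
```

In practice you would feed the functions the captured stdout of `npm audit --json --prefix <dir>` and `pip-audit --format json` rather than the embedded samples; the transitive-only case (`via` holding just package names, no fix available) is the one worth watching, since `npm audit fix` cannot resolve it without bumping the parent.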
## Fixing

- Node.js: `npm audit fix` (use `--force` only if the user approves)
- Python/pixi: `pixi update`, or add a version constraint to `pyproject.toml`
## Verification

After applying fixes, verify the app still works:

- Start the app: `docker compose up -d`
- Wait for healthy status: `docker compose ps`
- Test the frontend: `curl -s http://localhost:5173/ | head -5`
- Test the API: `curl -s "http://localhost:5173/api/connectivity?depth=05m&time_range=00d-07d&start_id=100" | head -c 200`

Only commit fixes after verification passes. Update `security/cve-scan.md` with the verification status.