Use Case
Dependency Audit
Continuously monitor NVD and npm advisories, match CVEs to your actual lock files, and auto-create upgrade tickets before vulnerabilities become incidents.
The Problem
Your security team flags a CVE during quarterly audit. They need to know: are we affected? Which repos? What is the blast radius? You start pinging team leads. One checks npm audit. Another checks GitHub advisories. Three days later, you still do not have a definitive answer.
Running npm audit manually is a start, but it only catches what you remember to check. NVD advisories, GitHub Security Advisories, and npm all publish separately. No one is watching all of them, all the time.
The Solution
SignalManager watches NVD, npm advisories, and GitHub Security Advisories around the clock. When a new CVE drops, it checks your actual package-lock.json and yarn.lock files to determine if you are affected.
- Real-time monitoring -- NVD, npm, and GitHub advisories checked continuously
- Automatic matching -- CVEs matched against your actual lock files, not hypothetical dependencies
- Upgrade tickets -- issues created with the vulnerable version, safe version, and upgrade path
How It Works
Connect Your Repo
SignalManager reads your lock files from GitHub to build a live dependency graph.
Continuous Monitoring
New CVEs from NVD and npm are checked against your graph every hour. No cron jobs required.
Ticket Created
When a match is found, a ticket is created with CVE details, CVSS score, affected packages, and the recommended upgrade path.
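The three steps above (read the lock file, match an advisory's affected range against the installed versions, draft an upgrade ticket) can be shown end to end in a small script. This is an added example written for this page, not SignalManager's code: the package-lock.json content, the advisory record, the CVE identifier (a placeholder), and the normalized semver range syntax (`>=`, `<`, `||`) are all constructed for illustration. It walks the `packages` map of an npm lockfileVersion 2/3 file, so nested paths under `node_modules/` expose transitive dependencies and the parent that pulled them in.

```python
"""
Match an advisory's vulnerable version range against a package-lock.json.
Added example, not SignalManager's implementation. The lock file, advisory
record and CVE id below are constructed placeholders.
"""
import json
import re
from typing import List, Tuple

# Constructed lock file in npm lockfileVersion 3 layout. Keys of "packages"
# are paths under node_modules, so a nested key is a transitive dependency.
SAMPLE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "1.0.0",
             "dependencies": {"web-framework": "^4.0.0"}},
        "node_modules/web-framework": {"version": "4.2.0",
             "dependencies": {"query-parser": "^6.4.0"}},
        "node_modules/web-framework/node_modules/query-parser": {"version": "6.4.1"},
        "node_modules/query-parser": {"version": "6.6.0"},
        "node_modules/dev-tool": {"version": "2.0.0", "dev": True},
    },
})

# Constructed advisory in a normalized shape. Real feeds (NVD CPE ranges,
# GitHub/npm semver ranges) differ; a collector would map them to this form.
SAMPLE_ADVISORY = {
    "id": "CVE-XXXX-XXXXX",          # placeholder identifier
    "package": "query-parser",
    "vulnerable_range": ">=6.0.0 <6.5.3",
    "fixed_version": "6.5.3",
    "cvss": 7.5,
}

_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}
_COMP = re.compile(r"^(>=|<=|>|<|=)?(v?\d+\.\d+\.\d+)$")


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse major.minor.patch; prerelease/build tags are ignored here."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version: {v}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def in_range(version: str, range_expr: str) -> bool:
    """True if version satisfies any '||'-separated clause of AND-ed comparators."""
    ver = parse_version(version)
    for clause in range_expr.split("||"):
        comparators = clause.split()
        if not comparators:
            continue
        satisfied = True
        for comp in comparators:
            m = _COMP.match(comp)
            if not m:
                raise ValueError(f"unsupported comparator: {comp}")
            op = m.group(1) or "="
            if not _OPS[op](ver, parse_version(m.group(2))):
                satisfied = False
                break
        if satisfied:
            return True
    return False


def find_affected(lock_text: str, advisory: dict, include_dev: bool = False) -> List[dict]:
    """Return every installed copy of the advisory's package that falls in range."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2 or "packages" not in lock:
        raise ValueError("expected lockfileVersion 2 or 3 with a 'packages' map")
    findings = []
    for path, meta in lock["packages"].items():
        if path == "" or (meta.get("dev") and not include_dev):
            continue
        # Name is everything after the last "node_modules/" (keeps @scope/name).
        name = path.split("node_modules/")[-1]
        if name != advisory["package"]:
            continue
        version = meta.get("version", "")
        if in_range(version, advisory["vulnerable_range"]):
            transitive = "/node_modules/" in path
            parent = (path.rsplit("/node_modules/", 1)[0].split("node_modules/")[-1]
                      if transitive else None)
            findings.append({"advisory": advisory["id"], "path": path,
                             "installed": version, "fixed": advisory["fixed_version"],
                             "transitive": transitive, "parent": parent})
    return findings


def ticket_body(finding: dict, advisory: dict) -> str:
    """Draft the ticket text: CVE, score, affected package, and upgrade path."""
    lines = [f"{finding['advisory']} (CVSS {advisory['cvss']}) in {advisory['package']}",
             f"Installed: {finding['installed']} at {finding['path']}",
             f"Fixed in: {finding['fixed']}"]
    if finding["transitive"]:
        lines.append(f"Transitive via {finding['parent']}: check whether a newer "
                     f"{finding['parent']} release requires {finding['fixed']} or later, "
                     "otherwise pin it with an npm 'overrides' entry.")
    else:
        lines.append(f"Direct dependency: bump to {finding['fixed']} and regenerate the lock file.")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in find_affected(SAMPLE_LOCK, SAMPLE_ADVISORY):
        print(ticket_body(f, SAMPLE_ADVISORY), end="\n\n")
```

On the constructed input only the nested copy of `query-parser` (6.4.1, pulled in by `web-framework`) is flagged; the top-level 6.6.0 copy is already past the fix. That distinction is the point of matching against the lock file rather than the manifest: the hoisted version can look safe while a deduplicated transitive copy is not.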
Results
- From CVE published to ticket created
- Coverage of transitive dependencies
- Manual audit runs needed
- Compliance reports generated on demand
Know about CVEs before they bite
Connect your repo and let SignalManager watch the advisory feeds so you do not have to.