Stop Triaging. Start Fixing. Introducing VigilOps
You've seen the alert. You've opened the PR. You've read the changelog. Then you realize: your code doesn't even call the vulnerable function.
Every week. Hundreds of teams drowning in CVE notifications for packages sitting dormant in their node_modules - dependencies they pulled in years ago, bundled by a transitive library, and never actually executed. Meanwhile, the real vulnerabilities get buried.
VigilOps is a free Node.js CLI that fixes this.
How VigilOps Works
VigilOps does three things:
- Scans dependencies against OSV.dev - the open vulnerability database used by GitHub, PyPI, and npm
- Runs static reachability analysis to filter out unreachable vulnerabilities (packages in your tree but never called by your code)
- Auto-opens a GitHub PR with the fix
The result: you get one PR with one real vulnerability. Not a spreadsheet. Not a wall of Slack messages. A fix.
Demo
Here's a quick scan:
npx vigilops scan examples/vigilops-demo-lodash
And to see everything including suppressed (unreachable) deps:
npx vigilops scan examples/vigilops-demo-express --all
The --all flag shows what's in your dependency tree but not actually reachable from your code. That's what the noise looks like - and that's what VigilOps filters out.
Why This Is Different
Dependabot and Snyk scan your entire lockfile. They report every CVE in every package, regardless of whether your code ever touches the vulnerable surface. This creates alert fatigue that causes teams to eventually... stop reading.
VigilOps inverts the model: only surface vulnerabilities in code you actually call.
- Dependabot: "Your project has 47 vulnerabilities" (but 40 are unreachable noise)
- VigilOps: "Your project has 1 reachable vulnerability. PR is ready."
Quick Start
npm install -g vigilops
npx vigilops scan .
Authenticate with GitHub:
https://github.com/Vigilops/vigilops
npx vigilops auth
That's it. The first run will scan, analyze, and open a PR if there's a fixable reachable vulnerability.
What's Included
- OSV.dev integration - covers npm, PyPI, Go, Rust, Ruby, and more
- Static analysis - identifies which packages are actually reachable from your entry points
- GitHub PR automation - opens a PR with a pinned safe version and a summary of what changed
- Suppress filters - if you want to see the full tree, use
--all
GitHub
Questions, issues, contributions: https://github.com/Vigilops/vigilops
Try It
npx vigilops scan examples/vigilops-demo-lodash
Start with a demo repo or point it at any Node.js project. If it finds nothing, you now have confidence in your dependency tree. If it finds something - you have a PR waiting.
VigilOps is free and open source. Built for maintainers and small dev teams who've had enough of the noise.
Comments
No comments yet. Start the discussion.