I’ve been using a few basic tools to notify me of vulnerabilities in repositories, for example GitHub’s automatic scanning of Node.js projects (https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/), but at a recent security audit I realised that, aside from this, I didn’t have a process for being automatically alerted about other vulnerabilities.
So, I hacked something together over a weekend that periodically scans the US National Vulnerability Database (NVD, https://nvd.nist.gov/) and notifies a Slack channel of vulnerabilities in Go and Node.js themselves. (I’ll accept a pull request to make that configurable.)
I’ve been working on some other security-related tools (they take a back seat to project work). The other main one sends to an SNS topic instead of a Slack channel, which is actually more useful, so I might update the NVD notifier to do the same at some point.
It’s written in Go and uses the Serverless Framework to deploy into your own AWS account. It uses DynamoDB to store state (which CVEs have already been reported), which will cost a few dollars per month to run.
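To make the scan-filter-notify loop concrete, here is an added example in Go. It is not the nvdnotifier project’s own code: it assumes the shape of the legacy NVD JSON 1.1 feed (`CVE_Items`, `cpe_match`, `baseMetricV3`), assumes the CPE vendor:product names `golang:go` and `nodejs:node.js` for the two runtimes, uses an in-memory map where the real tool uses DynamoDB, and runs over a constructed feed fragment with placeholder CVE IDs rather than fetching from nvd.nist.gov.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Only the fields of the NVD JSON 1.1 feed that the filter reads (assumed shape).
type feed struct {
	Items []item `json:"CVE_Items"`
}

type item struct {
	CVE struct {
		Meta        struct{ ID string `json:"ID"` } `json:"CVE_data_meta"`
		Description struct {
			Data []struct{ Value string `json:"value"` } `json:"description_data"`
		} `json:"description"`
	} `json:"cve"`
	Configurations struct {
		Nodes []struct {
			CPEMatch []struct {
				Vulnerable bool   `json:"vulnerable"`
				CPE23URI   string `json:"cpe23Uri"`
			} `json:"cpe_match"`
		} `json:"nodes"`
	} `json:"configurations"`
	Impact struct {
		V3 struct {
			CVSS struct{ BaseScore float64 `json:"baseScore"` } `json:"cvssV3"`
		} `json:"baseMetricV3"`
	} `json:"impact"`
}

// Alert is one notification the scheduled run would post to Slack.
type Alert struct {
	ID, Product, Summary string
	Score                float64
}

// productOf extracts "vendor:product" from a CPE 2.3 URI
// (cpe:2.3:part:vendor:product:version:...), or "" if it is malformed.
func productOf(cpe string) string {
	p := strings.Split(cpe, ":")
	if len(p) < 5 || p[0] != "cpe" || p[1] != "2.3" {
		return ""
	}
	return p[3] + ":" + p[4]
}

// affectedProduct returns the first watched product this CVE marks as vulnerable, or "".
func affectedProduct(it item, watch map[string]bool) string {
	for _, n := range it.Configurations.Nodes {
		for _, m := range n.CPEMatch {
			if p := productOf(m.CPE23URI); m.Vulnerable && watch[p] {
				return p
			}
		}
	}
	return ""
}

// NewAlerts parses a feed and returns alerts for watched products not reported before.
// seen stands in for the DynamoDB table: it makes a repeated scheduled run idempotent
// and is updated in place as alerts are emitted.
func NewAlerts(raw []byte, watch, seen map[string]bool) ([]Alert, error) {
	var f feed
	if err := json.Unmarshal(raw, &f); err != nil {
		return nil, err
	}
	var out []Alert
	for _, it := range f.Items {
		id, p := it.CVE.Meta.ID, affectedProduct(it, watch)
		if p == "" || seen[id] {
			continue // not on the watch list, or already notified on an earlier run
		}
		seen[id] = true
		a := Alert{ID: id, Product: p, Score: it.Impact.V3.CVSS.BaseScore}
		if d := it.CVE.Description.Data; len(d) > 0 {
			a.Summary = d[0].Value
		}
		out = append(out, a)
	}
	return out, nil
}

// SlackPayload builds the JSON body for a Slack incoming webhook ({"text": ...}).
func SlackPayload(a Alert) string {
	text := fmt.Sprintf("*%s* (CVSS %.1f) affects %s: %s", a.ID, a.Score, a.Product, a.Summary)
	b, _ := json.Marshal(map[string]string{"text": text})
	return string(b)
}

// DefaultWatch lists CPE vendor:product pairs for the two runtimes (assumed CPE names).
var DefaultWatch = map[string]bool{"golang:go": true, "nodejs:node.js": true}

// sampleFeed is a constructed fragment in the NVD 1.1 shape; the CVE IDs are placeholders.
const sampleFeed = `{"CVE_Items":[
{"cve":{"CVE_data_meta":{"ID":"CVE-0000-0001"},"description":{"description_data":[{"lang":"en","value":"Constructed: Go net/http issue."}]}},
 "configurations":{"nodes":[{"operator":"OR","cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:1.11.0:*:*:*:*:*:*:*"}]}]},
 "impact":{"baseMetricV3":{"cvssV3":{"baseScore":7.5}}}},
{"cve":{"CVE_data_meta":{"ID":"CVE-0000-0002"},"description":{"description_data":[{"lang":"en","value":"Constructed: unrelated product."}]}},
 "configurations":{"nodes":[{"operator":"OR","cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:example:widget:2.0:*:*:*:*:*:*:*"}]}]},
 "impact":{"baseMetricV3":{"cvssV3":{"baseScore":5.0}}}},
{"cve":{"CVE_data_meta":{"ID":"CVE-0000-0003"},"description":{"description_data":[{"lang":"en","value":"Constructed: Node.js HTTP parser issue."}]}},
 "configurations":{"nodes":[{"operator":"OR","cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:10.0.0:*:*:*:*:*:*:*"},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:8.0.0:*:*:*:*:*:*:*"}]}]},
 "impact":{"baseMetricV3":{"cvssV3":{"baseScore":9.8}}}}
]}`

func main() {
	seen := map[string]bool{}
	for run := 1; run <= 2; run++ { // second run shows the state store suppressing repeats
		alerts, err := NewAlerts([]byte(sampleFeed), DefaultWatch, seen)
		if err != nil {
			panic(err)
		}
		fmt.Printf("run %d: %d new alert(s)\n", run, len(alerts))
		for _, a := range alerts {
			fmt.Println(SlackPayload(a))
		}
	}
}
```

The two things worth copying from this are the `Vulnerable` check (a CPE match entry can name a fixed version, so matching on product alone over-alerts) and the `seen` set, which is why the real tool needs DynamoDB: a scheduled Lambda has no memory between runs, and without persisted state every run would re-post the whole feed.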
The code is over at https://github.com/a-h/nvdnotifier