Add releaserun dependency vulnerability scanner#1758
Open
Matheus-RR wants to merge 2 commits intoanalysis-tools-dev:masterfrom
Open
Add releaserun dependency vulnerability scanner#1758Matheus-RR wants to merge 2 commits intoanalysis-tools-dev:masterfrom
Matheus-RR wants to merge 2 commits intoanalysis-tools-dev:masterfrom
Conversation
Author
|
Hi! Just following up on this PR. In case it helps with review: ReleaseRun v1.4.0 is stable on npm (weekly downloads growing), has a GitHub Action for CI integration, and the CLI scans package.json, requirements.txt, go.mod, and Cargo.toml for CVEs via OSV.dev + EOL status. Happy to make any adjustments to the PR if the format or section placement needs tweaking. Thanks for maintaining this list — it's a really useful resource. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds releaserun to the Security/SAST section.
What it does: CLI tool that scans project dependencies for known CVEs, end-of-life status, and deprecated packages. Covers Node.js, Python, Go, Rust, and Dockerfiles.
Why it fits: Similar to Grype and lockfile-lint already on the list, but focused on dependency lifecycle (EOL detection, upgrade paths) alongside vulnerability scanning. Multi-ecosystem support from a single tool.