Open Source Vulnerability Monitor avatar

Open Source Vulnerability Monitor

Pricing

Pay per usage

Go to Apify Store
Open Source Vulnerability Monitor

Open Source Vulnerability Monitor

OSV vulnerability monitor for public open-source package advisory changes, severity filters, and fix-aware alerts.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

X L

X L

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

2 days ago

Last modified

Share

Monitor public OSV vulnerability advisories for open-source packages and emit only meaningful new or modified advisory alerts.

What it does

  • Checks package names across ecosystems such as npm, PyPI, Maven, Go, crates.io, NuGet, Packagist, RubyGems, and Debian.
  • Uses the public OSV API; no GitHub token or vendor account is required for the core workflow.
  • Provides public OSV package advisory monitoring only, using public OSV advisory data; it does not scan private repositories or read private dependency manifests.
  • Hydrates advisory details, severity, aliases, references, affected ranges, affected versions, fixed versions, published time, and modified time.
  • Carries the watched package version when provided, so alerts can show whether a specific deployed version is being checked.
  • Compares against prior snapshots to separate new, modified, and unchanged advisories.
  • Writes dataset rows plus SUMMARY, ALERTS, SNAPSHOTS, and a Markdown REPORT.
  • Adds commercial review fields such as monetizationFit, paidEventCandidate, supportRisk, and suggestedPricingModel for later PPE review.

Good use cases

  • Security teams tracking vulnerable open-source dependencies.
  • Developer-platform teams watching critical packages in templates and SDKs.
  • Agencies monitoring dependency risk for multiple clients.
  • Compliance teams needing repeatable public-source advisory evidence.

Monetization boundary

First release should be free or usage-cost-only. Future PPE should charge only for completed matched-vulnerability-advisory events where an advisory is new or modified and meets the configured severity threshold. Rows include fixAvailable and fixedVersions, which makes the alert more actionable without claiming to replace a full SCA or remediation workflow.

Do not charge for baseline unchanged rows, packages with no matching advisories, invalid inputs, API errors, or snapshot-only persistence.

The commercial fields are advisory only. They do not enable PPE, billing, payout, rental pricing, or paid events.

Example input

{
"packages": [
{ "ecosystem": "npm", "name": "lodash", "version": "4.17.20", "label": "lodash" },
{ "ecosystem": "PyPI", "name": "django", "version": "3.2.0", "label": "Django" }
],
"minimumSeverity": "MEDIUM",
"snapshotKey": "OPEN_SOURCE_VULN_SNAPSHOT",
"saveSnapshot": true
}

Quick-Start Presets

Copy one of these low-cost JSON inputs into the Apify input editor and replace the package list with the dependencies you actually ship:

  • examples/presets/npm-production-risk-watch.json: three common npm production dependencies, HIGH threshold, saved snapshots, and a small advisory cap.
  • examples/presets/python-web-stack-watch.json: three Python web-stack dependencies, HIGH threshold, saved snapshots, and a small advisory cap.
  • examples/presets/cross-ecosystem-sbom-sample.json: a compact npm/PyPI/Maven sample for teams that want to test cross-ecosystem SBOM-style monitoring before expanding the list.

Each preset keeps the first run to 3 packages or fewer and enables saveSnapshot so scheduled runs can separate new or modified advisories from baseline rows.

Local validation

npm install
npm test
npm run sample
npx apify-cli validate-schema .actor/input_schema.json
npm pack --dry-run --json