Open Source Vulnerability Monitor
Pricing
Pay per usage
Open Source Vulnerability Monitor
OSV vulnerability monitor for public open-source package advisory changes, severity filters, and fix-aware alerts.
Pricing
Pay per usage
Rating
0.0
(0)
Developer
X L
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
2 days ago
Last modified
Categories
Share
Monitor public OSV vulnerability advisories for open-source packages and emit only meaningful new or modified advisory alerts.
What it does
- Checks package names across ecosystems such as npm, PyPI, Maven, Go, crates.io, NuGet, Packagist, RubyGems, and Debian.
- Uses the public OSV API; no GitHub token or vendor account is required for the core workflow.
- Provides public OSV package advisory monitoring only, using public OSV advisory data; it does not scan private repositories or read private dependency manifests.
- Hydrates advisory details, severity, aliases, references, affected ranges, affected versions, fixed versions, published time, and modified time.
- Carries the watched package version when provided, so alerts can show whether a specific deployed version is being checked.
- Compares against prior snapshots to separate
new,modified, andunchangedadvisories. - Writes dataset rows plus
SUMMARY,ALERTS,SNAPSHOTS, and a MarkdownREPORT. - Adds commercial review fields such as
monetizationFit,paidEventCandidate,supportRisk, andsuggestedPricingModelfor later PPE review.
Good use cases
- Security teams tracking vulnerable open-source dependencies.
- Developer-platform teams watching critical packages in templates and SDKs.
- Agencies monitoring dependency risk for multiple clients.
- Compliance teams needing repeatable public-source advisory evidence.
Monetization boundary
First release should be free or usage-cost-only. Future PPE should charge only for completed matched-vulnerability-advisory events where an advisory is new or modified and meets the configured severity threshold. Rows include fixAvailable and fixedVersions, which makes the alert more actionable without claiming to replace a full SCA or remediation workflow.
Do not charge for baseline unchanged rows, packages with no matching advisories, invalid inputs, API errors, or snapshot-only persistence.
The commercial fields are advisory only. They do not enable PPE, billing, payout, rental pricing, or paid events.
Example input
{"packages": [{ "ecosystem": "npm", "name": "lodash", "version": "4.17.20", "label": "lodash" },{ "ecosystem": "PyPI", "name": "django", "version": "3.2.0", "label": "Django" }],"minimumSeverity": "MEDIUM","snapshotKey": "OPEN_SOURCE_VULN_SNAPSHOT","saveSnapshot": true}
Quick-Start Presets
Copy one of these low-cost JSON inputs into the Apify input editor and replace the package list with the dependencies you actually ship:
examples/presets/npm-production-risk-watch.json: three common npm production dependencies,HIGHthreshold, saved snapshots, and a small advisory cap.examples/presets/python-web-stack-watch.json: three Python web-stack dependencies,HIGHthreshold, saved snapshots, and a small advisory cap.examples/presets/cross-ecosystem-sbom-sample.json: a compact npm/PyPI/Maven sample for teams that want to test cross-ecosystem SBOM-style monitoring before expanding the list.
Each preset keeps the first run to 3 packages or fewer and enables saveSnapshot so scheduled runs can separate new or modified advisories from baseline rows.
Local validation
npm installnpm testnpm run samplenpx apify-cli validate-schema .actor/input_schema.jsonnpm pack --dry-run --json