Scan a lockfile for known vulnerabilities.

Reads a package lockfile (package-lock.json, requirements.txt, go.sum), queries NVD + GitHub Advisories, enriches with EPSS exploit probability, and returns a prioritized vulnerability report with fix recommendations.

By default, suppresses low-priority CVEs (EPSS < 10% and CVSS < 9). Set show_all=True to see every vulnerability.

Args: lockfile_path: Absolute path to the lockfile to scan. show_all: Show all vulnerabilities including low-priority ones.

Check a single package for known vulnerabilities.

Args: name: Package name (e.g. "express", "django", "golang.org/x/net"). version: Package version (e.g. "4.18.2", "3.2.0"). ecosystem: Package ecosystem — "npm", "PyPI", or "Go". Defaults to "npm". show_all: Show all vulnerabilities including low-priority ones.

Look up detailed information about a specific vulnerability.

Returns full details including severity, EPSS exploit probability, affected packages, fix versions, and references.

Args: cve_id: Vulnerability ID (e.g. "CVE-2024-29041", "GHSA-rv95-896h-c2vc").

Auto-detect and scan all lockfiles in a project directory.

Walks the project directory looking for lockfiles (package-lock.json, requirements.txt, go.sum, etc.) and scans each one. Skips node_modules, .git, and vendor directories.

By default, suppresses low-priority CVEs (EPSS < 10% and CVSS < 9).

Args: project_path: Path to the project root. Defaults to current directory. show_all: Show all vulnerabilities including low-priority ones.

Register a project for continuous vulnerability monitoring.

Scans the project's lockfiles, records the current vulnerability baseline, and stores a snapshot. Use check_alerts later to see new vulnerabilities that appeared since registration.

Args: project_path: Path to the project root. Defaults to current directory. project_name: Human-readable name for the project. Defaults to directory name.

Check for new vulnerabilities since the last scan of a monitored project.

Compares current vulnerability data against the stored baseline. Returns new vulnerabilities (not seen before) and resolved ones (previously known, no longer present).

Args: project_id: The project ID returned by monitor_project.

List all projects registered for vulnerability monitoring.

Shows project names, IDs, package counts, and registration dates.

Update a monitored project's dependency snapshot after upgrading packages.

Re-reads lockfiles from the project directory and updates the stored dependency list. Preserves vulnerability history: existing known vulns that still apply are kept; new vulns from upgraded deps are flagged; vulns from removed deps are marked resolved.

Args: project_id: The project ID to update. project_path: Path to the project root. Defaults to current directory.

Remove a project from vulnerability monitoring.

Deletes the stored dependency snapshot and vulnerability baseline.

Args: project_id: The project ID to remove.