Overview
This section documents what AlertaVuln actually watches on your behalf. Everything in the matrix below is live today.

The web app ships full light and dark mode support across every page. Demo data.

The Enterprise Risk Matrix plots your open vulnerabilities by business impact against exploit likelihood, using CISA KEV and EPSS to rank the likelihood axis. Demo data.
Coverage matrix

| Area | What it finds | How | Details |
|---|---|---|---|
| Dependencies (SCA) | Known CVEs affecting the packages you actually depend on, matched the moment they are announced | Tech stack derived from the manifests in your connected GitHub / Azure DevOps repos, enriched from NVD, GitHub Advisory, OSV and CISA KEV | Dependencies |
| Static code analysis (SAST) | Insecure code patterns in your source | Specialised code scanners, run locally by the CLI | av sast scan |
| Secrets | Committed credentials, tokens and keys | The scan series’ secret scanners, run locally | av sast scan |
| IaC misconfiguration | Misconfigured Terraform, Dockerfiles, Kubernetes manifests, Helm charts and similar | The infrastructure misconfiguration scanner | av sast scan |
| Licenses | Licence terms in the scanned tree, and each package’s registry licence metadata | A licence scanner over the tree (its own License finding category), plus registry metadata captured per package | av sast scan, Package health |
| Package health | Deprecated, unmaintained and stale packages, and newer versions available upstream | Public registry data across all eight supported ecosystems | Package health |

One verdict system

Dependency alerts and code-scan findings share the same three-tier triage: every finding is RED, YELLOW or GREEN, with the reasoning attached. See the introduction for how the tiers work.

In this section

- Dependencies (SCA): Eight ecosystems, event-driven CVE matching, best-source enrichment.
- Package health: Deprecations, staleness, licences and updates available - straight from the registries.