Introduction
AlertaVuln watches the vulnerability feeds and scans the code you actually run - then tells you, in plain RED / YELLOW / GREEN, whether you’re exposed.

The vulnerabilities dashboard, shown here with demo data for a fictional organisation.
Event-driven, not scheduled
Most tooling checks your dependencies when you run a pipeline. AlertaVuln inverts that: CVE announcements trigger scans of your connected repositories the moment they are published. When a new CVE lands that matches something in your stack, you get an alert - you don’t wait for the next nightly CI run to discover you’ve been exposed for hours.
Connected repositories are also rescanned automatically on a cadence (from every 24 hours on Free down to hourly on Enterprise), and you can trigger manual rescans at any time.
Three tiers, with reasoning
Every finding is triaged into one of three tiers - and each verdict comes with the reasoning behind it, not just a severity number:
- RED - you are exposed and should act.
- YELLOW - potentially affected; read the reasoning and decide.
- GREEN - a CVE matched something in your stack, but you are not affected - and you can see why.
The point is signal, not noise: a GREEN alert tells you a bullet was dodged (and why), instead of paging you for something that never applied.
Organisations and projects
Your work lives in an organisation, which contains projects. A project connects to one or more git repositories - GitHub and Azure DevOps are supported - and AlertaVuln derives your tech stack from the dependency manifests it finds there. You can also curate the stack by hand.
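To make the event-driven triage and the three tiers concrete, here is an added illustration in Python. It is not AlertaVuln's code (the product's matching runs server-side and its logic is not described on this page); it only shows the shape of the idea: derive a stack from a pinned dependency manifest, then, when an advisory is published, emit RED, YELLOW or GREEN together with the reasoning. The package names, advisory IDs, version ranges and the manifest are constructed placeholders, not real projects or CVEs.

```python
# Added illustrative example, not AlertaVuln's own code: match a published
# advisory against a tech stack derived from a dependency manifest and emit
# a tiered verdict with its reasoning. All names and IDs are placeholders.
from dataclasses import dataclass
from typing import Optional

Version = tuple  # (major, minor, patch)


@dataclass
class Advisory:
    cve_id: str                      # placeholder ID, not a real CVE
    package: str
    introduced: Version              # first vulnerable version (inclusive)
    fixed: Version                   # first fixed version (exclusive)
    condition: Optional[str] = None  # extra precondition the advisory states, if any


def parse_version(text: str) -> Version:
    """'5.3' -> (5, 3, 0): pad to three components so tuples compare cleanly."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def parse_requirements(text: str) -> dict:
    """Derive {normalised_name: version} from a requirements.txt-style manifest.

    Only exact pins (name==x.y.z) are accepted: an unpinned requirement gives no
    single version to compare against an advisory, so it is rejected loudly.
    """
    stack = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned requirement, cannot triage: {line!r}")
        name, version = line.split("==", 1)
        stack[name.strip().lower().replace("_", "-")] = parse_version(version)
    return stack


def _fmt(v: Version) -> str:
    return ".".join(map(str, v))


def triage(adv: Advisory, stack: dict):
    """Return (cve_id, tier, reasoning), or None when nothing in the stack matches."""
    name = adv.package.lower().replace("_", "-")
    version = stack.get(name)
    if version is None:
        return None  # no match at all: nothing to tell the user
    pinned = f"{name}=={_fmt(version)}"
    if not (adv.introduced <= version < adv.fixed):
        return (adv.cve_id, "GREEN",
                f"{pinned} is outside the vulnerable range "
                f"[{_fmt(adv.introduced)}, {_fmt(adv.fixed)}); no action needed")
    if adv.condition:
        return (adv.cve_id, "YELLOW",
                f"{pinned} is in the vulnerable range, but the advisory applies only "
                f"{adv.condition}; confirm whether that holds before acting")
    return (adv.cve_id, "RED",
            f"{pinned} is in the vulnerable range; upgrade to >={_fmt(adv.fixed)}")


def on_advisory_published(advisories, manifest_text: str):
    """The event-driven hook: when advisories land, re-derive the stack from the
    manifest and triage each advisory against it, keeping only real matches."""
    stack = parse_requirements(manifest_text)
    return [v for v in (triage(a, stack) for a in advisories) if v is not None]


# Constructed sample manifest and advisories, for demonstration only.
MANIFEST = """\
# constructed manifest, not a real project
demo-yaml==5.3.1
demo-http==2.31.0
Demo_Crypto==41.0.7
"""

ADVISORIES = [
    Advisory("CVE-0000-0001", "demo-yaml", (0, 0, 0), (5, 4, 0)),    # 5.3.1 in range -> RED
    Advisory("CVE-0000-0002", "demo-http", (2, 0, 0), (2, 31, 0)),   # 2.31.0 is the fix -> GREEN
    Advisory("CVE-0000-0003", "demo-crypto", (41, 0, 0), (42, 0, 0),
             condition="when the optional template renderer is enabled"),  # conditional -> YELLOW
    Advisory("CVE-0000-0004", "demo-orm", (1, 0, 0), (1, 2, 0)),     # not in the stack -> no alert
]

if __name__ == "__main__":
    for cve_id, tier, why in on_advisory_published(ADVISORIES, MANIFEST):
        print(f"{tier:6} {cve_id}: {why}")
```

The GREEN branch is the point of the "signal, not noise" claim: the advisory did match a package in the stack, so a naive matcher would page you, but the pinned version is already on the fixed side of the range and the reasoning says so. The YELLOW branch is where an automated matcher honestly cannot decide and hands the reasoning to a human.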
Plans scale from one project on Free up to unlimited projects, seats and child organisations on Enterprise. Team members sign in with Google or Microsoft single sign-on.
When an alert fires, it can reach you on all five notification channels: Slack, Microsoft Teams, Discord, Google Chat, and a generic webhook.
One intelligence, three surfaces
- Web app - dashboards, alert triage, tech stack, webhooks, package health.
- CLI (alertavuln, commonly aliased to av) - script project setup, vet packages before adopting them, run local code scans, and gate CI.
- MCP server - expose AlertaVuln’s tools to your editor and agents.
All three read the same server-side intelligence, so the verdict is identical wherever you check.
Beyond CVE alerts
- Local code scanning (SAST) - run a series of specialised scans over a local path with the CLI, covering insecure code patterns, hard-coded secrets and infrastructure-as-code misconfigurations. Unlimited and free on every plan; your source never leaves the machine. Enterprise adds server-side “scan it for me” runs on connected repos.
- Package-health monitoring - deprecations and newer available versions for the packages you depend on.
- SBOM export and the Risk Matrix executive view on the higher tiers.
Next steps
- Install the CLI and run your first scan.
- Browse the CLI reference for every command and flag.