Automated monitor for silent security patches — detects vulnerability fixes in major open-source projects before a CVE is publicly assigned, and checks whether those fixes are actually exploitable.
There's a dangerous window between when a security patch lands in source code and when it gets a CVE number. During this "negative-day" period, the vulnerability is effectively public (anyone can read the diff) but most defenders haven't acted yet. videt closes that gap by alerting you the moment a suspicious commit is detected — and telling you whether the fix is complete or still bypassable.
- A GitHub Action runs every hour
vulnerability-spoiler-alert-actionfetches recent commits from each monitored repo- Claude AI triages commits for security relevance, then a judge model verifies findings
- For confirmed findings,
scripts/bypass_analyzer.pyfetches the commit diff from GitHub and calls Claude Haiku to detect implementation flaws in the fix - Confirmed findings create a labeled GitHub Issue in this repo
- A Discord embed is sent with severity, type, commit link, issue link, and a Fix Quality field indicating whether the patch is complete or bypassable
Each Discord alert includes a Fix Quality assessment:
| Icon | Meaning |
|---|---|
| ✅ | Fix looks complete |
| Low bypass risk | |
| 🟡 | Possible bypass (with example) |
| 🔴 | Bypass likely (with example) |
| ❓ | Analysis unavailable |
See vulnerability-monitor.yml.
Fork this repo, then add two repository secrets under Settings → Secrets and variables → Actions:
| Secret | Value |
|---|---|
ANTHROPIC_API_KEY |
Your Anthropic API key from console.anthropic.com |
DISCORD_WEBHOOK_URL |
Webhook URL from your Discord server (see below) |
GITHUB_TOKEN is injected automatically by GitHub Actions — no configuration needed.
The workflow runs automatically on the next hour tick. You can also trigger it manually from the Actions tab.
- Open your Discord server → Server Settings → Integrations → Webhooks
- Click New Webhook, choose a channel, copy the URL
- Add it as the
DISCORD_WEBHOOK_URLsecret above
- GitHub Issues — one per confirmed finding, labelled
vulnerabilityandseverity:critical/high/medium/low - Discord embeds — colour-coded by severity (red → critical, orange → high, yellow → medium, green → low), linking to the issue and commit, with Fix Quality bypass analysis
All findings are AI-generated and advisory only. Verify independently before taking action. Expect false positives.