
New CVE in dependencies

AI projects typically pull in a huge pip dependency graph (langchain, openai, torch, transformers, sentencepiece). CVEs appear in those packages regularly, but Dependabot's e-mails get lost in the inbox.

The simplest way is to forward Dependabot alerts through a GitHub webhook → Notifly webhook:

Terminal window
# GitHub repo → Settings → Webhooks
# URL: https://your-notifly/webhook/W<token>?severity=critical,high
# Events: Dependabot alerts

Or run pip-audit once a day in a scheduled workflow:

.github/workflows/cve-watch.yml
on:
  schedule: [{cron: '0 6 * * *'}]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # pip-audit exits non-zero when it finds anything, so keep the step green and decide below
      - run: pip install pip-audit && pip-audit -r requirements.txt -f json > out.json || true
      - run: |
          # pip-audit's JSON report is {"dependencies": [{"name", "version", "vulns": [{"id", "fix_versions", ...}]}], "fixes": [...]};
          # skipped dependencies carry "skip_reason" instead of "vulns", hence the "?" on .vulns[]
          n=$(jq '[.dependencies[].vulns[]?] | length' out.json)
          if [[ $n -gt 0 ]]; then
            # build the body with jq so newlines and quotes in the finding list are escaped as valid JSON
            body=$(jq -n --arg n "$n" \
              --arg msg "$(jq -r '.dependencies[] | .name as $p | .vulns[]? | "\(.id) (\($p)) — \(.fix_versions)"' out.json | head -10)" \
              '{title: ("🛡️ pip-audit: " + $n + " CVE"), message: $msg, priority: 8}')
            curl -fsS "$NOTIFLY_URL/message?token=$NOTIFLY_TOKEN" \
              -H "Content-Type: application/json" \
              -d "$body"
          fi
        env:
          NOTIFLY_URL: ${{ secrets.NOTIFLY_URL }}
          NOTIFLY_TOKEN: ${{ secrets.NOTIFLY_TOKEN }}
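The jq-in-shell step above gets fragile once you want more than a raw list: preferring the CVE alias over the PYSEC/GHSA id, flagging findings that have no fixed version yet, and truncating cleanly. The script below is an added example (not Notifly's or pip-audit's own code) that does that work in Python and emits the same `title` / `message` / `priority` body the workflow posts. It assumes the pip-audit JSON report layout (`dependencies[].vulns[]` with `id`, `fix_versions`, `aliases`; skipped packages carry `skip_reason` instead of `vulns`); the embedded report and its vulnerability ids are constructed placeholders, not real advisories.

```python
"""Turn a pip-audit JSON report into a Notifly message body (added example)."""
import json
import sys
from typing import Optional

# Constructed sample in the shape pip-audit writes with `-f json`; the ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "torch", "version": "2.0.0", "vulns": [
            {"id": "PYSEC-0000-EXAMPLE1", "fix_versions": ["2.2.0"],
             "aliases": ["CVE-0000-00001"], "description": "constructed example"}]},
        {"name": "langchain", "version": "0.0.1", "vulns": [
            {"id": "GHSA-xxxx-xxxx-xxx1", "fix_versions": [],
             "aliases": ["CVE-0000-00002"], "description": "constructed example"},
            {"id": "GHSA-xxxx-xxxx-xxx2", "fix_versions": ["0.0.2", "0.1.0"],
             "aliases": [], "description": "constructed example"}]},
        {"name": "openai", "version": "1.0.0", "vulns": []},
        # a package pip-audit could not look up has no "vulns" key at all
        {"name": "local-pkg", "version": "0.1", "skip_reason": "not on PyPI"},
    ],
    "fixes": [],
})

MAX_LINES = 10  # same cap as the workflow's `head -10`


def display_id(vuln: dict) -> str:
    """Prefer a CVE alias over the PYSEC/GHSA id so the line matches the Dependabot mail."""
    cves = [a for a in vuln.get("aliases", []) if a.startswith("CVE-")]
    return cves[0] if cves else vuln["id"]


def findings(report: dict) -> list:
    """One line per vulnerability: id, package==version and the fix (or 'no fix yet')."""
    lines = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):  # skipped deps have no "vulns" key
            fix = ", ".join(vuln.get("fix_versions") or []) or "no fix yet"
            lines.append(f"{display_id(vuln)} {dep['name']}=={dep['version']} -> {fix}")
    return lines


def build_payload(report_json: str, priority: int = 8) -> Optional[dict]:
    """Return the Notifly body, or None when nothing is vulnerable (so nothing is sent)."""
    lines = findings(json.loads(report_json))
    if not lines:
        return None
    shown = lines[:MAX_LINES]
    if len(lines) > MAX_LINES:
        shown.append(f"... and {len(lines) - MAX_LINES} more")
    return {
        "title": f"🛡️ pip-audit: {len(lines)} finding(s)",
        "message": "\n".join(shown),
        "priority": priority,
    }


if __name__ == "__main__":
    # usage: pip-audit -r requirements.txt -f json > out.json || true
    #        python notify_pip_audit.py out.json | curl -fsS "$NOTIFLY_URL/message?token=$NOTIFLY_TOKEN" \
    #            -H "Content-Type: application/json" -d @-
    # with no argument the constructed sample report is used
    raw = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    payload = build_payload(raw)
    if payload is None:
        sys.exit(0)  # clean report: print nothing, curl never runs
    print(json.dumps(payload, ensure_ascii=False))
```

Because the script exits without output on a clean report, the `curl -d @-` pipeline only fires when there is something to say, and `json.dumps` handles the quoting that the hand-built `-d "{...}"` string in the workflow gets wrong as soon as a finding contains a newline or a quote.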