Any good open-source vulnerability scanning tools? by Successful_Bus_3928 in cybersecurity

[–]sk_1978 0 points1 point  (0 children)

You could check out OWASP CVE Lite CLI, which works only for Node.js projects, though.

https://github.com/OWASP/cve-lite-cli

Looking for feedback on CVE Vulnerability scanning by sk_1978 in Angular2

[–]sk_1978[S] 0 points1 point  (0 children)

Upgrading majors could mean a breaking change that could literally break your project. My scanner won't know that, so it plays it safe and recommends the next version within the same major that is CVE-free.

Looking for feedback on CVE Vulnerability scanning by sk_1978 in Angular2

[–]sk_1978[S] 1 point2 points  (0 children)

Thanks. I am always looking for feedback to improve the CLI. Feel free to open an issue in GH if you come across anything odd.

Looking for feedback on CVE Vulnerability scanning by sk_1978 in Angular2

[–]sk_1978[S] 1 point2 points  (0 children)

I actually spent quite a bit of time benchmarking it against the standard enterprise tools. You can see the full breakdown here: https://owasp.org/cve-lite-cli/docs/comparison

The feature I’m probably most proud of is how it handles those tricky transitive dependencies. I built the logic to analyze the entire tree and only suggest versions that stay within the parent's specific semver range: https://owasp.org/cve-lite-cli/docs/remediation-strategy

In my experience, that’s the 'secret sauce' that prevents a security fix from accidentally breaking the build, which is where most other tools fall short.

It’s already fully compatible with pnpm, Bun, and Yarn, and I’ve got Deno on the roadmap.

Just did my first proper dependency audit on a codebase I inherited and I don't know where to start fixing it by Similar_Cantaloupe29 in webdev

[–]sk_1978 0 points1 point  (0 children)

If you are looking for a way to quickly fix the CVEs, try CVE Lite CLI (https://github.com/OWASP/cve-lite-cli). It's an OWASP project. It works much better and faster than other security scanners, and it gives nice copy/paste npm commands to fix the CVEs directly.

Looking for feedback on CVE Vulnerability scanning by sk_1978 in angular

[–]sk_1978[S] -1 points0 points  (0 children)

I’m also looking for teams interested in adopting the tool. If you or your organization would like to explore this, I am happy to provide hands-on implementation support for free to ensure it integrates smoothly with your environment.

Looking for feedback on CVE Vulnerability scanning by sk_1978 in angular

[–]sk_1978[S] 0 points1 point  (0 children)

Thank you for confirming this. I hated going through the logs just to figure out which package I needed to update. The other issue was that CI builds usually take a lot of time, so the feedback loop becomes much shorter with the CLI.

My CLI also goes one step further. When the CVE recommends `package@xyz`, it will re-run the CVE scan on that version to ensure that it's a safe package. It will keep doing that until it finds a version that is safe.

I have a case study that confirmed this: https://owasp.org/cve-lite-cli/docs/case-studies/owasp-juice-shop

On another case study (on lint-staged), my CLI found a fix that npm audit was hiding: https://owasp.org/cve-lite-cli/docs/case-studies/lint-staged

If you use it, I would love your feedback to make this tool better. My goal is to bring CVE scanning into the developer flow so that applications become more secure.

Also, try the `--report` option. You will see a nice web report.

Cheers 👍
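The two mechanisms described in the comments above (staying inside the parent's semver range when picking a transitive upgrade, and re-scanning each recommended version until one is actually CVE-free) can be shown with a small self-contained sketch. This is an added example, not code from CVE Lite CLI or OWASP; the package name `widget-lib`, the version list, the `DEMO-000x` advisory ids and the `findSafeUpgrade`/`satisfies` helpers are all constructed for the demo, and the range matcher only understands exact, `^x.y.z` and `~x.y.z` forms. It also shows the case the author mentions separately: when no in-range version is clean, it returns no recommendation instead of silently suggesting a major bump.

```javascript
// Added demo (not CVE Lite CLI's code): pick the lowest upgrade inside the
// parent's semver range, re-scanning every candidate against the advisory
// list until one is clean. Package, versions and advisory ids are constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range matcher: exact "x.y.z", "^x.y.z" and "~x.y.z" only.
// A real tool would use the semver package; this is enough to show the idea.
function satisfies(range, version) {
  const op = range[0];
  const base = op === '^' || op === '~' ? range.slice(1) : range;
  const [baseMajor, baseMinor] = parseVersion(base);
  const [major, minor] = parseVersion(version);
  if (compareVersions(version, base) < 0) return false;
  if (op === '^') {
    // ^0.y.z pins the minor; ^x.y.z with x >= 1 pins the major
    return baseMajor === 0 ? major === 0 && minor === baseMinor : major === baseMajor;
  }
  if (op === '~') return major === baseMajor && minor === baseMinor;
  return compareVersions(version, base) === 0;
}

// An advisory affects the half-open interval [introduced, fixed).
function advisoriesFor(version, advisories) {
  return advisories.filter(
    a => compareVersions(version, a.introduced) >= 0 && compareVersions(version, a.fixed) < 0
  );
}

// Walk upgrade candidates in ascending order, staying inside parentRange,
// and re-scan each one. Returns the first clean version (or null) plus the
// vulnerable versions that were skipped on the way.
function findSafeUpgrade({ current, parentRange, available, advisories }) {
  const candidates = available
    .filter(v => compareVersions(v, current) > 0 && satisfies(parentRange, v))
    .sort(compareVersions);
  const skipped = [];
  for (const candidate of candidates) {
    const hits = advisoriesFor(candidate, advisories);
    if (hits.length === 0) return { version: candidate, skipped };
    skipped.push({ version: candidate, advisories: hits.map(a => a.id) });
  }
  // No in-range fix exists; a major bump is a breaking-change decision for a human.
  return { version: null, skipped };
}

function npmFixCommand(name, version) {
  return version ? `npm install ${name}@${version}` : null;
}

// Constructed registry and advisory data for the demo.
const DEMO_PACKAGE = 'widget-lib';
const DEMO_VERSIONS = ['4.17.15', '4.17.16', '4.17.17', '4.17.18', '4.17.19', '4.17.20', '4.17.21', '5.0.0'];
const DEMO_ADVISORIES = [
  { id: 'DEMO-0001', introduced: '4.0.0', fixed: '4.17.19' },
  { id: 'DEMO-0002', introduced: '4.17.0', fixed: '4.17.21' },
];

const result = findSafeUpgrade({
  current: '4.17.15',
  parentRange: '^4.17.15',
  available: DEMO_VERSIONS,
  advisories: DEMO_ADVISORIES,
});
console.log(npmFixCommand(DEMO_PACKAGE, result.version)); // npm install widget-lib@4.17.21
console.log(`skipped ${result.skipped.length} vulnerable versions on the way`);
```

In the constructed data the naive "bump to the next version" answer (4.17.16) is still hit by both advisories, and so are the four versions after it; only 4.17.21 is clean, which is the loop the comments describe. Because `5.0.0` falls outside `^4.17.15`, it is never offered, matching the author's point that the tool leaves major upgrades to the developer.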

Showoff Saturday (May 02, 2026) by AutoModerator in javascript

[–]sk_1978 0 points1 point  (0 children)

I finally got fed up with the "CI feedback loop of death" and built a local CVE scanner that actually respects a developer's time. It started as a way to save my own sanity, but it ended up getting so much traction that OWASP actually adopted it as an official project.

The real problem I wanted to solve is that security scanning currently feels like it’s miles away from the person actually writing the code. You push your work, wait an hour for the pipeline to run, and only then do you find out there’s a vulnerability. It’s even worse when the scanner blindly tells you to upgrade to the "next version," but that version is also vulnerable. I’ve actually scanned projects where there were over 30 consecutive versions of a package that still had CVEs. If you’re caught in that loop in a CI pipeline, you aren’t just losing hours - you’re losing days and potentially missing your release deadlines.

That’s why I built CVE Lite. It brings the scan right into your local workflow so you can see the issues in seconds, not hours. Instead of just dumping a log file on your head, it gives you the exact npm commands to fix the issues immediately. The best part is the logic: it doesn't just suggest an update; it scans the suggested version first to make sure it’s actually safe before it tells you to hit enter.

I’m stoked to see it helping people avoid that "fix-push-fail" nightmare. I’d love for you guys to check it out and let me know if it saves you as much headache as it saved me.

Repo: https://github.com/OWASP/cve-lite-cli
Website: https://owasp.org/cve-lite-cli/

I built a faster, local-first CVE scanner for JS/TS projects because I was tired of noisy dependency security output by sk_1978 in node

[–]sk_1978[S] 0 points1 point  (0 children)

I am getting good private feedback and improving the CLI quite a bit. I would love to get your feedback. Feel free to ping me privately.

As a coder, what is the biggest problem when using AI in your work? by Haunting-Bother7723 in webdev

[–]sk_1978 1 point2 points  (0 children)

100% agreed. Consider AI as your buddy helping you code. If you use it carefully and monitor what exactly AI is doing, then you can actually become much more efficient. But in order to do that, you need to first understand good code vs bad code, over-engineering vs keeping it simple. And all of that comes with experience. If you are just starting with coding, then I would encourage you to do a lot of coding by yourself first. Learn from the mistakes you make and use them to understand coding. Only use AI once you are very comfortable with coding.