Know about security patches before the CVE drops.
View Live Site | Subscribe via RSS
A monitoring hub that watches popular open-source repositories and uses an LLM (Claude or OpenAI) to flag commits that look like security patches - often before a CVE has even been assigned. Findings are published as GitHub Issues and to a retro-themed website with an RSS feed.
This project is an example usage of spaceraccoon/vulnerability-spoiler-alert-action by Eugene Lim (@spaceraccoon).
The original concept and research is documented in the blog post Discovering Negative Days: LLM Workflows for Vulnerability Research, which explores using LLMs to identify security patches before CVEs are assigned - turning the typical "zero-day" into a "negative-day" by catching vulnerabilities in the window between the fix landing and public disclosure.
```
Every 6 hours
                     |
                     v
+-------------------------------------------+
|            GitHub Actions Cron            |
+-------------------------------------------+
                     |
                     v
+-------------------------------------------+
|    vulnerability-spoiler-alert-action     |
|    scans repos listed in the workflow     |
+-------------------------------------------+
                     |
                     v
+-------------------------------------------+
|   Claude AI / OpenAI analyzes each diff   |
|   - Is this a security patch?             |
|   - What vulnerability does it fix?       |
|   - Can we write a PoC exploit?           |
+-------------------------------------------+
                     |
                     v
+-------------------------------------------+
|  Create GitHub Issue with full analysis   |
+-------------------------------------------+
                     |
                     v
+-------------------------------------------+
|   Rebuild website + RSS                   |
|   Deploy to GitHub Pages                  |
+-------------------------------------------+
```
The workflow monitors these repositories by default (the list is the repositories array in .github/workflows/monitor.yml):

| Project | Repository |
|---|---|
| Express | expressjs/express |
| Node.js | nodejs/node |
| Django | django/django |
| Flask | pallets/flask |
| Rails | rails/rails |
| Apache HTTPD | apache/httpd |
| nginx | nginx/nginx |
| Grafana | grafana/grafana |
Add labels to issues to classify findings:

| Label | Meaning |
|---|---|
| true-positive | Confirmed vulnerability - shown with a green "CONFIRMED" badge on the site |
| false-positive | Not a real vulnerability - dimmed and moved to a collapsible section |
The site automatically rebuilds when labels are added or removed.
To run your own instance:

1. Click the Fork button at the top right.
2. Go to Settings > Secrets and variables > Actions and add the key for the AI provider you intend to use (only one is needed):

   | Secret | Description |
   |---|---|
   | ANTHROPIC_API_KEY | Your Claude API key from console.anthropic.com |
   | OPENAI_API_KEY | Your OpenAI API key from platform.openai.com |

   The GITHUB_TOKEN is provided automatically by GitHub Actions. Keep the provider key in a repository secret rather than in the workflow file, since anything in monitor.yml is committed to the repository.
3. Update monitor.yml to specify your preferred provider and model.
4. Go to Settings > Pages and set the source to GitHub Actions.
5. Go to the Actions tab and enable workflows (scheduled workflows stay disabled on a fork until you do). The monitor then runs every 6 hours automatically; you can also trigger it manually via Actions > Monitor Vulnerabilities > Run workflow.
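The setup steps above, as one complete workflow. This is an added example written for this README, not the project's own monitor.yml: the action's input names (github-token, provider, model, anthropic-api-key, repositories), its version tag, the build script path and the output directory are assumptions, so check the action's own README for the real ones. It wires the cron schedule, the manual trigger, the label-change rebuild, a least-privilege permissions block, and the provider key from a secret. Note that every monitored diff is sent to the chosen LLM provider, which is fine for the public repositories listed here.

```yaml
# Added example monitor.yml (not the project's file). Input names, the action
# tag, scripts/build-site.js and the dist/ directory are assumptions.
name: Monitor Vulnerabilities

on:
  schedule:
    - cron: '0 */6 * * *'          # every 6 hours
  workflow_dispatch:               # Actions > Monitor Vulnerabilities > Run workflow
  issues:
    types: [labeled, unlabeled]    # rebuild the site when triage labels change

# Least privilege: the default token only needs to open issues and publish
# Pages. The provider API key lives in a repository secret, never here.
permissions:
  contents: read
  issues: write
  pages: write
  id-token: write                  # required by actions/deploy-pages

jobs:
  monitor:
    if: github.event_name != 'issues'   # label changes only rebuild the site
    runs-on: ubuntu-latest
    steps:
      - uses: spaceraccoon/vulnerability-spoiler-alert-action@v1   # tag assumed
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          provider: anthropic                      # or: openai
          model: "<model-id>"                      # a model your provider offers
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          repositories: |
            ["expressjs/express", "nodejs/node", "django/django",
             "pallets/flask", "rails/rails", "apache/httpd",
             "nginx/nginx", "grafana/grafana"]

  build-and-deploy:
    needs: [monitor]
    if: always()                   # run after monitor, and on label events too
    runs-on: ubuntu-latest
    environment:
      name: github-pages
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: node scripts/build-site.js          # path assumed; built-ins only
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # used to read the finding issues
      - uses: actions/upload-pages-artifact@v3
        with:
          path: dist                               # output directory assumed
      - uses: actions/deploy-pages@v4
```

The `if: always()` on the deploy job is what lets a label change rebuild the site without re-running the scan: on an issues event the monitor job is skipped, and the deploy job still runs.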
Edit the repositories JSON array in .github/workflows/monitor.yml to add or remove repositories.

By default, the monitor runs every 6 hours. Edit the cron expression in .github/workflows/monitor.yml to change the schedule:

```yaml
schedule:
  - cron: '0 */6 * * *' # Every 6 hours
```

- Zero dependencies - the site build script uses only Node.js built-in APIs
- Static site - plain HTML + RSS, deployed via GitHub Pages
- GeoCities theme - because security advisories deserve the Web 1.0 treatment
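The label handling and the zero-dependency site build described above, as an added example written for this README rather than the project's own build script: it takes issues in the shape the GitHub Issues API returns, classifies them by the true-positive and false-positive labels, and emits the index page and the RSS feed with every piece of issue text escaped. The sample issues are constructed and SITE_URL is an assumption; the real script would fetch the issues with the GITHUB_TOKEN and write the two files to the Pages artifact directory with node:fs.

```javascript
// Added example of a site + RSS builder (Node.js built-ins only). Not the
// project's own script. The issues below are constructed sample data in the
// GitHub Issues API shape; SITE_URL is an assumption.
const SITE_URL = 'https://example.github.io/vulnerability-spoiler-alert';

const sampleIssues = [
  { number: 12, title: 'expressjs/express: header normalization in res.location',
    body: 'Normalizes the Location value before redirecting.',
    html_url: 'https://github.com/example/repo/issues/12',
    created_at: '2025-01-02T03:04:05Z', labels: [{ name: 'true-positive' }] },
  { number: 13, title: 'nodejs/node: test-only change touching TLS fixtures',
    body: 'Regenerates expired test certificates; no runtime code changed.',
    html_url: 'https://github.com/example/repo/issues/13',
    created_at: '2025-01-02T09:00:00Z', labels: [{ name: 'false-positive' }] },
  { number: 14, title: 'django/django: tightened header validation in HttpResponse',
    body: 'Rejects CR/LF in header values. Diff quotes: <script>alert(1)</script>',
    html_url: 'https://github.com/example/repo/issues/14',
    created_at: '2025-01-03T12:00:00Z', labels: [] },
];

// Map triage labels to a display state. Labels are applied by a human, so
// "no label yet" renders as unreviewed, never as confirmed.
function classify(issue) {
  const names = new Set(issue.labels.map((l) => l.name));
  if (names.has('true-positive')) return 'confirmed';
  if (names.has('false-positive')) return 'false-positive';
  return 'unreviewed';
}

// Issue text quotes commit messages and diffs from third-party repositories,
// so it is untrusted: escape it before it lands in HTML or XML.
function escape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

const newestFirst = (a, b) => Date.parse(b.created_at) - Date.parse(a.created_at);

// RSS 2.0 feed of every finding not dismissed as a false positive.
function buildRss(issues) {
  const items = issues
    .filter((i) => classify(i) !== 'false-positive')
    .sort(newestFirst)
    .map((i) => [
      '    <item>',
      `      <title>${escape(i.title)}</title>`,
      `      <link>${escape(i.html_url)}</link>`,
      `      <guid isPermaLink="false">issue-${i.number}</guid>`,
      `      <pubDate>${new Date(i.created_at).toUTCString()}</pubDate>`,
      `      <description>${escape(i.body)}</description>`,
      '    </item>',
    ].join('\n'))
    .join('\n');
  return [
    '<?xml version="1.0" encoding="UTF-8"?>',
    '<rss version="2.0">',
    '  <channel>',
    '    <title>Vulnerability Spoiler Alert</title>',
    `    <link>${escape(SITE_URL)}</link>`,
    '    <description>Security patches spotted before the CVE drops</description>',
    items,
    '  </channel>',
    '</rss>',
    '',
  ].join('\n');
}

// Index page: confirmed findings get a CONFIRMED badge; false positives are
// dimmed inside a collapsible <details> block.
function buildHtml(issues) {
  const row = (i) => {
    const badge = classify(i) === 'confirmed' ? ' <span class="badge">CONFIRMED</span>' : '';
    return `<li><a href="${escape(i.html_url)}">${escape(i.title)}</a>${badge}</li>`;
  };
  const active = issues.filter((i) => classify(i) !== 'false-positive').sort(newestFirst);
  const dismissed = issues.filter((i) => classify(i) === 'false-positive').sort(newestFirst);
  return [
    '<!DOCTYPE html>', '<html><body>',
    '<ul>', ...active.map(row), '</ul>',
    `<details><summary>False positives (${dismissed.length})</summary>`,
    '<ul class="dimmed">', ...dismissed.map(row), '</ul>',
    '</details>', '</body></html>', '',
  ].join('\n');
}

// The two files the Pages deployment needs, keyed by output filename.
function buildSite(issues = sampleIssues) {
  return { 'index.html': buildHtml(issues), 'feed.xml': buildRss(issues) };
}
```

The escaping is not cosmetic: a finding's title and body are built from commit messages and diffs in repositories the site owner does not control, so an unescaped title would turn the advisory page into a stored XSS sink and a stray `<` or `&` would break the feed XML for every subscriber.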
MIT License - see LICENSE for details.
This tool is for defensive security research and authorized security testing only. Always follow responsible disclosure practices.