Continuous Monitoring

SaaS scanner integrated with the repo. Every lockfile change triggers a scan; SAST findings (SQL injection, template literals, etc.) appear inline in PR review.

grype + pip-audit + cargo-audit + bun pm audit across all lockfiles. Posts a structured summary to the security audit channel.

grype --only-fixed runs against 9 lockfile targets (root + portal + marketplace + licensing dashboard + 4 Python projects + 2 Cargo projects) before any release tag is published. Documented in CLAUDE.md.

Husky pre-commit runs typecheck + lint-staged (ESLint + Prettier for TS/TSX, Ruff for Python). Catches typing errors and policy violations before they merge.

All four package managers — npm (bun.lock), pypi (uv.lock), cargo (Cargo.lock), and bun's audit endpoint. Cross-checked across grype's NVD feed and Aikido's curated database.

CycloneDX SBOM enrichment tracks license per component. Suppression-report.md documents accepted exceptions with audit trail.

Aikido SAST. Findings published per release in CHANGELOG.md under the Security heading with issue IDs.

SHA-256 checksums per platform, generated in CI, published with every release.

Open critical / high / medium / low CVE counts per product, refreshed daily and per-release.

Download the CycloneDX JSON or HTML report for any release. 2,672 components currently tracked.

CHANGELOG entries call out CVE patches, dependency upgrades, and SAST resolutions per version.