Terraform / OpenTofu / Nix / k8s manifest misconfiguration detection — open security groups, missing encryption, public S3/GCS, IAM wildcards, plaintext secrets, missing tags.
Search for exploits across all vulnerabilities with filtering by ecosystem, severity, source, and EPSS
IDS/IPS detection content for a CVE — Snort/Suricata-compatible rules, YARA signatures, ProjectDiscovery Nuclei templates, traffic-filter rules.
End-of-life detection for runtimes (Node, Python, Java, Go, .NET) and key packages — surfaces past-EOL items, items reaching EOL within 90 days, and EOL base images for…
Post-fix verification — re-scan the repo, gate on `--exploits weaponized --severity high`, recheck the specific CVE against the new installed version, write the verdict to…
Find the newest version of a package that is free of known vulnerabilities, capped by a `--max-major-bump` policy.
Typosquat and malicious-package detection across installed dependencies (or a single prospective addition) — cross-checks AI-malware family intelligence, package-name similarity…
Proactive secure-coding coach scoped to the file or topic you are working on — surfaces relevant SAST rule IDs, CWE patterns, language-specific PASS/FAIL code snippets.
Build a compliance bundle — CycloneDX SBOM, SPDX license report, SARIF findings, OpenVEX/CycloneDX VEX, optional cosign signatures, manifest.json with SHA-256 sums, Markdown…
Generate a runnable exploit-validation command (Nuclei template, Metasploit module hint, AI-assisted Python script, or curl-based PoC) against a user-specified authorised target.
Pre-add risk gate for a new dependency — composes vuln history (`vdb vulns`), AI-malware check (`vdb ai-malware`), license compatibility, EOL status, maintainer health,…
MITRE ATT&CK technique mapping for a CVE or every entry in `.vulnetix/memory.yaml`. Use when planning detection coverage gaps, mapping a CVE to defender controls, building an…
Generate CycloneDX 1.7 and/or SPDX 2.3 SBOMs for the repo, optionally cosign-signed, optionally cross-validated against syft output.
SOC daily-pull triage feed — Vulnetix''s score-driven queue cross-referenced with installed dependencies.
Generate OpenVEX / CycloneDX VEX attestations from `.vulnetix/memory.yaml` triage decisions, optionally sign with cosign, optionally upload to Vulnetix and post to a GitHub PR.
Dependency-conflict resolution when a `/vulnetix:fix` version bump fails — diagnose the peer-dep tree, find a compatible safe version set, propose package-manager overrides…
Hardcoded-secret detection — AWS keys, GitHub PATs, Slack tokens, Stripe keys, generic high-entropy strings. Pre-commit (`--staged-only`), explicit paths, or full repo.
End-to-end incident-response playbook for a CVE actively in the wild — confirms urgency via KEV/EPSS/sightings, pulls IOCs and ATT&CK chain, fetches detection rules for installed…
CISA + EU KEV (Known Exploited Vulnerabilities) catalog watch — pull recent KEV additions, intersect with installed dependencies, surface entries with imminent due dates.
Daily threat-intel digest — AI-discovered vulnerabilities, AI-in-the-wild exploitation observations, AI-authored malware families, exploit-trends rollup, vendor-trends…
IOC pivots for a CVE — top IPs, ASNs, geo distribution, ATT&CK technique chain, Shadowserver scan counts (1d/7d/30d/90d averages), CrowdSec community sightings, merged in-the-wild…
Static application security testing (SAST) for changed source files — Vulnetix''s built-in rule set plus optional Semgrep augmentation when `.semgrep` config is present.
Dockerfile / Containerfile / compose analysis plus optional Trivy / Grype / Syft composition when those binaries are present.
Detect installed security binaries (nuclei, snort, yara, semgrep, syft, grype, trivy, cosign, gh, package managers) and repo signals (manifests, Dockerfiles, IaC, CI configs);…
Analyze exploit intelligence for a vulnerability against the current repository
Look up a vulnerability by ID or list all vulnerabilities for a package
Security-focused code review for OpenSite/Toastability platform. Use when reviewing PRs for security issues, auditing new API endpoints, checking for HIPAA/SOC2 compliance…
License compliance checking and conflict detection