Security Report
Track dependency vulnerabilities and CVE findings over time with automated health reports — surfaced in the Dev Herald dashboard and delivered to Slack.
What you’ll get
When CVE scanning is enabled, each health report includes:
- Vulnerability counts by severity (critical, high, medium, low)
- Per-advisory details — advisory ID, affected package, version, and description (when
cve-detailis enabled) - Deltas against the previous report — new findings, resolved issues, and severity changes
Enable CVE scanning
Set cve-detail to "true" on the dev-herald/health action and provide your lockfile path:
- name: Upload health data
uses: dev-herald/health@v1
with:
api-key: ${{ secrets.DEV_HERALD_API_KEY }}
lockfile-path: ${{ github.workspace }}/pnpm-lock.yaml
cve-detail: "true"
workflow-run-url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}With cve-detail: "false" (the default), Dev Herald sends aggregate vulnerability counts under signals.dependencies.vulnerabilities but not the per-advisory cve signal. Set "true" when you want full advisory details in the dashboard and Slack.
CVE signal
When detail scanning is enabled, the ingest payload includes a cve signal with per-advisory findings split by production and development scope. See the API Reference for the full schema, or Signals for a conceptual overview.
PR-level CVE scanning
For per-PR dependency visibility (not just scheduled health reports), use the DEPENDENCY_DIFF or NEW_DEPENDENCY signals with enable-cve: 'true' in your PR comment workflow.
See Dependency Comments for setup.
Recommended schedule
Run security scans on a regular cadence — weekly is a good starting point:
on:
schedule:
- cron: '0 9 * * 1' # Every Monday at 9:00 UTC
workflow_dispatch:Pair with Weekly Slack Report setup to deliver findings to your team automatically.
Next steps
- Quick Start — Get health reporting running in CI
- Cleanup with Cursor — Turn CVE findings into remediation work