Who is using CVE Lite CLI? Share your use case

[sonukapoor]

If you are using CVE Lite CLI in your projects or at your company, we would love to hear about it.

Drop a comment below with:

• Where you use it — local dev, CI pipeline, pre-commit hook, security review workflow, etc.
• What lockfile / package manager — npm, pnpm, Yarn, Bun
• What problem it solved — anything from catching a specific CVE to making vulnerability scanning part of your daily workflow

No need for a long writeup — even a sentence or two helps.

This thread helps the community discover real-world adoption patterns and helps us understand where CVE Lite CLI is most useful. It also supports our goal of growing toward OWASP Lab Project status.

Thanks for being part of the project.

[ManuelRauber]

I'm using it for LehrGrapht. It runs exclusively in the CI pipeline with each run to check early if there is something wrong. For the normal pipelines that builds/deploys I'm using with fail-on: 'critical'. In another independent action that is exclusive for the CVE check, I let it fail on high.

[sonukapoor]

Thanks @ManuelRauber - Are you also using the CLI locally in your developer workflow?

[ManuelRauber]

Thanks @ManuelRauber - Are you also using the CLI locally in your developer workflow?

I only use the CLI in the CI pipeline, because it builds the final artifact that will be deployed. At that point I want to make sure it does not contain a critical CVE.

[alamb-hex]

CVE Lite is the third ScanSource in HexOps (https://github.com/Hexaxia-Labs/hexops) (our open source dev ops dashboard) alongside Grype and pnpm-audit. It runs on every project audit in local dev and CI across about 30 active projects, mostly pnpm with some npm.

Two concrete wins for us:

1. The postcss-under-Next case where npm audit fix --force wanted to downgrade Next.js but CVE Lite correctly identified the parent-pin floor as the right form of fix. That guidance held up across every subsequent re-resolution.

2. Your --offline-db fallback caught a silent-zero-findings bug in our wrapper code (live API timed out, no output file written, wrapper read empty as clean). We now run online-first with --offline-db fallback and throw on empty output. That fix surfaced a live qs CVE-2026-8723 that had been masked for weeks.

The remediation-first design and the parent-graph walking compose well with how we already think about dependency hygiene. Rooting for Lab status. It's earned.

Full writeup: https://labs.hexaxia.tech/blog/hexops-cve-lite-integration/

[luisoria]

I recently tested the CVE Lite CLI across several repositories and was thoroughly impressed by its efficiency. As a cybersecurity architect, I deal with dependency management and vulnerability analysis constantly, and what stood out to me most was how fast and precise the tool is at analyzing local lockfiles. Its ability to clearly map the dependency graph against OSV data and provide direct, actionable remediation paths for JS/TS projects is outstanding. It stays true to its 'lite' philosophy, avoiding the bloat of heavier platforms while delivering exactly what developers need in their workflow. I see this as a highly practical and valuable contribution to the OWASP ecosystem. It definitely has my full support on its path toward OWASP Lab graduation. Great work, Sonu and team!