Instant vulnerability rescans on new CVE disclosures
When new CVEs are published, affected projects are rescanned within minutes—not hours.
boring.tools now rescans your projects automatically whenever new vulnerabilities are published to the OSV database, rather than waiting for the next scheduled sweep. As soon as a sync run adds or updates a CVE, boring.tools identifies which of your projects include a package in the affected ecosystem and queues them for an immediate rescan. This typically means you’re notified about newly disclosed vulnerabilities within minutes of them being published.
To keep things efficient, only the most recent SBOM per project is targeted, and only when it actually contains a package that matches the newly affected ecosystem and package name. Every rescan triggered this way is recorded in your audit log with a triggered_by: osv_update marker, so you have a clear history of what was scanned and why.
This closes the gap between a CVE being disclosed and your team finding out whether you’re affected.