selvo scans your packages for CVEs, ranks them by blast radius and exploit maturity, and tells you what to patch first. Not just a list — a prioritized action plan.
Every package ranked by how many other packages depend on it. A CVE in openssl matters more than one in a leaf package.
Flags packages in the CISA Known Exploited Vulnerabilities catalog and tracks whether exploits are weaponized, PoC, or theoretical.
Exploit Prediction Scoring System data on every CVE — the estimated probability it gets exploited in the next 30 days.
Automatic breach/warn/ok bands based on CVE severity and days open. Know which patches are overdue before your auditor does.
Debian, Ubuntu, Fedora, Alpine, Arch, NixOS, Homebrew, Chocolatey, Winget, and more. One tool across your entire fleet.
Export results as SARIF for GitHub Code Scanning, VEX for compliance, or CycloneDX SBOM. Plug into your existing toolchain.
Scans your actual packages and sets up daily monitoring via cron.
curl -s https://selvo.dev/install.sh | SELVO_API_KEY=sk_xxx bash
Pipe your existing Grype or Trivy output into selvo for prioritized results.
- uses: sethc5/selvo-action@v1
Scan any Docker image for CVEs — no local install needed.
curl -X POST .../api/v1/scan/image -d '{"image":"nginx:latest"}'
Get notified when new CVEs hit your packages. Connects to Slack or any webhook URL.
POST /api/v1/orgs/{org}/webhooks {"url":"https://hooks.slack.com/..."}
Not just a CVE counter. A prioritized risk engine.
If Debian backported a fix into your version of zlib, we don't flag it. We cross-reference the Debian Security Tracker, Ubuntu USN, and Fedora Bodhi to remove CVEs your distro has already patched. Other scanners miss this and massively over-report.
Each package gets a composite score based on 9 weighted signals:
| Signal | Weight |
|---|---|
| Dependency blast radius | 22% |
| EPSS exploit probability | 20% |
| Chokepoint centrality | 15% |
| Version lag from upstream | 14% |
| CVSS severity | 10% |
| Exploit maturity (KEV/PoC/weaponized) | 8% |
| Ecosystem popularity | 7% |
| Download count | 2% |
| Days exposed | 2% |
Packages with no security signal are capped at 20. Runtime-loaded packages with CVEs get a 1.5x multiplier.
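As an added illustration (not selvo's own code), here is the scoring model above in Python: the nine weights from the table, the 20-point cap for packages with no security signal, and the 1.5x runtime multiplier, applied to three constructed packages. It assumes each signal has already been normalised to 0..100 and reads "no security signal" as "no known CVE"; the signal keys and package names are invented.

```python
from dataclasses import dataclass
# Weights copied from the page's table (they sum to 100%).
WEIGHTS = {
    "blast_radius": 0.22,      # dependency blast radius
    "epss": 0.20,              # EPSS exploit probability
    "chokepoint": 0.15,        # chokepoint centrality
    "version_lag": 0.14,       # version lag from upstream
    "cvss": 0.10,              # CVSS severity
    "exploit_maturity": 0.08,  # KEV / PoC / weaponized
    "popularity": 0.07,        # ecosystem popularity
    "downloads": 0.02,         # download count
    "days_exposed": 0.02,      # days exposed
}
NO_SIGNAL_CAP = 20.0      # page: packages with no security signal are capped at 20
RUNTIME_MULTIPLIER = 1.5  # page: runtime-loaded packages with CVEs get 1.5x

@dataclass
class Package:
    name: str
    signals: dict           # signal key -> value normalised to 0..100 (assumption)
    has_cve: bool = False
    runtime_loaded: bool = False

def composite_score(pkg: Package) -> float:
    """Weighted sum of the nine signals, then the page's cap and multiplier."""
    score = sum(w * pkg.signals.get(k, 0.0) for k, w in WEIGHTS.items())
    # Assumption: "no security signal" means no known CVE; such packages keep
    # their structural importance but can never outrank a real finding.
    if not pkg.has_cve:
        score = min(score, NO_SIGNAL_CAP)
    elif pkg.runtime_loaded:
        score *= RUNTIME_MULTIPLIER
    return round(score, 1)

def prioritize(pkgs: list[Package]) -> list[Package]:
    """Highest composite score first: the patch order the page describes."""
    return sorted(pkgs, key=composite_score, reverse=True)

# Constructed sample data, not real scan output.
SAMPLE_PACKAGES = [
    Package("openssl", dict(blast_radius=95, epss=40, chokepoint=90, version_lag=30,
            cvss=75, exploit_maturity=60, popularity=90, downloads=80, days_exposed=20),
            has_cve=True),
    Package("leaf-tool", dict(blast_radius=5, epss=80, chokepoint=0, version_lag=50,
            cvss=90, exploit_maturity=100, popularity=10, downloads=10, days_exposed=60),
            has_cve=True, runtime_loaded=True),
    Package("quiet-lib", dict(blast_radius=80, epss=0, chokepoint=70, version_lag=10,
            cvss=0, exploit_maturity=0, popularity=60, downloads=50, days_exposed=0)),
]
```

With these inputs the weaponized leaf package (43.2 x 1.5 = 64.8) lands just below openssl (67.2), while the widely depended-on but CVE-free library is held to the 20-point cap.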
OSV.dev (CVE mapping) · FIRST.org EPSS (exploit probability) · NVD (CVSS scores) · CISA KEV (active exploits) · Debian Security Tracker · Repology (versions) · Ubuntu USN · Fedora Bodhi
SARIF (GitHub Code Scanning) · VEX (compliance) · NIST 800-53 OSCAL · FedRAMP High OSCAL · CycloneDX SBOM · JSON · HTML
Debian · Ubuntu · Fedora · Alpine · Arch · NixOS · Homebrew · Chocolatey · Winget
Start free. Upgrade when you need more scans.
Free tier — no credit card required.