



Making security vulnerabilities a thing of the past, one package at a time.
This project provides an engine for automatically detecting, analyzing, and remediating known security vulnerabilities in dependencies managed by five widely used package managers. Each package manager has a single engine script that handles scanning, analysis, auto-fixing, and JSON reporting.
Mission
To provide the open-source community with ready-to-use tools that automatically mitigate security alerts and reduce risks from known vulnerabilities. If these scripts prove effective in handling tested vulnerabilities, the project will expand to cover additional package managers until vulnerabilities become nothing more than a distant memory.
Supported Package Managers
| Package Manager | Language/Platform | Engine File | Status |
|---|---|---|---|
| npm | JavaScript/Node.js | engines/npm-engine.sh | ✅ Active |
| pip | Python | engines/pip-engine.sh | ✅ Active |
| Maven | Java | engines/maven-engine.sh | ✅ Active |
| Composer | PHP | engines/composer-engine.sh | ✅ Active |
| Cargo | Rust | engines/cargo-engine.sh | ✅ Active |
Quick Start
Prerequisites
- Linux/macOS/WSL environment
- Bash 4.0+
- Target package manager installed
- Internet connection for vulnerability databases
Installation
# Clone the repository
git clone https://github.com/yourusername/universal-security-remediation-engine.git
cd universal-security-remediation-engine
# Make engines executable
chmod +x engines/*.sh
# Run security scan for your project
./engines/npm-engine.sh /path/to/your/project
How It Works
Each engine follows the same four-phase remediation pipeline; the test suite requires a full run to finish in under 30 seconds (see Test Requirements):
Phase 1: Detection
- Scans project dependencies
- Identifies known vulnerabilities
- Cross-references with CVE databases
- Assigns severity scores
Phase 2: Analysis
- Analyzes vulnerable package versions
- Finds safe replacement versions
- Checks compatibility constraints
- Generates upgrade recommendations
Phase 3: Remediation
- Automatically updates vulnerable packages to the recommended safe versions
- Applies security patches
- Runs integrity checks
- Validates fixes
Phase 4: Reporting
- Generates comprehensive JSON reports
- Provides human-readable summaries
- Tracks remediation success rates
- Archives every report in the reports/ directory
Usage Examples
NPM Projects
./engines/npm-engine.sh ~/my-node-project
Python Projects
./engines/pip-engine.sh ~/my-python-app
Java/Maven Projects
./engines/maven-engine.sh ~/my-java-service
PHP/Composer Projects
./engines/composer-engine.sh ~/my-laravel-app
Rust/Cargo Projects
./engines/cargo-engine.sh ~/my-rust-binary
Why This Project Matters
For Developers
- Save Time: Automated security fixes instead of manual updates
- Stay Secure: Re-run the engines to catch newly disclosed vulnerabilities (scheduled scans are on the roadmap)
- Peace of Mind: Know which known vulnerabilities in your dependencies have been fixed and which still need attention
For Organizations
- Reduce Risk: Proactively address security vulnerabilities
- Compliance: JSON reports give auditors evidence of what was found and what was fixed
- Cost Effective: Free, open-source solution
- Collective Security: Everyone benefits from shared tools
- Transparency: Open-source security is better security
- Innovation: Build on a foundation that evolves
How to Contribute
We welcome contributions from the community! Here's how you can help:
1. Test Existing Engines
Run the engines on your projects and report:
- Success stories
- Edge cases
- Compatibility issues
- Performance metrics
2. Add New Package Managers
Want to add support for another package manager? Follow these steps:
# 1. Create a new engine file
cp engines/template-engine.sh engines/newpm-engine.sh
# 2. Implement the 4 phases:
# - detect_vulnerabilities()
# - analyze_packages()
# - apply_remediation()
# - generate_report()
# 3. Test thoroughly
./engines/newpm-engine.sh /path/to/test/project
# 4. Submit a pull request
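As an added illustration of the four phases described under How It Works and of the function names listed in the steps above, here is a minimal engine skeleton. It is not one of the project's engines: the constructed sample audit data, the tab-separated intermediate format, the DRY_RUN and PM_INSTALL_CMD variables and the "same major version only" rule in the analysis phase are all assumptions made for this example. It runs offline and prints a report in the layout documented under Understanding Reports.

```shell
#!/usr/bin/env bash
# Added example, not one of the project's engines: a minimal four-phase engine
# skeleton. The function names follow the contribution guide, but the sample
# data, DRY_RUN and PM_INSTALL_CMD are assumptions made for illustration.
set -eu

TAB=$(printf '\t')

# Constructed sample audit output standing in for a real `npm audit` call.
# Columns: name, installed, fixed_in, severity, advisory (tab separated).
# "example-lib" and CONSTRUCTED-0001 are made up to exercise the cross-major case.
SAMPLE_AUDIT="lodash${TAB}4.17.20${TAB}4.17.21${TAB}high${TAB}CVE-2021-23337
example-lib${TAB}1.9.0${TAB}2.0.0${TAB}critical${TAB}CONSTRUCTED-0001"

DRY_RUN="${DRY_RUN:-1}"                          # 1 = print upgrade commands instead of running them
PM_INSTALL_CMD="${PM_INSTALL_CMD:-npm install}"  # hypothetical; a real engine sets this per package manager

# Phase 1: detection. A real engine would run the package manager's audit
# command here and normalise its output into the columns above.
detect_vulnerabilities() {
  printf '%s\n' "$SAMPLE_AUDIT"
}

# Phase 2: analysis. A fix is "auto" only when the fixed version keeps the
# installed major version; cross-major upgrades are marked "manual" so the
# engine never applies a potentially breaking change without review.
analyze_packages() {
  while IFS="$TAB" read -r name installed fixed severity advisory; do
    [ -n "$name" ] || continue
    if [ "${installed%%.*}" = "${fixed%%.*}" ]; then decision=auto; else decision=manual; fi
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$name" "$installed" "$fixed" "$severity" "$advisory" "$decision"
  done
}

# Phase 3: remediation. Upgrades only "auto" entries (or prints the command in
# dry-run mode) and echoes each handled entry so the reporter can count fixes.
apply_remediation() {
  while IFS="$TAB" read -r name installed fixed severity advisory decision; do
    [ "$decision" = auto ] || continue
    if [ "$DRY_RUN" = 1 ]; then
      echo "+ $PM_INSTALL_CMD $name@$fixed" >&2
    else
      $PM_INSTALL_CMD "$name@$fixed" >&2   # unquoted on purpose: the command may carry flags
    fi
    printf '%s\t%s\t%s\t%s\t%s\n' "$name" "$installed" "$fixed" "$severity" "$advisory"
  done
}

count_lines() { printf '%s\n' "$1" | grep -c . || true; }
count_sev()   { printf '%s\n' "$1" | awk -F"$TAB" -v s="$2" '$4 == s { n++ } END { print n + 0 }'; }

# Phase 4: reporting, in the JSON layout documented under "Understanding Reports".
# Usage: generate_report PROJECT_PATH PACKAGE_MANAGER ANALYSED_TSV FIXED_TSV
# (values are not JSON-escaped here; a real engine must escape paths and names)
generate_report() {
  found=$(count_lines "$3"); fixed_n=$(count_lines "$4")
  updated=$(printf '%s\n' "$4" | awk -F"$TAB" 'NF { printf "%s{\"name\":\"%s\",\"from\":\"%s\",\"to\":\"%s\",\"severity\":\"%s\",\"cve\":\"%s\"}", (n++ ? "," : ""), $1, $2, $3, $4, $5 }')
  rate=$(awk -v a="$fixed_n" -v b="$found" 'BEGIN { printf "%.2f%%", b ? 100 * a / b : 100 }')
  printf '{"timestamp":"%s","project_path":"%s","package_manager":"%s",' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2"
  printf '"vulnerabilities_found":%d,"vulnerabilities_fixed":%d,"vulnerabilities_remaining":%d,' "$found" "$fixed_n" "$((found - fixed_n))"
  printf '"severity_breakdown":{"critical":%d,"high":%d,"medium":%d,"low":%d},' \
    "$(count_sev "$3" critical)" "$(count_sev "$3" high)" "$(count_sev "$3" medium)" "$(count_sev "$3" low)"
  printf '"packages_updated":[%s],"success_rate":"%s"}\n' "$updated" "$rate"
}

# Orchestrate the pipeline. Usage: run_engine /path/to/project npm
run_engine() {
  analysed=$(detect_vulnerabilities | analyze_packages)
  fixed=$(printf '%s\n' "$analysed" | apply_remediation)
  generate_report "$1" "$2" "$analysed" "$fixed"
}

run_engine "${1:-.}" "${2:-npm}"
```

Run it with no arguments and it prints the dry-run upgrade command for lodash on stderr and a one-line report on stdout; the cross-major example-lib entry is counted as found but left in vulnerabilities_remaining, which is the behaviour the Safe Remediation test requirement asks for.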
3. Improve Existing Engines
- Optimize scanning algorithms
- Add support for new vulnerability sources
- Enhance reporting formats
- Improve error handling
4. Documentation
- Add usage examples
- Translate documentation
- Create video tutorials
- Write blog posts
Testing Framework
We've made testing simple and comprehensive:
# Run full test suite
./test-all.sh
# Test specific engine
./test-engine.sh npm
# Test with sample vulnerable project
./engines/npm-engine.sh tests/vulnerable-npm-project
Test Requirements
Each engine must pass 4 critical tests:
- ✅ Detection Accuracy: Find every known vulnerability in the sample vulnerable project
- ✅ Safe Remediation: Only apply verified fixes
- ✅ Report Generation: Produce valid JSON output
- ✅ Speed: Complete scan in < 30 seconds
Understanding Reports
Reports are saved in the reports/ directory with the following structure:
{
"timestamp": "2026-02-17T14:30:00Z",
"project_path": "/home/user/my-project",
"package_manager": "npm",
"vulnerabilities_found": 12,
"vulnerabilities_fixed": 10,
"vulnerabilities_remaining": 2,
"severity_breakdown": {
"critical": 2,
"high": 4,
"medium": 5,
"low": 1
},
"packages_updated": [
{
"name": "lodash",
"from": "4.17.20",
"to": "4.17.21",
"severity": "high",
"cve": "CVE-2021-23337"
}
],
"execution_time": "8.3s",
"success_rate": "83.33%"
}
Security Alert Mitigation
GitHub Security Alerts
When you receive a GitHub security alert:
Run the appropriate engine
./engines/npm-engine.sh .
Review the generated report
cat reports/npm-report.json
Commit the fixes, after reviewing the diff to the manifest and lockfile and running your test suite, since an automated upgrade can still change behaviour. Note that git add . also stages the generated reports/ directory unless it is ignored.
git add .
git commit -m "security: auto-remediate vulnerabilities"
git push
Verify alert resolution
GitHub closes a Dependabot alert automatically once the dependency graph of the default branch no longer contains the vulnerable version; alerts for anything still counted under vulnerabilities_remaining stay open until you fix them by hand.
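Before the commit step, a practitioner will want to check the report rather than commit whatever the engine changed. The following gate script is an added example and not part of the project: it reads the top-level integer fields of a report in the layout shown under Understanding Reports with sed (so it works without jq), verifies that found minus fixed equals remaining, and exits non-zero while anything is still unfixed. The two sample reports are constructed, and the function names and file paths are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the project: a pre-commit gate that reads the
# engine's JSON report and refuses to proceed while vulnerabilities remain.
# Field extraction relies on the flat, one-key-per-line layout documented
# under "Understanding Reports"; use jq instead where it is available.
set -eu

# Constructed sample reports. The first mirrors the documented example
# (12 found, 10 fixed, 2 remaining); the second is a fully remediated run.
PARTIAL_REPORT='{
  "package_manager": "npm",
  "vulnerabilities_found": 12,
  "vulnerabilities_fixed": 10,
  "vulnerabilities_remaining": 2
}'
CLEAN_REPORT='{
  "package_manager": "npm",
  "vulnerabilities_found": 3,
  "vulnerabilities_fixed": 3,
  "vulnerabilities_remaining": 0
}'

# report_field FILE KEY: print the integer value of a top-level key, or nothing.
report_field() {
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# gate_report FILE: return 0 only when the report is internally consistent and
# nothing remains unfixed; 1 when fixes remain, 2 when the report is malformed.
gate_report() {
  found=$(report_field "$1" vulnerabilities_found)
  fixed=$(report_field "$1" vulnerabilities_fixed)
  remaining=$(report_field "$1" vulnerabilities_remaining)
  if [ -z "$found" ] || [ -z "$fixed" ] || [ -z "$remaining" ]; then
    echo "gate: $1 is missing a required field" >&2; return 2
  fi
  if [ "$((found - fixed))" -ne "$remaining" ]; then
    echo "gate: $1 is inconsistent ($found found, $fixed fixed, $remaining remaining)" >&2; return 2
  fi
  if [ "$remaining" -gt 0 ]; then
    echo "gate: $remaining vulnerabilities still unfixed; review before committing" >&2; return 1
  fi
  echo "gate: all $found vulnerabilities fixed" >&2
}

# Demo against the constructed reports, written to temporary files.
tmp=$(mktemp -d)
printf '%s\n' "$PARTIAL_REPORT" > "$tmp/partial.json"
printf '%s\n' "$CLEAN_REPORT" > "$tmp/clean.json"
gate_report "$tmp/partial.json" || echo "partial report blocked (exit $?)"
gate_report "$tmp/clean.json" && echo "clean report passed; safe to run git commit"
```

In practice the gate sits in front of the commit, for example `gate_report reports/npm-report.json && git commit -m "security: auto-remediate vulnerabilities"`, so a report that still lists unfixed or cross-major upgrades never gets pushed unreviewed.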
Project Roadmap
Phase 1: Core Engines (Current)
- ✅ NPM support
- ✅ PIP support
- ✅ Maven support
- ✅ Composer support
- ✅ Cargo support
Phase 2: Expansion
- [ ] NuGet (.NET)
- [ ] RubyGems (Ruby)
- [ ] Go Modules (Go)
- [ ] CocoaPods (iOS)
- [ ] Gradle (Android/Java)
Phase 3: Advanced Features
- [ ] CI/CD integration
- [ ] Scheduled automated scans
- [ ] Slack/Discord notifications
- [ ] Web dashboard
- [ ] API endpoints
Phase 4: Enterprise Features
- [ ] Multi-project support
- [ ] Organization-wide reporting
- [ ] Custom policy enforcement
- [ ] Compliance tracking
License
MIT License - see LICENSE file for details
Acknowledgments
This project stands on the shoulders of:
- All package manager security teams
- CVE database maintainers
- Open-source security researchers
- Our amazing contributors
Join the Movement
Together, we can make security vulnerabilities a thing of the past.
⭐ Star this repo if you believe in a more secure future
Fork it to add your own improvements
Share it with your team and community
Made with ❤️ by the open-source community
Last updated: February 17, 2026