What a bounded weekly Repo Watch looks like
Security tooling tends to fail in one of two directions. Either it is silent until an incident, or it is so loud that the alerts become wallpaper. GitZoid's Security Watch sits between those failures.
Two scans, one weekly report
Every day, a dependency scan checks your manifests against public vulnerability data for newly disclosed CVEs, packages that have reached end of life, and permission changes that widen the blast radius of a workflow. Once a week, a deeper pass reads the code itself for authorization holes, leaked secrets, and backdoors, the classes a dependency scanner cannot see.
The report arrives once a week. That cadence is deliberate. A daily security email becomes noise within a fortnight. A weekly Repo Watch stays readable because it is bounded: a short, ranked list of what actually changed in your risk surface.
Ranked, not dumped
A typical Repo Watch looks like this:
| Severity | Finding | What to do |
|---|---|---|
| Critical | An admin route that skips the auth check, with the exact file and line | Fix before the next release |
| Medium | A new CVE in a direct dependency | Move to the safe version listed |
| Medium | A package that has reached end of life | Plan a replacement |
| Clear | No leaked credentials in the week's diffs | Nothing to do |
The point is the order. The first line is the one thing to act on. Everything below it is context, not a queue of forty findings to triage.
High-severity only, on purpose
Security Watch does not report style. It does not report theoretical issues with no path to exploitation. It reports the changes that move your real risk, and it stops there. The discipline of a bounded report is what keeps it from becoming another channel you mute.