NewGitZoid now watches security and reports your week
All posts
SecurityJun 12, 2026·4 min read

What a bounded weekly Repo Watch looks like

GZ
GitZoid Team
Engineering
Security/gitzoid

Security tooling tends to fail in one of two directions. Either it is silent until an incident, or it is so loud that the alerts become wallpaper. GitZoid's Security Watch sits between those failures.

Two scans, one weekly report

Every day, a dependency scan checks your manifests against public vulnerability data for newly disclosed CVEs, packages that have reached end of life, and permission changes that widen the blast radius of a workflow. Once a week, a deeper pass reads the code itself for authorization holes, leaked secrets, and backdoors, the classes a dependency scanner cannot see.

The report arrives once a week. That cadence is deliberate. A daily security email becomes noise within a fortnight. A weekly Repo Watch stays readable because it is bounded: a short, ranked list of what actually changed in your risk surface.

Ranked, not dumped

A typical Repo Watch looks like this:

SeverityFindingWhat to do
CriticalAn admin route that skips the auth check, with the exact file and lineFix before the next release
MediumA new CVE in a direct dependencyMove to the safe version listed
MediumA package that has reached end of lifePlan a replacement
ClearNo leaked credentials in the week's diffsNothing to do

The point is the order. The first line is the one thing to act on. Everything below it is context, not a queue of forty findings to triage.

High-severity only, on purpose

Security Watch does not report style. It does not report theoretical issues with no path to exploitation. It reports the changes that move your real risk, and it stops there. The discipline of a bounded report is what keeps it from becoming another channel you mute.

Put a patrol on your repo.

The first review posts on your next pull request.

Try GitZoid