Make dependency vulnerabilities a solved problem. This scheduled automation runs your security scanners weekly (npm audit, pip-audit, cargo audit, or trivy), cross-references findings against known CVEs, files tickets for each unique vulnerability, and — where a safe upgrade exists — opens patch PRs automatically.

Use this template

Open Security Vulnerability Scan in Devin and create the automation with the default configuration. You can customize it before saving.

What this automation does

The Security Vulnerability Scan automation gives you a recurring baseline security posture without dedicating an engineer to it. Devin runs the scan, deduplicates findings across packages, prioritizes by CVSS score, and distinguishes between “upgrade to a safe version” (auto-fix) and “no clean fix available” (ticket for human review).
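As an added illustration of that triage step (example code, not part of Devin's template), the script below takes an npm audit v2 JSON report, collapses findings that share an advisory, ranks them by CVSS score, and splits them into safe-upgrade candidates and findings that need a ticket. The report is constructed sample data; the field names (`vulnerabilities`, `via`, `cvss.score`, `fixAvailable`) follow the npm audit v2 layout, and the package names and advisory URLs are placeholders.

```python
import json

# Constructed npm-audit-v2-style report: placeholder package names and advisory URLs.
SAMPLE_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "left-pad-ish": {
        "via": [{"title": "Prototype pollution", "url": "https://example.invalid/advisory/A1",
                 "cvss": {"score": 7.5}}],
        "fixAvailable": {"name": "left-pad-ish", "version": "2.0.1", "isSemVerMajor": False},
    },
    "left-pad-fork": {  # a second package hit by the same advisory
        "via": [{"title": "Prototype pollution", "url": "https://example.invalid/advisory/A1",
                 "cvss": {"score": 7.5}}],
        "fixAvailable": True,
    },
    # A string in `via` names another vulnerable package rather than an advisory.
    "consumer-lib": {"via": ["left-pad-ish"], "fixAvailable": True},
    "old-parser": {
        "via": [{"title": "RCE in parser", "url": "https://example.invalid/advisory/A2",
                 "cvss": {"score": 9.8}}],
        "fixAvailable": False,  # no fixed release exists
    },
    "legacy-http": {
        "via": [{"title": "Header smuggling", "url": "https://example.invalid/advisory/A3",
                 "cvss": {"score": 5.3}}],
        "fixAvailable": {"name": "legacy-http", "version": "3.0.0", "isSemVerMajor": True},
    },
}})


def triage(report_json):
    """Return (auto_fix, needs_ticket): deduplicated findings, each list sorted by CVSS desc."""
    findings = {}
    for pkg, entry in json.loads(report_json)["vulnerabilities"].items():
        fix = entry.get("fixAvailable", False)
        # Only a non-breaking upgrade counts as "safe"; a major bump still needs a human.
        safe_upgrade = fix is True or (isinstance(fix, dict) and not fix.get("isSemVerMajor"))
        for adv in entry.get("via", []):
            if isinstance(adv, str):
                continue
            f = findings.setdefault(adv["url"], {"url": adv["url"], "title": adv["title"],
                                                 "cvss": adv.get("cvss", {}).get("score", 0.0),
                                                 "packages": [], "auto_fix": True})
            f["packages"].append(pkg)
            f["auto_fix"] = f["auto_fix"] and safe_upgrade  # one unfixable path blocks auto-fix
    ranked = sorted(findings.values(), key=lambda f: f["cvss"], reverse=True)
    return [f for f in ranked if f["auto_fix"]], [f for f in ranked if not f["auto_fix"]]
```

The `auto_fix` list is what would feed patch PRs and `needs_ticket` what would become review tickets; a pip-audit or trivy report needs only a different reader for the same two-way split.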

How it works

Trigger: Schedule event (recurring)
  • Event: schedule:recurring
  • Conditions:
    • rrule matches FREQ=WEEKLY;BYDAY=TU;BYHOUR=9;BYMINUTE=0
What Devin does: Starts a session with full event context, executes the prompt below, and (optionally) notifies you on failure.

Prerequisites

Example prompt

The template ships with this prompt. You can edit it after clicking Use template, or leave it as-is.

Setting it up

  1. Open Automations → Templates in Devin.
  2. Click Security Vulnerability Scan. The create page opens with this template pre-filled.
  3. Connect any required integrations and install MCP servers if you haven’t already.
  4. Replace any placeholder values in the trigger conditions (for example, swap your-org/your-repo for your actual repo).
  5. Review the prompt and adjust it for your team’s language, conventions, and guardrails.
  6. Click Create automation.
Most automation templates include suggested ACU and invocation limits to bound cost during early rollout. Keep them as-is until you’re confident in the automation’s behavior, then raise them to fit your workload.

When to use this template

  • Compliance regimes (SOC 2, ISO 27001) that require documented vulnerability management
  • Enterprises with large dependency surfaces across many repos
  • Teams that installed Dependabot once and now ignore the 400 open PRs
  • Proactive security hygiene for security-sensitive products

Customization ideas

  • Pick your scanner — npm audit, pip-audit, trivy, grype, or your internal SCA
  • Route high-severity findings to a separate high-priority queue
  • Integrate with your compliance/GRC platform
  • Combine with Dependency Vulnerability Scanner for deeper GitHub Security Advisories coverage

See also