TL;DR
- CodeSlick has 306 security checks covering 56 CWEs — every one written against 2024–2025 attack patterns. New CVEs can make any check incomplete without the test suite ever turning red.
- We built CVE Coverage Guard: a weekly cron that fetches new high-severity CVEs from NVD, cross-references against our @cwe annotations, and auto-creates GitHub PRs (with Claude-generated test cases and check updates) for any gap found.
- First dry run: 254 CVEs processed, 2 real gaps surfaced — CVE-2026-40496 (CWE-330, CVSS 9.1) and CVE-2026-39462 (CWE-522, CVSS 8.1). Neither would have been caught by the existing test suite.
- The "automated" part is the suggestion. Merging is still a human decision — once a week.
The Problem Most SAST Tools Don't Fix
Static analyzers have a staleness problem. Not the kind that shows up in a test suite — the kind that doesn't.
CodeSlick's SQL injection check (CS-JS-008) detects direct string concatenation:
"SELECT * FROM users WHERE id = " + userId
It was written in 2024, against patterns common at the time. It passes 47 tests. All 47 are green.
But SQL injection via Prisma's $queryRaw template literal? Or via a query builder API that doesn't use string concatenation at all? Those are newer patterns. The check might not catch them. The tests don't cover them because the tests were written alongside the check.
A test suite verifies that a check works correctly against patterns it was written for. It doesn't verify that the check is still comprehensive against new patterns.
Security tools decay in silence. The CVEs keep coming, the checks don't update, and nothing in your CI turns red.
The Signal: CVEs
The NVD publishes new CVEs daily. Most are product-specific — irrelevant to a static analyzer. But a meaningful subset document code patterns: a new variant of SQL injection, a deserialization attack via a framework API, a CSRF bypass that exploits a missing header check. These map to CWEs — the same CWEs that CodeSlick's @cwe annotations track.
When NVD publishes a high-severity CVE for a CWE that CodeSlick covers but the check doesn't catch the new variant — that's a gap. And until now, nobody would have known.
How CVE Coverage Guard Works
Every Monday at 9 AM UTC, a cron job runs at /api/cron/cve-coverage-guard.
Fetch recent CVEs
Query NVD's API for the past 7 days of high-severity CVEs (CVSS ≥ 8.0). This week's run processed 254 CVEs.
Cross-reference @cwe annotations
CVE-2026-40496 → CWE-330 (Insufficient Randomness) → not in map → GAP
CVE-2026-39462 → CWE-522 (Insufficiently Protected Credentials) → not in map → GAP
CVE-2026-39109 → CWE-89 (SQL Injection) → in map → COVERED, skip
Try to extract vulnerable code
Three strategies in order: (1) scan the CVE description for fenced code blocks, (2) fetch GitHub commit diffs from CVE references, (3) scan reference URLs for PoC signals. Code extraction succeeds on roughly 30–40% of CVEs — the rest fall back to Issue-only mode.
Generate explanation + fix via Claude
Send CVE metadata, extracted code, and the current check file to Claude. Ask for: a plain-English explanation, an assessment of whether the current check catches it, a Vitest test case, and a minimal check addition. If confidence is below 95%, Claude returns empty code fields and the output falls back to Issue-only mode.
Create a PR or Issue
High confidence + code sample → GitHub PR with test case and check update, labelled auto-cve + needs-review. Low confidence or no code → GitHub Issue with the plain-English explanation.
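The cross-reference step above, as an added example that is not CodeSlick's own code: it parses @cwe annotations out of check sources, keeps only CVSS ≥ 8.0 records, and buckets each CVE as COVERED, SKIP or GAP the way the dry-run table does. It assumes the NVD 2.0 JSON record shape, an "@cwe CWE-NNN" comment syntax for the annotations, and a small constructed CWE allowlist; the fetch from NVD and the PR/Issue creation are out of scope.

```typescript
// Added example, not CodeSlick's own code. Assumptions: NVD 2.0 record shape
// (cve.weaknesses[].description[].value, cve.metrics.cvssMetricV31[].cvssData.baseScore),
// an "@cwe CWE-NNN" comment syntax for check annotations, and a constructed CWE allowlist.
type NvdRecord = { cve: { id: string;
  weaknesses?: { description: { lang: string; value: string }[] }[];
  metrics?: { cvssMetricV31?: { cvssData: { baseScore: number } }[] } } };
type Verdict = "COVERED" | "SKIP" | "GAP";
// Collect every distinct "@cwe CWE-NNN" annotation from check source text (assumed syntax).
function cweAnnotations(checkSources: string[]): string[] {
  const found: string[] = [], re = /@cwe\s+(CWE-\d+)/g;
  for (const src of checkSources)
    for (let m = re.exec(src); m !== null; m = re.exec(src)) if (found.indexOf(m[1]) === -1) found.push(m[1]);
  return found;
}
// Highest CVSS v3.1 base score on the record, 0 if NVD has not scored it yet.
function baseScore(r: NvdRecord): number {
  return Math.max(0, ...(r.cve.metrics?.cvssMetricV31 ?? []).map((m) => m.cvssData.baseScore));
}
// Real CWE ids only; NVD placeholders (NVD-CWE-noinfo, NVD-CWE-Other) count as "no mapping".
function cwesOf(r: NvdRecord): string[] {
  const out: string[] = [];
  for (const w of r.cve.weaknesses ?? []) for (const d of w.description) if (/^CWE-\d+$/.test(d.value)) out.push(d.value);
  return out;
}
function classify(r: NvdRecord, annotated: string[], allowlist: string[]): Verdict {
  const cwes = cwesOf(r);
  if (cwes.length === 0) return "SKIP";                             // no CWE mapping in NVD
  if (cwes.some((c) => annotated.indexOf(c) !== -1)) return "COVERED";
  if (cwes.some((c) => allowlist.indexOf(c) !== -1)) return "GAP";  // relevant CWE, no check carries it
  return "SKIP";                                                    // outside the SAST allowlist (assumed rule)
}
// Weekly pass: drop anything below CVSS 8.0, bucket the rest, return gap ids for PR/Issue creation.
function weeklyPass(records: NvdRecord[], annotated: string[], allowlist: string[]) {
  const counts: Record<Verdict, number> = { COVERED: 0, SKIP: 0, GAP: 0 };
  const gaps: string[] = [];
  for (const r of records.filter((x) => baseScore(x) >= 8.0)) {
    const v = classify(r, annotated, allowlist);
    counts[v]++;
    if (v === "GAP") gaps.push(r.cve.id);
  }
  return { counts, gaps };
}
// Constructed sample input: two check sources and five NVD-style records
// (CVE-SAMPLE-* ids and the 9.8 / 8.5 / 5.3 scores are made up; the other values are from the post).
const CHECKS = ["// CS-JS-008 SQL injection\n// @cwe CWE-89", "// @cwe CWE-79"];
const ALLOWLIST = ["CWE-89", "CWE-79", "CWE-330", "CWE-522"];
const rec = (id: string, cwe: string, score: number): NvdRecord => ({ cve: { id,
  weaknesses: [{ description: [{ lang: "en", value: cwe }] }],
  metrics: { cvssMetricV31: [{ cvssData: { baseScore: score } }] } } });
const SAMPLE: NvdRecord[] = [rec("CVE-2026-39109", "CWE-89", 9.8), rec("CVE-2026-40496", "CWE-330", 9.1),
  rec("CVE-2026-39462", "CWE-522", 8.1), rec("CVE-SAMPLE-1", "NVD-CWE-noinfo", 8.5), rec("CVE-SAMPLE-2", "CWE-330", 5.3)];
```

Running `weeklyPass(SAMPLE, cweAnnotations(CHECKS), ALLOWLIST)` yields one COVERED, one SKIP and two GAPs (the two CVEs from the dry run), with the sub-8.0 record never counted.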
First Dry Run: 254 CVEs, 2 Gaps
| Classification | Count |
|---|---|
| Covered (CWE in annotations) | ~100 |
| Skip (no CWE mapping in NVD) | ~152 |
| Gap (CWE in allowlist, not in annotations) | 2 |
The two gaps: CVE-2026-40496 (CWE-330, CVSS 9.1) and CVE-2026-39462 (CWE-522, CVSS 8.1). Neither would have been caught by the existing test suite.
2 gaps from 254 CVEs. That's the right signal-to-noise ratio for something reviewed by one person every Monday.
What This Doesn't Do
It doesn't auto-merge PRs.
Every auto-generated PR requires human review before anything lands in the analyzer. Claude generates a plausible-looking change but doesn't understand the full context of how the check fits into CodeSlick's architecture. The needs-review label is there for a reason. The "automated" part is the suggestion — the decision to merge, close, or investigate is yours, once a week.
It only watches CWEs it already knows about.
The system cross-references against 56 annotated CWEs. If a genuinely new vulnerability class appears that maps to no existing CWE in CodeSlick's list, it stays invisible until someone manually adds the annotation. This moves the maintenance burden — it doesn't eliminate it.
Miss detection is v2.
The current system only catches gaps — CWEs with no check at all. A harder problem is detecting when a check exists but doesn't catch a new variant. That requires running the analyzer against the CVE's code sample and comparing output. It's built into the design but deferred until gap detection is stable.
NVD is a lagging indicator.
Code extraction succeeds on roughly 30–40% of CVEs. The rest produce Issues, not PRs — useful for awareness but not immediately actionable without manual follow-up. Most CVEs are prose summaries, not code.
Why This Matters Beyond CodeSlick
Every SAST tool has this problem. The checks were written against known patterns. The patterns evolve. The tool doesn't keep up unless someone explicitly maintains the coverage — and that maintenance is invisible until it fails.
The @cwe annotation approach is what makes this possible. Without structured metadata on each check — what CWE it covers, when it was last verified — there's no automated way to cross-reference new CVEs against existing coverage. The annotations aren't just documentation: they're the hook that makes the CVE feed integration work.
The takeaway
If you run a SAST tool and it doesn't have explicit CWE mappings on its checks, you have no way to know which new CVEs it's missing. That's a structural gap, not a tuning problem. The real test for CVE Coverage Guard is six months from now: do the auto-PRs land cleanly, reduce real misses, and keep the false-negative rate low?
See what's in your dependency tree
CVE Coverage Guard runs automatically as part of CodeSlick's infrastructure. The GitHub App covers your PRs and dependency tree — free tier: 1 repo, 20 PR analyses per month.