name: threat-intel-monitor description: Continuous threat intelligence monitoring agent for DevSecOps. Monitors CISA KEV (Known Exploited Vulnerabilities), OSV.dev, NVD, and GitHub Advisory Database for newly disclosed CVEs, then cross-references them against dependency inventories from previously analyzed repositories to detect exposure. Use when asked to check for new threats, monitor CVEs, run a threat intel scan, detect new vulnerabilities affecting monitored repos, or schedule recurring vulnerability monitoring. Part of the GRIMSEC DevSecOps agent suite. Integrates with devsecops-repo-analyzer inventory outputs. license: MIT metadata: author: cambamwham2 version: '1.0' suite: GRIMSEC integrates_with: devsecops-repo-analyzer, vulnerability-context-enricher, cicd-pipeline-auditor
Threat Intel Monitor
When to Use This Skill
Use this skill when the user asks to:
- Check for new high-severity CVEs or newly disclosed vulnerabilities
- Monitor threat intelligence feeds (CISA KEV, OSV, NVD)
- Determine if previously analyzed repos are exposed to new threats
- Set up scheduled/recurring CVE monitoring (daily, weekly)
- Run a one-time exposure check against current dependency inventories
- Get a threat intel briefing or exposure report
This skill is part of the GRIMSEC DevSecOps agent suite and works downstream of:
- devsecops-repo-analyzer — produces
inventory.jsonfiles per repo - vulnerability-context-enricher — enriches individual CVEs with EPSS, CVSS, KEV status
- cicd-pipeline-auditor — audits CI/CD pipeline security
Skill Overview
The threat-intel-monitor performs a three-phase pipeline:
Phase 1: Threat Ingestion
└─ CISA KEV feed → filter by date
└─ OSV.dev batch API → query all monitored deps
└─ NVD API v2 → enrich critical findings
Phase 2: Exposure Cross-Reference
└─ Load all inventory.json files from monitored repos
└─ Match CVE-affected packages against installed versions
└─ Classify exposure: EXPOSED / POTENTIALLY_EXPOSED / NOT_AFFECTED
Phase 3: Report Generation
└─ JSON threat intel report
└─ Markdown executive summary
└─ (Optional) dashboard update or notification
Instructions
One-Time Threat Check
Run the check-threats.py script:
cd /home/user/workspace
python threat-intel-monitor/scripts/check-threats.py \
--lookback 7d \
--inventory-dir devsecops-analysis/ \
--output-dir devsecops-analysis/threat-intel/
Lookback options:
1d— last 24 hours (for daily scheduled runs)7d— last 7 days (default, good for weekly monitoring)30d— last 30 days (initial baseline scan)
The script will:
- Download and cache the CISA KEV JSON feed locally
- Load all
inventory.jsonfiles from--inventory-dir - Query OSV.dev batch API for all discovered dependencies
- Optionally enrich with NVD data for CRITICAL findings
- Write the JSON report and markdown summary to
--output-dir
Output files:
{date}-report.json— structured JSON with full threat data{date}-summary.md— human-readable markdown summary
Setting Up Scheduled/Recurring Monitoring
Use Perplexity Computer's schedule_cron capability to run this automatically:
Daily monitoring (runs at 6:00 AM UTC every day):
Schedule: 0 6 * * *
Command: python /home/user/workspace/threat-intel-monitor/scripts/check-threats.py --lookback 1d --inventory-dir /home/user/workspace/devsecops-analysis/ --output-dir /home/user/workspace/devsecops-analysis/threat-intel/
Weekly monitoring (runs every Monday at 7:00 AM UTC):
Schedule: 0 7 * * 1
Command: python /home/user/workspace/threat-intel-monitor/scripts/check-threats.py --lookback 7d --inventory-dir /home/user/workspace/devsecops-analysis/ --output-dir /home/user/workspace/devsecops-analysis/threat-intel/
To set up via agent: Ask the agent to schedule the cron job, providing the command above. The agent will use the schedule_cron tool from the Computer platform.
Interpreting Results
Exposure Status Values
| Status | Meaning | Action Required |
|---|---|---|
EXPOSED | Installed version is within the affected range | Immediate — patch or mitigate |
POTENTIALLY_EXPOSED | Version range could not be precisely determined | Urgent — manual verification needed |
NOT_AFFECTED | Installed version is outside affected range | No action needed |
Threat Priority
Threats are classified by combining CVE severity and exploit status:
| Priority | Criteria |
|---|---|
| P0 — CRITICAL | CISA KEV + CRITICAL CVSS + ransomware use |
| P1 — HIGH | CISA KEV + any severity, or CRITICAL CVSS without KEV |
| P2 — MEDIUM | HIGH CVSS, not in KEV |
| P3 — LOW | Medium/Low CVSS |
Always treat CISA KEV entries as highest priority — these are actively exploited in the wild.
Summary Fields
{
"total_new_threats": 15, // Total CVEs from all sources in lookback window
"threats_affecting_monitored_repos": 2, // CVEs that match at least one monitored dep
"repos_with_exposure": 1, // Distinct repos with at least one EXPOSED status
"critical_exposures": 1, // EXPOSED findings with CRITICAL severity
"high_exposures": 1 // EXPOSED findings with HIGH severity
}
Adding New Repos to Monitoring
The monitor automatically picks up any repo that has been analyzed with devsecops-repo-analyzer. To add a new repo:
-
Run
devsecops-repo-analyzeron the repo:Analyze repo: https://github.com/org/new-repoThis produces
/home/user/workspace/devsecops-analysis/new-repo/inventory.json -
The next threat intel scan will automatically include it — no additional configuration needed.
Manual inventory: If you want to add a repo without running the full analyzer, create a minimal inventory.json:
{
"repo": "my-repo",
"analyzed_at": "2026-03-24T00:00:00Z",
"dependencies": {
"npm": [
{"name": "express", "version": "4.18.2", "ecosystem": "npm"},
{"name": "lodash", "version": "4.17.21", "ecosystem": "npm"}
],
"pip": [
{"name": "django", "version": "4.2.0", "ecosystem": "PyPI"}
]
}
}
Script Reference
check-threats.py Arguments
| Argument | Default | Description |
|---|---|---|
--lookback | 7d | Time window: 1d, 7d, or 30d |
--inventory-dir | devsecops-analysis/ | Root dir containing per-repo subdirs with inventory.json |
--output-dir | devsecops-analysis/threat-intel/ | Where to write reports |
--nvd-api-key | None | Optional NVD API key (increases rate limit to 50 req/30s) |
--no-nvd | False | Skip NVD enrichment entirely (faster) |
--cache-dir | /tmp/threat-intel-cache/ | Local cache for CISA KEV and other feeds |
--severity | HIGH,CRITICAL | Minimum severity filter (comma-separated) |
--verbose | False | Enable verbose logging |
Environment Variables
| Variable | Description |
|---|---|
NVD_API_KEY | NVD API key (alternative to --nvd-api-key) |
GITHUB_TOKEN | GitHub PAT for GitHub Advisory Database queries |
THREAT_INTEL_CACHE_DIR | Override default cache directory |
References
For detailed documentation on each intel source, see:
references/threat-intel-sources.md— Source documentation, rate limits, field definitions, and interpretation guidance
Ecosystem Support
The following package ecosystems are supported for OSV.dev cross-referencing:
| Ecosystem | Inventory Key | Lock File |
|---|---|---|
| npm / yarn | npm | package-lock.json, yarn.lock |
| PyPI | pip | requirements.txt, Pipfile.lock |
| Go | go | go.sum |
| Maven | maven | pom.xml |
| Cargo | cargo | Cargo.lock |
| RubyGems | rubygems | Gemfile.lock |
| NuGet | nuget | packages.lock.json |
Integration with Other GRIMSEC Skills
devsecops-repo-analyzer
└─ Produces: inventory.json (dependency list per repo)
│
▼
threat-intel-monitor ◄── (this skill)
└─ Reads: inventory.json files
└─ Queries: CISA KEV, OSV, NVD, GitHub Advisories
└─ Produces: {date}-report.json, {date}-summary.md
│
▼
vulnerability-context-enricher
└─ Reads: threat-intel report
└─ Enriches: EPSS scores, CVSS vectors, patch availability
└─ Produces: enriched CVE profiles
Run devsecops-repo-analyzer first to build inventories, then threat-intel-monitor to check exposure against current threat feeds.