
OSS Pulse now pages PagerDuty when a critical CVE hits your dependencies

June 12, 2026 · oss-pulse, saas, python, pagerduty, security, devops

When OSS Pulse finds a critical CVE in your dependencies, you get:

  1. An email (existing)
  2. A Slack message (existing, Enterprise)
  3. A PagerDuty incident (new)

Option 3 is the one that wakes someone up at 3am. The other two are the ones you might see at 9am.

For a CVSS 9.8 vulnerability in a library running in your production API, 9am might be 6 hours too late.


How it works

Enterprise users configure a PagerDuty routing key via the API:

POST /account/pagerduty
{"routing_key": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4"}

When the CVE scanner finds an advisory with CVSS ≥ 7.0 against a watched repo, it:

  1. Sends the immediate email
  2. Fires the Slack webhook (if configured)
  3. POSTs to events.pagerduty.com/v2/enqueue with the routing key

The PagerDuty payload uses Events API v2:


Why dedup_key matters

The scanner runs every 4 hours. Without a dedup_key, the same CVE would create a new PagerDuty incident every 4 hours until it's resolved. The dedup_key is keyed to the repo + GHSA ID, so repeated scans of the same advisory update the existing incident rather than creating new ones.


Severity mapping

| CVSS range | PagerDuty severity |
|---|---|
| ≥ 9.0 | critical |
| ≥ 7.0 | error |
| ≥ 4.0 | warning |
| < 4.0 | info |

OSS Pulse only pages for CVSS ≥ 7.0, so in practice you'll see critical or error alerts. The severity map is there for future configurability.
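The payload block itself did not survive on this page, so here is an added example, written for this post and not OSS Pulse's own code, of what an Events API v2 trigger looks like with the pieces described above: the CVSS ≥ 7.0 paging gate, the severity map, and a dedup_key derived from repo + GHSA ID so the 4-hourly rescan updates one incident instead of opening a new one. The repo, routing key and advisory are constructed sample input; the exact field layout inside `payload`, the `resolve` event and the `redacted` helper are my choices from the public Events API v2 schema, not anything the post says OSS Pulse does.

```python
"""Added example: PagerDuty Events API v2 events for a dependency advisory.

Illustrative code for this post, not OSS Pulse's implementation. Field layout,
the resolve event and the redaction helper are this example's assumptions.
"""
import json
import urllib.request
from typing import Optional

PAGERDUTY_EVENTS_URL = "https://events.pagerduty.com/v2/enqueue"
PAGE_THRESHOLD = 7.0  # OSS Pulse only pages at CVSS >= 7.0

# Constructed sample input: made-up repo, the post's placeholder key, a placeholder advisory.
SAMPLE_REPO = "acme/payments-api"
SAMPLE_ROUTING_KEY = "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4"
SAMPLE_ADVISORY = {
    "ghsa_id": "GHSA-0000-0000-0000",  # placeholder, not a real advisory
    "package": "example-lib",
    "version": "2.3.1",
    "fixed_in": "2.3.2",
    "cvss": 9.8,
}


def pd_severity(cvss: float) -> str:
    """Map a CVSS base score onto the four Events v2 severities (the post's table)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "error"
    if cvss >= 4.0:
        return "warning"
    return "info"


def dedup_key(repo: str, ghsa_id: str) -> str:
    """One incident per (repo, advisory).

    Keyed on the GHSA ID, not the package: two advisories against the same
    package are separate incidents, while re-scanning the same advisory every
    4 hours hits the same key and updates the open incident. GitHub repo names
    are case-insensitive, so normalise before keying.
    """
    return f"oss-pulse:{repo}:{ghsa_id}".lower()


def build_trigger(routing_key: str, repo: str, advisory: dict) -> Optional[dict]:
    """Return an Events v2 'trigger' event, or None below the paging gate."""
    cvss = float(advisory["cvss"])
    if cvss < PAGE_THRESHOLD:
        return None  # email/Slack still go out; PagerDuty does not
    ghsa = advisory["ghsa_id"]
    return {
        "routing_key": routing_key,
        "event_action": "trigger",
        "dedup_key": dedup_key(repo, ghsa),
        "payload": {
            "summary": f"{ghsa} (CVSS {cvss}) in {advisory['package']} "
                       f"{advisory['version']} used by {repo}",
            "source": repo,
            "severity": pd_severity(cvss),
            "component": advisory["package"],
            "group": "oss-pulse",
            "class": "vulnerable-dependency",
            "custom_details": {"cvss": cvss, "fixed_in": advisory.get("fixed_in")},
        },
        "links": [{"href": f"https://github.com/advisories/{ghsa}", "text": "GitHub advisory"}],
    }


def build_resolve(routing_key: str, repo: str, ghsa_id: str) -> dict:
    """Close the incident once the advisory no longer applies; same dedup_key is how PagerDuty matches it."""
    return {"routing_key": routing_key, "event_action": "resolve", "dedup_key": dedup_key(repo, ghsa_id)}


def redacted(event: dict) -> dict:
    """Copy safe to log: the routing key lets anyone holding it open incidents on the service."""
    safe = dict(event)
    key = safe.get("routing_key", "")
    safe["routing_key"] = "*" * max(len(key) - 4, 0) + key[-4:]
    return safe


def send_event(event: dict, timeout: float = 10.0) -> dict:
    """POST to the Events API v2 endpoint. Network I/O; never called at import time."""
    req = urllib.request.Request(
        PAGERDUTY_EVENTS_URL,
        data=json.dumps(event).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)  # {"status": "success", "dedup_key": ..., "message": ...}


if __name__ == "__main__":
    event = build_trigger(SAMPLE_ROUTING_KEY, SAMPLE_REPO, SAMPLE_ADVISORY)
    print(json.dumps(redacted(event), indent=2))  # dry run: print, do not send
```

Two practitioner notes. The routing key is a credential, not a config value: anyone who has it can page your on-call, so store it like a secret and never write it to logs (hence `redacted`). And because repeated triggers with the same dedup_key only update the incident, the natural companion is a `resolve` event with that same key once a rescan shows the dependency upgraded; the post does not say whether OSS Pulse sends one, so treat that part as this example's addition.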


Why PagerDuty and not OpsGenie

Same reason as the CertWatch addition: broader install base in the DevSecOps and MSP space, simpler API (routing key in body, hardcoded endpoint). OpsGenie support would be a one-afternoon addition if there's demand.


OSS Pulse watches your open-source dependencies for CVEs, maintainer abandonment, and license changes. Weekly digest + real-time critical alerts via email, Slack, and PagerDuty (Enterprise). Currently accepting early access signups.