Zorv | Autonomous AI CVE Patcher for Node.js & Python Dependencies
by OpenYF AIZORV
Run it locally or inside your CI/CD. 100% self-hosted. Zero subscription fees.
THE CORE PROBLEM
Why bots fall short
Traditional Dependency Bots Break Your Builds. You Clean Up the Mess.
Standard tools like Dependabot and Renovate are great at finding outdated packages, but they only do half the job. When they bump a major package version:
1. Breaks Tests: The package API changes, throwing errors and breaking your suite.
2. Blocks Backlog: The PR sits gathering dust, requiring developers to fix manually.
3. Triggers Alerts: Security teams continuously flag unresolved CVE security alerts.
Zorv fixes this by acting as an autonomous developer in your CI pipeline. When a package bump breaks your tests, Zorv analyzes the test failure, rewrites the obsolete API usage, verifies the tests pass, and opens a clean, merge-ready Pull Request.
QUICKSTART
See it in action
zorv-cli
$ docker run --rm -v $(pwd):/workspace -e ZORV_LICENSE="your_license_key" yusgev2/zorv:latest scan --dir /workspace
AUTONOMOUS PATCHING LIFECYCLE
The loop that secures your codebase
1. Audit & Scan: Zorv scans your repository using npm audit to extract patchable CVEs and target package versions.
2. Surgical Version Bump: It creates a new isolated Git branch and surgically upgrades the package in package.json.
3. Sandboxed Execution & Isolation: Zorv installs dependencies and runs your test suite inside an isolated Bubblewrap Linux sandbox. This blocks network access for tests, prevents directory traversal, and ensures untrusted code cannot touch your host OS.
4. AI Auto-Fix Loop: If tests fail, Zorv feeds the test logs and errors into your configured LLM (Azure OpenAI, Anthropic, Gemini, etc.) to rewrite the obsolete or broken API usage. It automatically repeats this loop until tests pass.
5. Commit & Open Pull Request: Once the tests are 100% green, Zorv stages only the modified source files, commits them, and opens a clean, merge-ready Pull Request with a clear explanation and diff summary.
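The first step of the loop turns the machine-readable output of npm audit into a list of patchable findings with target versions. As an added example, not Zorv's own code: a parser over a constructed npm audit --json report (npm 7+ report schema, assumed here; package names and advisory titles are placeholders) that keeps only the findings npm has a fix for, names the package.json entry to bump (for a transitive finding that is the top-level dependency, not the vulnerable package itself), and flags semver-major bumps, the case the page describes as breaking the test suite.

```python
import json

# Constructed sample of `npm audit --json` output (npm 7+ report schema, as assumed here);
# package names and advisory titles are placeholders, not real CVEs.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "sample-router": {
        "name": "sample-router", "severity": "high", "isDirect": True,
        "via": [{"name": "sample-router", "title": "placeholder advisory A",
                 "severity": "high", "range": "<5.0.0"}],
        "fixAvailable": {"name": "sample-router", "version": "5.0.0", "isSemVerMajor": True},
    },
    "sample-parser": {
        "name": "sample-parser", "severity": "critical", "isDirect": False,
        "via": [{"name": "sample-parser", "title": "placeholder advisory B",
                 "severity": "critical", "range": "<1.2.6"}],
        # Transitive finding: the fix is a bump of the top-level package that pulls it in.
        "fixAvailable": {"name": "sample-cli", "version": "3.1.0", "isSemVerMajor": False},
    },
    "sample-util": {
        "name": "sample-util", "severity": "low", "isDirect": True,
        "via": ["sample-parser"], "fixAvailable": False,
    },
}})

SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}


def extract_patchable(audit_json: str) -> list:
    """Findings npm reports a fix for, riskiest first. Each names the package to
    bump in package.json (for a transitive finding, the top-level dependency) and
    flags semver-major bumps, the ones most likely to break the test suite."""
    report = json.loads(audit_json)
    patchable = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        fix = vuln.get("fixAvailable")
        if not fix:  # False: npm knows no fixed version, so the alert stays open
            continue
        # True means `npm audit fix` handles it in place; a dict names the bump target.
        target = fix if isinstance(fix, dict) else {"name": name}
        titles = [v["title"] for v in vuln.get("via", []) if isinstance(v, dict)]
        patchable.append({
            "vulnerable": name, "severity": vuln.get("severity", "info"),
            "advisories": titles, "bump": target["name"],
            "target_version": target.get("version"),
            "major_bump": bool(target.get("isSemVerMajor")),
        })
    patchable.sort(key=lambda p: SEVERITY_ORDER.get(p["severity"], 5))
    return patchable
```

Findings with major_bump set are the ones to expect to fail the sandboxed test run and enter the auto-fix loop; findings with no fix stay as open alerts for a human to triage.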
SECURITY FIRST
Why Zorv is different
100% Self-Hosted CLI & Docker
Zorv runs entirely on your infrastructure. Your proprietary source code never leaves your network, keeping you fully compliant with SOC2, GDPR, and HIPAA.
Bubblewrap Isolation
The LLM-generated code runs in a hardened sandbox. Zorv blocks internet access for the tests, prevents directory traversal attacks, and isolates the host system.
11+ LLM Providers Supported
Plug in your own API keys. Zorv natively supports Azure OpenAI, OpenAI, Anthropic, Gemini, Grok, Groq, Cohere, TogetherAI, OpenRouter, and local models.
SOC2 Auditable Logs
Zorv generates append-only JSONL logs with ISO 8601 timestamps, documenting every single file read, write, and command execution for clear compliance verification.
CI/CD INTEGRATION
Drop into GitHub Actions in 60 Seconds
.github/workflows/zorv.yml
name: Zorv Autonomous Patching
on:
  schedule:
    - cron: '0 8 * * 1' # Runs every Monday at 8 AM
  workflow_dispatch:
jobs:
  patch:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
      - name: Run Zorv Patcher
        run: |
          docker run --rm \
            --security-opt seccomp=unconfined \
            -v ${{ github.workspace }}:/workspace \
            -e ZORV_LICENSE=${{ secrets.ZORV_LICENSE }} \
            -e LLM_PROVIDER=openai \
            -e OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} \
            -e GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
            -e GITHUB_REPOSITORY=${{ github.repository }} \
            yusgev2/zorv:latest scan --dir /workspace
FAQ
Frequently Asked Questions
Is my code sent to third-party services?
What languages and frameworks are supported?
How does the licensing work?
What happens if the AI writes a bad fix?
PROVIDERS
Works with
Mistral