Supply Chain Intel (Continuous Watch)
Daily cross-reference of every submitted SBOM against OSV and CISA KEV, with smart re-notify on KEV bumps, severity escalations, and fix availability.
WASViking® Supply Chain Intel runs Continuous Watch over every SBOM your organization has submitted. SBOMs land in the inventory once and are re-evaluated every day against the latest advisories. No re-scan or re-submission needed.
This is the page at Inventory → Supply Chain Intel in the portal.
What it does
Continuous Watch cross-references every SBOM you have submitted against OSV and CISA KEV every day. Each vulnerable component becomes a Finding with its own lifecycle.
Three concrete outcomes:
- Net new advisories published today are matched against every live SBOM you submitted in the past.
- Existing advisories that change (KEV listing, severity bump, fix released) trigger a fresh alert per the re-notify policy.
- Status hygiene: a vulnerable component shipped under the same `dedupe_key` does not produce duplicate Findings; it updates the existing one.
How it works
Sources
| Source | What it brings |
|---|---|
| OSV.dev | Open Source Vulnerabilities database. Comprehensive coverage across npm, PyPI, Go, Maven, RubyGems, Composer, NuGet, and more. GHSA advisories arrive inside the OSV feed. |
| CISA KEV | Known Exploited Vulnerabilities catalog. Flags advisories with confirmed in-the-wild exploitation. |
Ingestion is incremental: only new and modified advisories are pulled each cycle. Both feeds are public; no customer data leaves your tenant during ingest.
Cadence
Continuous Watch runs daily. Each cycle:
- Refreshes OSV deltas per ecosystem.
- Diffs the CISA KEV catalog.
- Matches every advisory against every active SBOM in your organization.
- Promotes matches to Findings with category `vulnerable_component` and `source = continuous_watch`.
- Routes alerts per the re-notify policy and the channel configuration.
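To make the matching and dedupe behaviour above concrete, here is an added example (not WASViking's code, and not the portal's implementation) that matches a small set of advisories against SBOM components, keys each match on a dedupe key built from advisory, ecosystem, package and version, and upserts Findings so that a second daily run, or the same component in a second SBOM, updates the existing Finding instead of creating another. Version comparison assumes dotted numeric versions; advisory ranges are a simplified "introduced"/"fixed" pair; all names and versions are constructed.

```python
"""Added example: advisory-to-SBOM matching with dedupe-keyed Finding upserts.
Not WASViking's code. Versions are assumed to be dotted numerics and
advisory ranges are simplified to one introduced/fixed pair. Sample data
is constructed."""
from dataclasses import dataclass, field
from typing import Optional


def parse_version(v: str) -> tuple:
    # Assumption: dotted numeric versions only, e.g. "1.2.3" -> (1, 2, 3)
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    id: str
    ecosystem: str
    package: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first non-affected version, None if no fix yet


@dataclass
class Component:
    sbom_id: str
    ecosystem: str
    name: str
    version: str


@dataclass
class Finding:
    dedupe_key: str
    advisory_id: str
    component: str
    version: str
    sboms: set = field(default_factory=set)   # every SBOM that ships this component
    category: str = "vulnerable_component"
    source: str = "continuous_watch"
    status: str = "open"


def is_affected(adv: Advisory, comp: Component) -> bool:
    """True when the component version falls inside [introduced, fixed)."""
    if adv.ecosystem != comp.ecosystem or adv.package != comp.name:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def dedupe_key(adv: Advisory, comp: Component) -> str:
    # The key deliberately excludes the SBOM id: the same vulnerable
    # component in several SBOMs is one Finding with several sources.
    return f"{adv.id}|{comp.ecosystem}|{comp.name}|{comp.version}"


def upsert_findings(findings: dict, advisories, components) -> dict:
    """Add new Findings for fresh matches and update existing ones in place."""
    for adv in advisories:
        for comp in components:
            if not is_affected(adv, comp):
                continue
            key = dedupe_key(adv, comp)
            finding = findings.get(key)
            if finding is None:
                finding = Finding(key, adv.id, comp.name, comp.version)
                findings[key] = finding
            finding.sboms.add(comp.sbom_id)   # update, never duplicate
    return findings


# Constructed sample data (hypothetical advisory ids and package names)
ADVISORIES = [
    Advisory("OSV-EXAMPLE-1", "npm", "example-pad", "1.0.0", "1.2.3"),
    Advisory("OSV-EXAMPLE-2", "PyPI", "example-toolkit", "2.0.0", None),
]
COMPONENTS = [
    Component("sbom-a", "npm", "example-pad", "1.2.0"),
    Component("sbom-b", "npm", "example-pad", "1.2.0"),    # same component, other SBOM
    Component("sbom-b", "npm", "example-pad", "1.2.3"),    # already on the fixed version
    Component("sbom-c", "PyPI", "example-toolkit", "2.5.0"),  # no fix published yet
]


def run_cycle(findings: Optional[dict] = None) -> dict:
    """One daily Continuous Watch cycle over the constructed inventory."""
    findings = {} if findings is None else findings
    return upsert_findings(findings, ADVISORIES, COMPONENTS)


if __name__ == "__main__":
    state = run_cycle()
    state = run_cycle(state)   # second day: same advisories, no new Findings
    for key, f in state.items():
        print(key, sorted(f.sboms), f.status)
```

Running two cycles back to back leaves exactly two Findings: the npm match carries both sbom-a and sbom-b as sources, the 1.2.3 component is skipped because it is at the fixed version, and the PyPI match stays open because no fixed version exists yet.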
Severity
WASViking computes a single severity per match in this precedence:
- CVSS v4 if available, otherwise CVSS v3.
- GHSA qualitative severity (`critical`/`high`/`moderate`/`low`) if there is no CVSS.
- KEV-listed advisories default to at least `high` even without a CVSS score, because exploitation is confirmed.
- `unknown` only if none of the above is available.
Re-notify policy
By design, Continuous Watch is signal-only. A new alert fires only on meaningful state changes for an advisory already in your inventory:
| Trigger | What changed |
|---|---|
| KEV listing | The advisory was just added to the CISA KEV catalog. |
| Severity escalation | Severity reclassified to critical. |
| Fix availability | A fixed version was published upstream. |
Repeated daily runs that find the same advisory in the same state do not re-fire. Suppressed matches stay suppressed; if an escalation matches a suppressed advisory, the audit log captures it with "escalated while suppressed", but no alert is sent.
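The severity precedence and the re-notify policy above are easiest to check as a small decision function. The following is an added example, not WASViking's code: it computes one severity per advisory in the stated order (CVSS v4, then v3, then GHSA label, then the KEV floor of `high`, else `unknown`), compares yesterday's and today's advisory state to decide which of the three triggers fire, and writes the "escalated while suppressed" audit entry instead of an alert when the match is suppressed. Advisory field names and the sample records are assumptions constructed for the example; the CVSS band cut-offs are the standard qualitative ones.

```python
"""Added example: severity precedence plus re-notify decision.
Not WASViking's code. Advisory dict keys (cvss_v4, cvss_v3, ghsa_severity,
kev, fixed_version) are assumed names; sample records are constructed."""
from typing import Optional

SEVERITY_RANK = {"unknown": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def cvss_to_label(score: float) -> str:
    """Standard CVSS qualitative bands; 'moderate' is used for the 4.0-6.9 band
    to match the GHSA labels the page uses."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "moderate"
    if score > 0.0:
        return "low"
    return "unknown"   # a 0.0 score carries no information (assumption)


def compute_severity(adv: dict) -> str:
    """Single severity per match, in the documented precedence."""
    if adv.get("cvss_v4") is not None:
        base = cvss_to_label(adv["cvss_v4"])
    elif adv.get("cvss_v3") is not None:
        base = cvss_to_label(adv["cvss_v3"])
    elif adv.get("ghsa_severity") in SEVERITY_RANK:
        base = adv["ghsa_severity"]
    else:
        base = "unknown"
    if adv.get("kev"):
        # KEV means confirmed exploitation: floor the result at "high"
        if SEVERITY_RANK[base] < SEVERITY_RANK["high"]:
            base = "high"
    return base


def renotify_triggers(previous: Optional[dict], current: dict) -> list:
    """Triggers that fire for an advisory already in inventory.
    previous is the last evaluated state; None means first sighting."""
    if previous is None:
        return ["new_match"]
    triggers = []
    if current.get("kev") and not previous.get("kev"):
        triggers.append("kev_listing")
    if compute_severity(current) == "critical" and compute_severity(previous) != "critical":
        triggers.append("severity_escalation")
    if current.get("fixed_version") and not previous.get("fixed_version"):
        triggers.append("fix_availability")
    return triggers


def route(previous: Optional[dict], current: dict, suppressed: bool, audit: list) -> bool:
    """Return True when an alert should be sent. Suppressed matches never
    alert; an escalation on them is recorded in the audit log instead."""
    triggers = renotify_triggers(previous, current)
    if not triggers:
        return False           # same advisory, same state: no re-fire
    if suppressed:
        audit.append({"advisory": current["id"], "triggers": triggers,
                      "note": "escalated while suppressed"})
        return False
    return True


# Constructed sample states for one hypothetical advisory
YESTERDAY = {"id": "CVE-EXAMPLE-0001", "cvss_v3": 6.5, "kev": False, "fixed_version": None}
TODAY_UNCHANGED = dict(YESTERDAY)
TODAY_KEV = {**YESTERDAY, "kev": True}
TODAY_CRITICAL_FIXED = {**YESTERDAY, "cvss_v3": 9.8, "fixed_version": "2.0.1"}

if __name__ == "__main__":
    log = []
    print(compute_severity(YESTERDAY), compute_severity(TODAY_KEV))
    print(renotify_triggers(YESTERDAY, TODAY_UNCHANGED))
    print(route(YESTERDAY, TODAY_KEV, suppressed=True, audit=log), log)
```

Note that the KEV floor only lifts a severity to `high`; it never produces `critical`, so a KEV listing alone fires the KEV trigger but not the escalation trigger, which is what keeps the two triggers distinct.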
Where it lives in the portal
Inventory → Supply Chain Intel is the operator view. The page lists matches with filters by ecosystem, severity, status (open, acknowledged, suppressed, fixed), and source SBOM. Each row drills into:
- Advisory details (CVE / GHSA / KEV linkage, references, sanitized description).
- Affected component and version range.
- Source SBOM and target.
- Status timeline with operator transitions.
Findings produced
Every match promotes to a Finding under the standard workflow.
| Field | Value |
|---|---|
| Category | vulnerable_component |
| Source | continuous_watch |
| CWE | Per-advisory, with CWE-1395 as fallback (Dependency on Vulnerable Third-Party Component) |
| Severity | From the precedence above |
| Risk Score | Combined with asset criticality, environment, and SLA |
Findings inherit the standard Findings workflow, including status transitions and webhook events.
Alert channels
Continuous Watch reuses the platform's alert routing. Configure recipients under Settings → Notification Channels. On each channel modal, enable the Supply Chain Advisory event.
| Channel | Notes |
|---|---|
| Email | Branded transactional email with the advisory, affected components, and a deep link to the match. Routed through the canonical email pipeline (audited). |
| Slack | Block format. One message per advisory, with the matched components inline. |
| Microsoft Teams | Adaptive Card. Same content as Slack. |
| Webhook | `{"event": "supply_chain.advisory.matched", "schema_version": 1, "data": {…}}`. Signed delivery. |
See Webhook events for the full event catalog.
REST API
Public read access for tenant integrations and SIEM ingestion.
| Method | Path | Scope |
|---|---|---|
| GET | `/api/v1/public/supply-chain/advisories/` | `sca:intel:read` |
Auth scheme is ApiKey `wv_live_*`. Encrypted IDs on the wire (standard across the public API). See Authentication.
Plan availability
Continuous Watch is available on the Pro plan and above. Free and Starter plans see the SBOM inventory but not the daily ingest or the re-notify pipeline. Per-plan limits:
| Plan element | Notes |
|---|---|
| `continuous_watch` | Enabled on Pro and above. |
| `alerts_per_day` | Capped per plan. Tracked in Settings → Usage. |
When you are on Starter, the Supply Chain Intel page shows a disabled state inviting you to upgrade.
What it does NOT do
- No outbound traffic to your repositories. Continuous Watch operates over SBOMs already submitted; it does not pull source.
- No automatic remediation. Matches become Findings; remediation is operator-driven.
- No customer data in the alert payload. Alerts carry the advisory and the matched component, plus an opaque match reference.
- Does not replace the CI/CD gate. The `wasviking-sentinel sbom` gate runs at build time. Continuous Watch is the after-the-build safety net for advisories published after your last build.
How this fits with the rest of the supply chain story
| Layer | What it answers |
|---|---|
| `wasviking-sentinel sbom` | "What is in this build, right now?" |
| `wasviking-sentinel ci --sca` | "Is this build safe to ship?" |
| Supply Chain Intel (this page) | "Did anything change overnight in something I already shipped?" |
| Supply-chain IOC | "Is this specific package + version anywhere in my inventory?" |
| SBOM Evidence Bundle | "Can I prove this to my auditor or my customer?" |
The capability summary lives at Software Supply Chain.
