Reported by a Discord engineer testing CVE Lite CLI against a large enterprise monorepo. The tool is within acceptable range but slower than ideal for pre-commit hook usage — their bar is set by an internal Dependabot replacement they built because other tools were too slow.
Investigation areas
- Profile scan time on large lockfiles (1000+ packages)
- OSV batch query efficiency — are we making more network calls than necessary?
- Parser performance on large pnpm/npm monorepo lockfiles
- Caching hit rate — are repeat scans benefiting from cache?
- Advisory DB offline mode — does --offline close the gap significantly for large repos?
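To make the batch-query and cache items above concrete, here is an added sketch (not CVE Lite CLI's own code) of the two numbers worth measuring first: how many `POST /v1/querybatch` round trips a cold scan of a lockfile needs, and how many of those disappear when a per-package cache is warm. Assumptions: the lockfile is a `lockfileVersion` 2/3 `package-lock.json` (pnpm is not handled here), OSV's documented ceiling is 1000 queries per batch request (confirm against the current docs), and the cache key scheme is illustrative rather than the tool's real layout. The sample lockfile is constructed inline so it runs offline.

```python
"""Sketch of an OSV batch-request and per-package cache plan for npm lockfiles.

Added illustration, not CVE Lite CLI's code. Assumptions are marked below.
"""
import hashlib
import math

# Assumption: OSV's documented ceiling for POST /v1/querybatch is 1000 queries per
# request; confirm against the current docs before relying on the exact number.
OSV_BATCH_LIMIT = 1000

# Constructed sample: a lockfileVersion 3 package-lock.json with a root entry,
# a scoped package, a nested duplicate version, a repeated (name, version) pair
# under two parents, and a workspace link with no version.
SAMPLE_LOCK = {
    "name": "monorepo",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "monorepo", "version": "0.0.0"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/@scope/pkg": {"version": "1.2.3"},
        "node_modules/foo": {"version": "2.0.0"},
        "node_modules/foo/node_modules/lodash": {"version": "3.10.1"},
        "node_modules/bar": {"version": "1.0.0"},
        "node_modules/bar/node_modules/lodash": {"version": "4.17.20"},
        "node_modules/my-workspace": {"resolved": "packages/my-workspace", "link": True},
    },
}


def packages_from_npm_lock(lock: dict) -> list[tuple[str, str]]:
    """Return the deduplicated, sorted (name, version) pairs from a v2/v3 package-lock."""
    pairs = set()
    for path, meta in lock.get("packages", {}).items():
        if path == "" or "version" not in meta:
            continue  # root project, or a workspace link with no resolved version
        # Package name is everything after the last "node_modules/" segment, which
        # keeps scoped names (@scope/pkg) and nested installs intact.
        name = path.rsplit("node_modules/", 1)[-1]
        pairs.add((name, meta["version"]))
    return sorted(pairs)


def osv_query(name: str, version: str, ecosystem: str = "npm") -> dict:
    """One entry of the querybatch 'queries' array."""
    return {"package": {"name": name, "ecosystem": ecosystem}, "version": version}


def batch_requests(pairs, limit: int = OSV_BATCH_LIMIT) -> list[dict]:
    """Chunk queries into the minimum number of querybatch request bodies."""
    queries = [osv_query(n, v) for n, v in pairs]
    return [{"queries": queries[i:i + limit]} for i in range(0, len(queries), limit)]


def cache_key(name: str, version: str, ecosystem: str = "npm") -> str:
    """Per-package cache key (illustrative scheme, not the tool's actual cache layout)."""
    return hashlib.sha256(f"{ecosystem}\0{name}\0{version}".encode()).hexdigest()


def plan_scan(pairs, cache: set) -> tuple[list, list, list[dict]]:
    """Split packages into cache hits and misses; only misses become OSV requests."""
    hits, misses = [], []
    for n, v in pairs:
        (hits if cache_key(n, v) in cache else misses).append((n, v))
    return hits, misses, batch_requests(misses)


def synthetic_lock(n: int) -> dict:
    """Constructed lockfile with n distinct packages, for sizing the request count."""
    packages = {"": {"name": "big", "version": "0.0.0"}}
    packages.update({f"node_modules/pkg{i}": {"version": f"1.0.{i}"} for i in range(n)})
    return {"lockfileVersion": 3, "packages": packages}


def expected_request_count(n_packages: int, limit: int = OSV_BATCH_LIMIT) -> int:
    """Lower bound on network round trips for a cold scan."""
    return math.ceil(n_packages / limit)


if __name__ == "__main__":
    pairs = packages_from_npm_lock(SAMPLE_LOCK)
    print(f"{len(pairs)} unique packages -> {len(batch_requests(pairs))} OSV request(s)")
    big = packages_from_npm_lock(synthetic_lock(2500))
    print(f"2500 packages -> {len(batch_requests(big))} request(s), "
          f"floor is {expected_request_count(len(big))}")
    warm = {cache_key(n, v) for n, v in pairs}
    hits, misses, reqs = plan_scan(pairs, warm)
    print(f"warm cache: {len(hits)} hits, {len(misses)} misses, {len(reqs)} request(s)")
```

The useful comparison when profiling is the scanner's actual request count against `expected_request_count(n)`: anything above the ceiling means packages are being queried one at a time or re-queried across duplicate paths, and a warm second run should send zero requests for an unchanged lockfile if the cache is keyed per package rather than per whole-lockfile hash.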
Context
Discord uses Semgrep for most security scanning but CVE Lite CLI is net-new coverage for dependency vulnerability scanning in AI agent hooks and pre-commit workflows where Semgrep is too slow for their monorepo size.