Inspiration

Security teams waste hours manually checking dependencies against CVE databases. Every GitHub push and every npm install can pull in another version with a published advisory. I built Bugz to automate this: developers paste a GitHub URL or upload their manifest files and get instant security insights. No more manual hunting, and far fewer known vulnerabilities slipping through unnoticed.

What it does

Bugz scans GitHub repositories and uploaded dependency files (package.json, requirements.txt, go.mod, Cargo.toml) and instantly identifies known security vulnerabilities using the free OSV.dev and GitHub Security Advisories APIs.

Key features:

  • GitHub URL input or file upload (drag-and-drop)
  • Supports Node.js, Python, Go, and Rust projects
  • Severity ranking (Critical → Low) with actionable fix suggestions
  • Export results as JSON/CSV
  • Real-time scanning (most repos in <10 seconds)

Users get: advisory IDs (CVE/GHSA), package names, declared versions, recommended fixes, and direct links to vulnerability details.

How we built it

Frontend: React + Next.js 13 (TypeScript)
Styling: Tailwind CSS
Backend: Next.js API routes (serverless functions)
Vulnerability data: OSV.dev API + GitHub Security Advisories (both free, no auth)
Dependency parsing: Custom TypeScript parsers for package.json, requirements.txt, go.mod, Cargo.toml

Architecture:

  1. User uploads a manifest file or pastes a GitHub URL
  2. Backend fetches the manifest files from the repo or parses the upload
  3. Extracts every dependency as a name + version pair
  4. Queries the OSV.dev API (in batches) for each pair
  5. Deduplicates advisories by CVE ID and sorts by severity
  6. Frontend renders the interactive dashboard
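Steps 3 to 5 of the pipeline above, as an added TypeScript example that is not Bugz's own code. The querybatch request shape and the ecosystem names ("npm", "PyPI") follow the public OSV API; the two manifests, the advisory ids and the OSV response below are constructed placeholders, not real advisories. The example also makes one caveat visible that the architecture glosses over: a range such as ^4.17.15 is not an installed version, so a finding against its lower bound is tagged for verification against the lockfile.

```typescript
// Added example (not Bugz's code): manifest -> dependency list -> OSV querybatch
// payload -> deduplicated, severity-ranked findings. Ecosystem names follow the
// public OSV schema ("npm", "PyPI"); everything else here is illustrative.

type Ecosystem = "npm" | "PyPI";
type Dep = { ecosystem: Ecosystem; name: string; version: string; pinned: boolean };
type OsvVuln = { id: string; aliases?: string[]; database_specific?: { severity?: string } };
type Finding = { id: string; severity: string; packages: string[] };

// package.json: ranges (^1.2.3, ~1.2.3, >=1.2.3) are reduced to their lower bound and
// flagged pinned=false; specs with no semver at all ("latest", git URLs) cannot be queried.
function parsePackageJson(text: string): Dep[] {
  const doc = JSON.parse(text) as Record<string, Record<string, string> | undefined>;
  const deps: Dep[] = [];
  for (const section of [doc.dependencies, doc.devDependencies]) {
    for (const [name, spec] of Object.entries(section ?? {})) {
      const m = spec.match(/(\d+\.\d+\.\d+)/);
      if (!m) continue;
      deps.push({ ecosystem: "npm", name, version: m[1], pinned: /^\d/.test(spec.trim()) });
    }
  }
  return deps;
}

// requirements.txt: one requirement per line; comments, -r includes and --options are
// skipped; bare names without a version cannot be queried and are skipped too.
function parseRequirements(text: string): Dep[] {
  const deps: Dep[] = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line || line.startsWith("-")) continue;
    const m = line.match(/^([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(==|>=|~=|<=|!=|>|<)?\s*([0-9][^,;\s]*)?/);
    if (!m || !m[3]) continue;
    deps.push({ ecosystem: "PyPI", name: m[1].toLowerCase(), version: m[3], pinned: m[2] === "==" });
  }
  return deps;
}

// Body for POST https://api.osv.dev/v1/querybatch (one query per dependency; the
// response's results array is positional, so keep `deps` around to map results back).
function osvBatchPayload(deps: Dep[]) {
  return { queries: deps.map((d) => ({ package: { name: d.name, ecosystem: d.ecosystem }, version: d.version })) };
}

// Severity order for the dashboard; OSV mirrors of GitHub advisories use "MODERATE".
const RANK: Record<string, number> = { CRITICAL: 0, HIGH: 1, MODERATE: 2, MEDIUM: 2, LOW: 3, UNKNOWN: 4 };
const rank = (s: string) => RANK[s] ?? RANK.UNKNOWN;

// Group by CVE alias when the record has one (the same CVE shows up as separate
// GHSA/PYSEC ids per ecosystem), otherwise by OSV id; keep the worst severity seen.
function dedupeAndRank(deps: Dep[], results: { vulns?: OsvVuln[] }[]): Finding[] {
  const byId = new Map<string, Finding>();
  results.forEach((r, i) => {
    const d = deps[i];
    const label = `${d.ecosystem}:${d.name}@${d.version}${d.pinned ? "" : " (range, check lockfile)"}`;
    for (const v of r.vulns ?? []) {
      const id = v.aliases?.find((a) => a.startsWith("CVE-")) ?? v.id;
      const sev = (v.database_specific?.severity ?? "UNKNOWN").toUpperCase();
      const f = byId.get(id) ?? { id, severity: sev, packages: [] };
      if (rank(sev) < rank(f.severity)) f.severity = sev;
      if (!f.packages.includes(label)) f.packages.push(label);
      byId.set(id, f);
    }
  });
  return [...byId.values()].sort((a, b) => rank(a.severity) - rank(b.severity) || a.id.localeCompare(b.id));
}

// Constructed sample manifests and a constructed OSV response (placeholder ids, not real
// advisories). The real querybatch response carries only id/modified per vuln; aliases and
// severity come from a follow-up GET /v1/vulns/{id}, merged into one object here for brevity.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: { lodash: "^4.17.15", minimist: "1.2.0" },
  devDependencies: { "some-tool": "latest" },
});
const SAMPLE_REQUIREMENTS = ["# constructed", "requests==2.25.1", "Flask>=1.0  # range", "-r base.txt", "pyyaml"].join("\n");
const SAMPLE_OSV_RESULTS: { vulns?: OsvVuln[] }[] = [
  { vulns: [{ id: "GHSA-xxxx-xxxx-xx01", aliases: ["CVE-0000-0001"], database_specific: { severity: "HIGH" } }] },
  { vulns: [{ id: "GHSA-xxxx-xxxx-xx02", aliases: ["CVE-0000-0001"], database_specific: { severity: "CRITICAL" } }] },
  { vulns: [{ id: "PYSEC-0000-0001", database_specific: { severity: "MODERATE" } }] },
  { vulns: [] },
];

function scanSample(): { deps: Dep[]; findings: Finding[] } {
  const deps = [...parsePackageJson(SAMPLE_PACKAGE_JSON), ...parseRequirements(SAMPLE_REQUIREMENTS)];
  return { deps, findings: dedupeAndRank(deps, SAMPLE_OSV_RESULTS) };
}
```

With the constructed input, the two npm advisories collapse into one CVE finding at CRITICAL (the worst of the two records) listing both packages, the PyPI advisory stays separate under its PYSEC id, and the unpinned `Flask>=1.0` and `lodash` entries carry the lockfile warning so a reviewer knows the version that was queried is a lower bound, not what is actually installed.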

Deployment: Vercel (zero-config for Next.js)

Challenges we ran into

  1. OSV API rate limiting — querying 100+ dependencies meant hitting limits. Solution: Batch requests with backoff, cache results for 1 hour.

  2. Dependency file parsing — package.json's nested JSON and requirements.txt's line-based format are completely different. Solution: Built a separate parser for each format.

  3. GitHub raw content fetching — repos without a package.json would 404. Solution: Gracefully handle missing files, report which ones were found.

  4. UI responsiveness during scanning — long waits on large repos felt broken. Solution: Real-time progress indicator + execution time display.

  5. CVE deduplication — same vulnerability across multiple packages. Solution: Group by CVE ID, aggregate affected packages.
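Challenge 1 (batching, backoff and a one-hour cache), as an added TypeScript example that is not Bugz's code. The HTTP transport is injected so the block runs offline; in the app it would wrap a fetch of the OSV querybatch endpoint. The chunk size, retry count and backoff schedule are assumptions, and the fake transport with its placeholder advisory ids is constructed for the demo.

```typescript
// Added example (not Bugz's code): batch OSV queries, retry HTTP 429/5xx with exponential
// backoff and jitter, and cache each (ecosystem, name, version) result for one hour.

type Query = { package: { name: string; ecosystem: string }; version: string };
type VulnRef = { id: string; modified: string };
type BatchResponse = { results: { vulns?: VulnRef[] }[] };
type Transport = (body: { queries: Query[] }) => Promise<{ status: number; json: () => Promise<BatchResponse> }>;

const TTL_MS = 60 * 60 * 1000; // one-hour cache, as the page describes
const BATCH = 100; // queries per request (assumed chunk size, not an OSV limit)
const MAX_ATTEMPTS = 5;

class OsvClient {
  calls = 0; // transport calls actually made; useful for tests and dashboards
  private cache = new Map<string, { at: number; vulns: VulnRef[] }>();
  private post: Transport;
  private sleep: (ms: number) => Promise<void>;
  private now: () => number;

  constructor(post: Transport, sleep = (ms: number) => new Promise<void>((r) => setTimeout(r, ms)), now = () => Date.now()) {
    this.post = post;
    this.sleep = sleep;
    this.now = now;
  }

  private key(q: Query): string {
    return `${q.package.ecosystem}:${q.package.name}@${q.version}`;
  }

  // Returns key -> vulns. Duplicates in the input are collapsed, fresh cache entries are
  // served locally, and only the remainder goes to the API, in chunks.
  async query(queries: Query[]): Promise<Map<string, VulnRef[]>> {
    const out = new Map<string, VulnRef[]>();
    const pending: Query[] = [];
    for (const q of queries) {
      const key = this.key(q);
      if (out.has(key) || pending.some((p) => this.key(p) === key)) continue;
      const hit = this.cache.get(key);
      if (hit && this.now() - hit.at < TTL_MS) out.set(key, hit.vulns);
      else pending.push(q);
    }
    for (let i = 0; i < pending.length; i += BATCH) {
      const chunk = pending.slice(i, i + BATCH);
      const res = await this.postWithBackoff({ queries: chunk });
      chunk.forEach((q, j) => {
        const vulns = res.results[j]?.vulns ?? []; // results are positional
        this.cache.set(this.key(q), { at: this.now(), vulns });
        out.set(this.key(q), vulns);
      });
    }
    return out;
  }

  // Retry on 429 (rate limited) and 5xx; fail fast on any other 4xx (a malformed query
  // will not get better by retrying). Delay doubles each attempt with a little jitter.
  private async postWithBackoff(body: { queries: Query[] }): Promise<BatchResponse> {
    for (let attempt = 0; ; attempt++) {
      this.calls++;
      const r = await this.post(body);
      if (r.status === 200) return r.json();
      const retryable = r.status === 429 || r.status >= 500;
      if (!retryable || attempt + 1 >= MAX_ATTEMPTS) throw new Error(`OSV querybatch failed: HTTP ${r.status}`);
      await this.sleep(250 * 2 ** attempt + Math.random() * 100);
    }
  }
}

// Constructed fake transport: answers 429 twice, then succeeds with one placeholder
// vuln per query so the positional mapping is visible. Not real advisories.
function fakeTransport(): Transport {
  let n = 0;
  return async (body) => {
    n++;
    if (n <= 2) return { status: 429, json: async () => ({ results: [] }) };
    const results = body.queries.map((q) => ({ vulns: [{ id: `PLACEHOLDER-${q.package.name}`, modified: "2024-01-01T00:00:00Z" }] }));
    return { status: 200, json: async () => ({ results }) };
  };
}

async function demo(): Promise<{ firstCalls: number; secondCalls: number; keys: string[]; lodashId?: string }> {
  const client = new OsvClient(fakeTransport(), async () => {}, () => 0); // no real sleeping, frozen clock
  const queries: Query[] = [
    { package: { name: "lodash", ecosystem: "npm" }, version: "4.17.15" },
    { package: { name: "requests", ecosystem: "PyPI" }, version: "2.25.1" },
    { package: { name: "lodash", ecosystem: "npm" }, version: "4.17.15" }, // duplicate: queried once
  ];
  const first = await client.query(queries);
  const firstCalls = client.calls; // two 429s plus one success
  await client.query(queries); // second scan within the hour: served entirely from cache
  return { firstCalls, secondCalls: client.calls, keys: [...first.keys()], lodashId: first.get("npm:lodash@4.17.15")?.[0]?.id };
}
```

Because the cache is keyed on the exact version, a repository whose manifest has not changed costs zero API calls on a rescan, which is what makes the webhook-on-push idea in the roadmap affordable; a lockfile bump invalidates only the entries that changed.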

Accomplishments that we're proud of

  • Multi-language support on day 1 (Node, Python, Go, Rust)
  • Zero authentication required: uses only free, public APIs
  • Sub-10-second scanning for typical repos (~50 dependencies)
  • Clean UI
  • Handled edge cases: missing files, invalid repos, API failures
  • Export functionality (JSON/CSV) for integration with CI/CD pipelines
  • No runtime dependencies beyond React, Next.js and Tailwind

Business impact: A dev team of 10 scanning daily would save roughly 80 hours/year of manual security audits (a rough estimate). If it catches even one critical known vulnerability a year before it ships, the ROI is effectively infinite. (A scanner backed by advisory databases cannot catch 0-days; it catches what has already been published.)

What we learned

  1. OSV.dev is criminally underrated — it's a goldmine for free vuln data
  2. Dependency parsing is harder than expected (version pinning, ranges, etc.)
  3. Users hate spinning loaders — progress indicators convert anxiety to trust
  4. File upload + GitHub URL dual input increases adoption (users prefer drag-drop)
  5. Export formats matter — teams want JSON for pipelines, CSV for spreadsheets
  6. Security tools live or die on trust: a single false positive costs credibility

If I were rebuilding: Start with Node.js only, expand languages later. Real-time progress is non-negotiable for scanning UX.

What's next for Bugz

  • UI upgrade, now that there is more time
  • GitHub webhook integration (auto-scan on push)
  • Slack notifications for new critical vulns
  • CI/CD pipeline integration (GitHub Actions, GitLab CI)
  • Team dashboard (aggregate vuln trends across all repos)
  • Fix suggestions (auto-generate PRs for patch updates)
  • License compliance scanning (GPL, MIT conflicts)
  • Supply chain risk scoring (how many transitive deps are outdated?)
  • Integrations: Jira (auto-create tickets), PagerDuty (alert on critical)

Business potential:

  • 40M+ developers on GitHub = massive TAM
  • Every company with DevSecOps budget needs this
  • Potential acquisition by GitHub, GitLab, or Snyk
  • Freemium model: free for public repos, paid for private orgs
