Zorv - Self-hosted autonomous AI that fixes CVEs
Zorv is a self-hosted autonomous AI tool that automatically fixes CVEs in your CI/CD pipeline. It scans for vulnerable dependencies, upgrades them, and when tests break due to API changes, it intelligently rewrites code to pass tests, then opens a merge-ready PR. It runs in an isolated sandbox and supports 11+ LLM providers.
by OpenYF AI
Run it locally or inside your CI/CD. 100% self-hosted. Zero subscription fees.
THE CORE PROBLEM
Why bots fall short
Traditional Dependency Bots Break Your Builds. You Clean Up the Mess.
Standard tools like Dependabot and Renovate are great at finding outdated packages, but they only do half the job. When they bump a major package version:
- Breaks Tests
The package API changes, throwing errors and breaking your suite.
- Blocks Backlog
The PR sits gathering dust, requiring developers to fix manually.
- Triggers Alerts
Security teams continuously flag unresolved CVE security alerts.
Zorv fixes this by acting as an autonomous developer in your CI pipeline. When a package bump breaks your tests, Zorv analyzes the test failure, rewrites the obsolete API usage, verifies the tests pass, and opens a clean, merge-ready Pull Request.
QUICKSTART
See it in action
zorv-cli
$ docker run --rm -v $(pwd):/workspace -e ZORV_LICENSE="your_license_key" yusgev2/zorv:latest scan --dir /workspace
AUTONOMOUS PATCHING LIFECYCLE
The loop that secures your codebase
1
Audit & Scan
Zorv scans your repository using npm audit to extract patchable CVEs and target package versions.
2
Surgical Version Bump
It creates a new isolated Git branch and surgically upgrades the package in package.json.
3
Sandboxed Execution & Isolation
Zorv installs dependencies and runs your test suite inside an isolated Bubblewrap Linux sandbox. This blocks network access for tests, prevents directory traversal, and ensures untrusted code cannot touch your host OS.
4
AI Auto-Fix Loop
If tests fail, Zorv feeds the test logs and errors into your configured LLM (Azure OpenAI, Anthropic, Gemini, etc.) to rewrite the obsolete or broken API usage. It automatically repeats this loop until tests pass.
5
Commit & Open Pull Request
Once the tests are 100% green, Zorv stages only the modified source files, commits them, and opens a clean, merge-ready Pull Request with a clear explanation and diff summary.
SECURITY FIRST
Why Zorv is different
100% Self-Hosted CLI & Docker
Zorv runs entirely on your infrastructure. Your proprietary source code never leaves your network, keeping you fully compliant with SOC2, GDPR, and HIPAA.
Bubblewrap Isolation
The LLM-generated code runs in a hardened sandbox. Zorv blocks internet access for the tests, prevents directory traversal attacks, and isolates the host system.
11+ LLM Providers Supported
Plug in your own API keys. Zorv natively supports Azure OpenAI, OpenAI, Anthropic, Gemini, Grok, Groq, Cohere, TogetherAI, OpenRouter, and local models.
SOC2 Auditable Logs
Zorv generates append-only, ISO 8601-compliant JSONL logs documenting every single file read, write, and command execution for clear compliance verification.
CI/CD INTEGRATION
Drop into GitHub Actions in 60 Seconds
.github/workflows/zorv.yml
name: Zorv Autonomous Patching
on:
  schedule:
    - cron: '0 8 * * 1' # Runs every Monday at 8 AM
  workflow_dispatch:
jobs:
  patch:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
      - name: Run Zorv Patcher
        run: |
          docker run --rm \
            --security-opt seccomp=unconfined \
            -v ${{ github.workspace }}:/workspace \
            -e ZORV_LICENSE=${{ secrets.ZORV_LICENSE }} \
            -e LLM_PROVIDER=openai \
            -e OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }} \
            -e GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
            -e GITHUB_REPOSITORY=${{ github.repository }} \
            yusgev2/zorv:latest scan --dir /workspace
PROVIDERS
Works with
Mistral