From CVE to fix-ready plan, in context
When an issue carrying a CVE is labeled, or the command is invoked on it, Overcut identifies the affected repositories, clones them, and runs a security-focused session that parses the CVE, traces how the vulnerable package is actually used, assesses the real risk, weighs the remediation options, and posts a detailed plan; a /pr command then kicks off the fix.

The edge cases, covered
Security decisions you can defend — context-aware risk, every option weighed with trade-offs, and a human review gate before any code is implemented.
Context-aware risk
Instead of taking the CVSS base score at face value, it traces whether the vulnerable code path is actually reachable from the way your code uses the package and re-rates the risk accordingly.
Every option weighed
Dependency updates, alternative packages, code changes, mitigations, and workarounds are each evaluated with pros, cons, breaking changes, and rollback paths.
Human review gate
The plan is posted for your team to review before the /pr command triggers implementation, so critical fixes never auto-merge without sign-off.
Full dependency tree
It scans direct and transitive dependencies, lock files, and multiple instances across monorepos, covering runtime, dev, and build-time packages alike.
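The following is an added illustration of the lock-file side of that scan, written for this page rather than taken from Overcut. It walks the `packages` map of npm lock files (lockfileVersion 2 and 3) from several directories of a monorepo, finds every installed copy of a named package, including copies nested under another dependency and dev-only copies, checks each version against an advisory range, and flags whether each hit is a direct dependency of that package.json or a transitive one. The lock-file contents, the package names (`example-parser`, `web-kit`, `bundler`, `test-runner`) and the affected range are constructed for the example and describe no real advisory.

```python
"""Enumerate every instance of a vulnerable package across a monorepo's npm
lock files (lockfileVersion 2/3), including nested transitive copies and
dev-only copies, and check each against an advisory version range.

All lock-file data, package names and the affected range below are
constructed for illustration; they do not describe any real advisory.
"""
import re
from typing import Dict, List, Tuple

# --- Minimal semver handling (stdlib only) -----------------------------------
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(v: str) -> Tuple[int, int, int, Tuple]:
    """Turn '2.4.1' or '2.0.0-beta.1' into a sortable tuple.
    A pre-release sorts below the release it precedes: (0, tag) < (1,).
    Two pre-release tags are compared as plain strings, which is close
    enough for advisory ranges but not a full semver implementation."""
    m = _SEMVER.match(v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    return (major, minor, patch, (1,) if pre is None else (0, pre))


_OP = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "=": lambda a, b: a == b}
_CLAUSE = re.compile(r"(<=|>=|<|>|=)?\s*([0-9][0-9A-Za-z.\-]*)")


def in_range(version: str, spec: str) -> bool:
    """True if `version` satisfies `spec`, e.g. '>=2.0.0 <2.4.1'.
    Clauses separated by spaces are ANDed; '||' separates alternatives."""
    v = parse_version(version)
    for alternative in spec.split("||"):
        clauses = _CLAUSE.findall(alternative)
        if clauses and all(_OP[op or "="](v, parse_version(bound))
                           for op, bound in clauses):
            return True
    return False


# --- Lock-file walking --------------------------------------------------------
def instances_in_lockfile(lock: dict, pkg: str) -> List[dict]:
    """Every installed copy of `pkg` in one lock file's `packages` map."""
    packages = lock.get("packages", {})
    root = packages.get("", {})
    direct_names = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    found = []
    for path, meta in packages.items():
        if not path:
            continue  # "" is the root package itself
        # Installed name is everything after the last 'node_modules/'
        # (handles nested copies and scoped names like @scope/name).
        name = path.rsplit("node_modules/", 1)[-1]
        if name != pkg:
            continue
        found.append({
            "path": path,
            "version": meta.get("version"),  # absent for workspace links
            "dev": bool(meta.get("dev")),
            # A hoisted top-level copy is still transitive unless the root
            # package.json lists it itself.
            "direct": path == f"node_modules/{pkg}" and pkg in direct_names,
        })
    return found


def find_vulnerable(lockfiles: Dict[str, dict], pkg: str, affected: str) -> List[dict]:
    """Instances of `pkg` across all lock files whose version is in `affected`."""
    hits = []
    for lock_path, lock in lockfiles.items():
        for inst in instances_in_lockfile(lock, pkg):
            if inst["version"] and in_range(inst["version"], affected):
                hits.append({"lockfile": lock_path, **inst})
    return hits


def exposure(hits: List[dict]) -> str:
    """'runtime' if any hit ships in production, 'dev-only' if all hits are
    dev dependencies, 'none' if nothing vulnerable was installed."""
    if any(not h["dev"] for h in hits):
        return "runtime"
    return "dev-only" if hits else "none"


# --- Constructed monorepo: three lock files -----------------------------------
MONOREPO_LOCKFILES = {
    "services/api/package-lock.json": {
        "lockfileVersion": 3,
        "packages": {
            "": {"dependencies": {"example-parser": "^2.0.0", "web-kit": "^1.2.0"},
                 "devDependencies": {"test-runner": "^9.0.0"}},
            "node_modules/example-parser": {"version": "2.3.0"},   # direct, runtime
            "node_modules/web-kit": {"version": "1.2.5"},
            # web-kit pins an older range, so npm nests a second copy:
            "node_modules/web-kit/node_modules/example-parser": {"version": "2.1.9"},
            "node_modules/test-runner": {"version": "9.1.0", "dev": True},
        },
    },
    "tools/build/package-lock.json": {
        "lockfileVersion": 3,
        "packages": {
            "": {"devDependencies": {"bundler": "^5.0.0"}},
            "node_modules/bundler": {"version": "5.0.2", "dev": True},
            # pulled in by bundler: transitive and build-time only
            "node_modules/example-parser": {"version": "2.2.0", "dev": True},
        },
    },
    "packages/ui/package-lock.json": {
        "lockfileVersion": 2,
        "packages": {
            "": {"dependencies": {"example-parser": "^2.4.0"}},
            "node_modules/example-parser": {"version": "2.4.1"},   # already fixed
        },
    },
}
AFFECTED = ">=2.0.0 <2.4.1"  # constructed advisory range for example-parser

if __name__ == "__main__":
    hits = find_vulnerable(MONOREPO_LOCKFILES, "example-parser", AFFECTED)
    for h in hits:
        kind = "dev-only" if h["dev"] else ("direct" if h["direct"] else "transitive")
        print(f"{h['lockfile']}: {h['path']} @ {h['version']} ({kind})")
    print("overall exposure:", exposure(hits))
```

On the constructed data this reports three vulnerable copies: the direct runtime copy in services/api, the nested transitive copy under web-kit in the same lock file, and a dev-only transitive copy in tools/build; the 2.4.1 copy in packages/ui is outside the range and is not reported. The distinction matters for the plan: the nested copy under web-kit cannot be fixed by bumping the direct dependency alone, and the dev-only copy changes the risk rating without changing the build artefact.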
Audit-ready documentation
Each remediation captures the decision, alternatives considered, and rationale — a defensible record for compliance and security audit trails.
Fits your scanners and trackers
Drop in output from your existing security tooling and Overcut takes it from there, working across the repositories and issue tracker your team already relies on.
Running from day one
Triggers automatically when an issue is labeled needs-cve-remediation — typically set by triage — or on demand with the /remediate-cve command on any issue carrying CVE details. Paste a scanner report and it does the rest.