Jit + Upwind Integration Update: Automate Vulnerability Triage from Runtime Back to Code
Published July 8, 2025.
We’re excited to announce a big update to our integration with Upwind, designed to solve one of the biggest headaches in modern AppSec: figuring out which open source vulnerabilities actually pose a real risk in production — and tracing them back to the specific OSS root package that introduced them.
With this integration, Jit and Upwind automate two critical steps of the vulnerability triage process:
Determining whether open source security issues are truly exploitable in runtime.
Identifying exactly where those vulnerabilities originated in your software supply chain and repository and which dev teams own them, so they can be fixed fast.
The Problem: Manual Triage Doesn’t Scale
Upgrading packages to secure versions can be costly for developers who need to investigate whether upgrades cause breaking changes. To focus their time on resolving vulnerabilities that introduce real risk, AppSec teams are forced into a tedious, manual triage process, which could look something like this:
Check for known exploit code: Teams must research whether there is exploit code available in the wild that could make the vulnerability an actual threat.
Verify external exposure: They then confirm if the affected component is internet-facing and reachable by an attacker in a production environment — not hidden in internal-only services.
Confirm runtime usage: Next, they check whether the vulnerable package or function is truly loaded and executed in production, instead of just existing in a manifest or dependency tree.
Trace the source: If the vulnerability is exploitable, they must trace it back through the SDLC to find exactly where the package is defined in order to make the fix — often digging through CI/CD logs and version histories.
Identify ownership and create tickets: Finally, they need to figure out which developer or team owns the affected code, create a ticket with enough context, and follow up to make sure it’s prioritized and resolved before the next release.
When your backlog contains thousands of open source vulnerabilities, repeating this process manually for each finding is simply unfeasible — wasting hours of valuable time that could be spent actually securing your product.
Jit + Upwind: Real Risk, Real Source — Automated
The Jit + Upwind integration solves the challenge of vulnerability prioritization and remediation at the root:
Runtime Correlation with Upwind
Upwind continuously monitors containerized workloads using eBPF-based runtime sensors. It knows exactly which vulnerable packages and images are actually loaded into application code running in production — not just present in a repo or image manifest. This slashes false positives and shows your AppSec team which vulnerabilities are truly exploitable.
Once it's clear that a vulnerability needs to be prioritized, the questions become: Is it a root package or a dependency? Where is it in my codebase? This is where Jit comes in.
Root cause traceability and developer accountability with Jit
Rather than manually looking for the relevant package.json / requirements.txt that holds the list of the root packages and determining the right development team to resolve the issue, Jit tells you this information right away.
Jit provides the dependency graph needed to pinpoint the exact package at fault and a suggestion remediation if it exists — pinpointing the exact source repo, commit, pipeline, and developer owner that introduced the issue. This means every exploitable vulnerability is automatically traced back to the root cause of the vulnerability and people best equipped to fix it.
The result: AppSec teams instantly see what’s real, where it came from, and how to fix it — without the hours of manual detective work.
| SCA detection | Exploitability | Root cause traceability |
|---|---|---|
| Jit ✅ | | Jit ✅ |
| Upwind ✅ | Upwind ✅ | |
Integration Overview
Connecting Jit and Upwind is simple. Just generate API credentials in your Upwind account, plug them into Jit, and the integration starts syncing runtime signals immediately. Within minutes, runtime container findings appear in Jit, fully enriched with ownership, exposure, and code context.
Automate the full vulnerability mitigation lifecycle
By combining Jit’s code-to-cloud correlation with Upwind’s runtime intelligence, security teams gain:
Clarity on what’s actually exploitable: no more chasing dead-end alerts.
Full traceability to the root cause of the issue: a clear trail back to the specific package and team that introduced the risk.
Faster, context-rich remediation: right where developers work.
Stop wasting hours sorting through noise. With Jit + Upwind, your team can focus on what really matters: reducing real risk, faster.
Ready to see it in action? Connect Jit and Upwind today and bring runtime security clarity into your SDLC.
