Approaches presented herein enable a security risk manager embedded in an application to manage security vulnerabilities of the application. More specifically, the application comprises code entities such as components, packages, libraries, or microservices. The entities are modified as part of the application development process to have an enabled state, in which these entities are permitted to run normally when called, and a disabled state, in which these entities do not run when called but instead perform a back-out behavior such as generating an error message. At runtime, the application periodically accesses a security vulnerabilities database to check for security alerts. When a relevant security alert is found, the application changes any code entities that are affected by the security alert to the disabled state pending investigation by an operations team. The application notifies the operations team by sending a notification of the security alert to an external security monitoring tool.