A self-managed application-security platform. SCA, SAST, IaC, secrets, container scanning, attack paths, dependency firewall, and runtime monitoring on a single cryptographic signing root. Runs on your infrastructure. Air-gapped operation supported.
Every decision is a file you can verify offline.
A standalone dpndncy-verify binary ships with the platform. Hand the attestation to your auditor, your customer, your insurer — they verify the signature with your public key. No portal login. No vendor dependency. No remote infrastructure to outlive you.
$ dpndncy-verify trace.intoto.jsonl \
    --public-key /etc/dpndncy/agent-pub.pem
Signature: OK
Key: sha256:HmCC8oTtuG…
Type: https://dpndncy.io/agent/runtime-trace/v1
Subject: github-actions/acme/widget/1234567 sha256: a1b2c3d4e5f6…
Builder: urn:dpndncy:agent 0.1.0
Window: 2026-05-26T10:00:00Z → 2026-05-26T10:14:32Z
Mode: observe
Events: connect=412 exec=58 file=4 dns=23
Decisions: allow=489 warn=8 review=0 block=0
Trace log: sha256=a1b2c3… size=384921 (ndjson)
Top egress:
    registry.npmjs.org:443/tcp x37
    api.github.com:443/tcp x12
    objects.githubusercontent.com:443/tcp x6
Three layers sit on one signing root.
Every dpndncY capability shares the same exploitability-signal stack and the same DSSE-signing trust root. What changes between layers is where the decision lives.
Find the risk that matters.
Multi-ecosystem SCA across 17 ecosystems, native SAST across 13+ languages, IaC, container, secrets, attack paths. Findings ranked by KEV + EPSS + ExploitDB + reachability — not raw CVE count.
Stop risk at install and at runtime.
The Dependency Firewall refuses risky packages before they enter your tree. The eBPF Runtime Agent attaches to four kernel hooks on your CI runners; in enforce mode, cgroup-BPF denies non-allowlisted egress.
Portable, offline-verifiable evidence.
Every decision ships as a DSSE envelope over a SLSA in-toto Statement, signed with your keypair. A standalone dpndncy-verify binary checks it offline — no portal, no vendor dependency.
Threats come from everywhere. Your firewall lives here.
Every pink dot is a real, documented supply-chain incident — event-stream, ua-parser-js, ctx, colors / faker, XZ Utils, tj-actions/changed-files, dozens more. The cyan arcs are the threat signals (KEV, EPSS, ExploitDB, OSV, GHSA) flowing into your self-managed dpndncY install — where the decision actually gets made.
Auditable findings. Verifiable offline.
When a scanner labels a vulnerability severity High, that’s a claim. The signals behind the claim — the EPSS score and its source URL, the CISA KEV catalogue version, the ExploitDB entry IDs, the reachability proof identifying the call site, the CVSS vector, the policy version applied — that’s the evidence. dpndncY attaches the full evidence chain to every decision.
Most tools keep the evidence behind a login. We attach it to every decision as a signed payload that lives on your disk and verifies on a laptop with nothing more than the public key.
“Security decisions should be portable. If your customer or your regulator needs proof of a decision you made three years ago, they shouldn’t have to log into your vendor’s portal to get it.”
The eBPF Runtime Agent emits a DSSE-signed in-toto Statement summarising every CI job: outbound destinations, exec activity, sensitive file reads, DNS lookups — with the SHA-256 of the full event log bound into the signature. The Dependency Firewall and the scan engine produce structured decision evidence today; DSSE-signed firewall and scan attestations are on the roadmap.
The platform runs entirely on your infrastructure. No telemetry. No remote management. Air-gapped operation is supported by default — not a higher tier.
Run dpndncY on your infrastructure.
Read its decisions. Verify them offline.
Self-hosted, fully air-gappable, no telemetry. Every decision the platform makes is signed and verifiable with a public key. Early-access design partners get the full platform, direct engineering support, and input into the commercial model.