dpndncY
Capabilities
Block risky packages before install, then prove the decision.

Every capability dpndncY ships, in one list. The Dependency Firewall is the lead. The same multi-signal stack — CISA KEV, EPSS, ExploitDB, reachability, attack-path, license obligations — powers pre-install enforcement, SCA, SAST, container, IaC, and secrets scanning. Runtime decisions are emitted as DSSE-signed in-toto attestations; firewall and scan attestations are on the roadmap.

Core

Dependency Firewall + intelligence

Pre-install enforcement and the signal stack that powers it.

Dependency Firewall — pre-install enforcement

Block risky packages before they reach node_modules, site-packages, or the local Maven repository. Decisions draw on CISA KEV, EPSS, ExploitDB, JS/TS reachability, attack-path, license obligations, and version-pinning rules. Three modes: Enforce / Soak / Review. Bypass is routed through an approval workflow with an audit trail.

Pre-install · Approval-gated bypass · 7 package managers

Dependency intelligence

Direct + transitive dependency resolution across 30+ ecosystems with lockfile parsing and registry metadata normalisation.

30+ ecosystems

Vulnerability fusion

OSV + NVD + GHSA correlation. CVSS, EPSS, CISA KEV enrichment. Filter by match type to isolate advisory classes.

OSV · NVD · GHSA · KEV

Exploitability analysis

External exploit signals (EPSS / KEV / ExploitDB) plus code-level context to prioritise actual risk over CVE count.

Multi-signal prioritisation

License compliance + obligations

Detect, normalise, and surface license obligations: attribution, source disclosure, copyleft scope, patent grant, NOTICE files. Generates the manifest your legal team needs.

SPDX · Obligations · Copyleft

Policy gates

Thresholds for severity counts, CVSS ceilings, unresolved licenses, exploitability conditions. Explicit PASS/FAIL verdicts for CI/CD.

PASS / FAIL

SBOM & reporting

Export CycloneDX 1.5 SBOM, SPDX, SARIF 2.1.0, CSV, and PDF with correlated findings and remediation context.

CycloneDX · SPDX · SARIF

Container image scanning

OCI tarball parser walks every layer. 9 in-image ecosystems (Debian, Alpine, RPM, npm, PyPI, Go, Ruby, PHP, .NET). Per-layer SBOM.

OCI · 9 layer ecosystems

Signature / binary composition analysis

Identify open-source components inside compiled binaries, archives, and renamed or vendored source with no manifest. Content fingerprinting (file SHA-256, structural codeprints, fuzzy snippet shingles) matched against a component corpus — then correlated with the same vuln + license stack.

sha256 · codeprint · fuzzy snippet

Infrastructure-as-Code (IaC) scanning

Terraform, CloudFormation (JSON + YAML), Kubernetes manifests. Detects privilege-escalation, path traversal, insecure capabilities, CIS misconfigurations.

Terraform · CFN · K8s

Secrets detection

High-precision secret scanner covering AWS, GCP, Azure, GitHub, OpenAI, Anthropic, private keys, JWTs, DB connection strings. Entropy-checked. Inline suppression.

High-precision + entropy

eBPF Runtime Agent — signed trace per CI/CD job

Four CO-RE BPF programs hook connect, exec, security_file_open, and getaddrinfo on your CI runners. Auto-detects 9 CI platforms. cgroup-BPF connect4/connect6 actively denies non-allowlisted egress in enforce mode. DSSE-signed SLSA in-toto v1 Statement at job end. 21 MB static binary, amd64 + arm64.

eBPF · DSSE · SLSA in-toto v1 · cgroup-BPF enforce
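The envelope structure behind that DSSE-signed in-toto v1 Statement, as an added example that is not dpndncY's own code: it builds the DSSE pre-authentication encoding, wraps a constructed Statement, and shows how a consumer checks the signature, the statement type and the subject digest before trusting the trace. The key, key id, predicate type and trace contents are assumptions, and HMAC-SHA256 stands in for the asymmetric signature a real DSSE envelope carries.

```python
import base64, hashlib, hmac, json
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"

def pae(payload_type: str, payload: bytes) -> bytes:
    # DSSE Pre-Authentication Encoding: these bytes, not the raw JSON, are what gets signed
    return b"DSSEv1 %d %s %d %s" % (len(payload_type.encode()), payload_type.encode(), len(payload), payload)

def sign_statement(statement: dict, key: bytes, keyid: str) -> dict:
    # Wrap an in-toto Statement in a DSSE envelope; HMAC-SHA256 stands in for the real signature
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}

def verify_envelope(env: dict, trusted_keys: dict, subject_sha256: str):
    # Returns the Statement only if a trusted key signed it AND it covers the expected artifact
    if env.get("payloadType") != PAYLOAD_TYPE:
        return None
    payload = base64.b64decode(env["payload"])
    signed = pae(env["payloadType"], payload)
    for s in env.get("signatures", []):
        key = trusted_keys.get(s.get("keyid"))
        if key and hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(),
                                       base64.b64decode(s["sig"])):
            break
    else:
        return None  # no valid signature from a trusted key: ignore the payload entirely
    stmt = json.loads(payload)
    if stmt.get("_type") != STATEMENT_TYPE:
        return None
    if not any(x.get("digest", {}).get("sha256") == subject_sha256 for x in stmt.get("subject", [])):
        return None  # a valid attestation about a different artifact proves nothing here
    return stmt

# Constructed sample: artifact hash and a runtime-trace style Statement (not real dpndncY output)
SUBJECT_SHA256 = hashlib.sha256(b"constructed build artifact").hexdigest()
SAMPLE_STATEMENT = {
    "_type": STATEMENT_TYPE,
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": SUBJECT_SHA256}}],
    "predicateType": "https://example.invalid/ci-runtime-trace/v1",  # placeholder predicate type
    "predicate": {"egress": ["registry.npmjs.org:443"], "exec": ["/usr/bin/node"], "denied": []}}
def demo() -> dict:
    key = b"constructed-demo-key"
    env = sign_statement(SAMPLE_STATEMENT, key, "ci-key-1")
    tampered = dict(env, payload=base64.b64encode(b'{"_type":"forged"}').decode())
    return {"valid": verify_envelope(env, {"ci-key-1": key}, SUBJECT_SHA256) is not None,
            "wrong_key": verify_envelope(env, {"ci-key-1": b"other"}, SUBJECT_SHA256) is None,
            "tampered": verify_envelope(tampered, {"ci-key-1": key}, SUBJECT_SHA256) is None,
            "wrong_subject": verify_envelope(env, {"ci-key-1": key}, "00" * 32) is None}
```

The subject check matters as much as the signature: a correctly signed trace for some other job must not be accepted as evidence for this one.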

Code security

Beyond dependencies — secure your code

Proprietary SAST, attack-path visualisation, AI risk attribution, and automated remediation. All in the same scan workflow.

Proprietary SAST engine

Interprocedural taint / data-flow analysis across 24 languages — JS/TS, Python, Java, Kotlin, Scala, Groovy, C#, VB.NET, Go, PHP, Ruby, Swift, Objective-C, Dart, Apex, C, C++, CUDA, Fortran, JSP, Erlang, Elixir. Tracks user input from sources through sanitisers to sinks with a per-finding data-flow trace — not just regex. Framework-aware: Spring, JAX-RS, Struts, Hibernate, ASP.NET, Angular, React, Vue, jQuery, Rails, Django, Flask, Gin, Phoenix, and more.

24 languages · taint data-flow · 1,500+ rules

Attack Path Graph

Reachable vulnerabilities mapped through your dependency tree to potential exploit entry points. Paths scored by reachability, sink, CWE, AI-code amplification.

Force-directed graph · Path scoring

AI risk attribution

LOC-weighted attribution of AI-assisted code using git-signal + style heuristics. Co-locates AI density with security findings.

Git signal · Style analysis

Decision engine

Every vuln gets Patch Now (48h), Patch This Sprint (336h), Monitor (720h), or Accept Risk — from EPSS, KEV, reachability, ExploitDB. SLA timelines + rationale per finding.

48h / 336h / 720h SLAs

Auto-fix PRs

Auto-open PRs on GitHub, GitLab, self-hosted with version bumps + lockfile regen. Breaking-change analysis, manifest patching across 9 ecosystems.

GitHub · GitLab · Self-hosted

Native notifications

Auto-detected by hostname: Slack (Block Kit), Teams (Adaptive Card), Discord (embed), generic webhook. Severity-coded alerts + SMTP email.

Slack · Teams · Discord · Webhook · Email

Ticketing integrations

Native Jira + Linear API clients. Auto-create tickets from findings or firewall events. Round-trip status updates back to dpndncY.

Jira · Linear

Trend snapshots & risk-over-time

Per-scan snapshots with full risk-vector. Risk-over-time per project, ecosystem, severity, finding type — so review meetings start with "what changed".

Per-scan snapshots

Dependency health scoring

Per-package health: maintainer count, release cadence, install scripts, license clarity, vuln history. Surfaces low-health packages independent of CVE status.

Trust score · Maintainer signals

VS Code extension

Scan workspace, view SBOM + vuln results, check package risk inline. PAT auth against your self-hosted server.

Workspace scan · PAT auth · Inline

Compliance policy presets

17 built-in policy templates tuned for regulated industries — FedRAMP, HIPAA, PCI-DSS, ISO 26262 (automotive), NERC CIP (energy), DoD STIG, telecom, IoT, gaming, healthcare. Auto-apply per project.

FedRAMP · HIPAA · PCI-DSS · ISO 26262 · NERC CIP · DoD · +11 presets

Block risky packages before they’re installed.
Sign every decision.

Self-hosted, multi-tenant, with the same multi-signal exploitability stack across firewall, SCA, SAST, container, and IaC scanning.