Every capability dpndncY ships, in one list. The Dependency Firewall leads; the same multi-signal stack — CISA KEV, EPSS, ExploitDB, reachability, attack path, license obligations — powers pre-install enforcement, SCA, SAST, container, IaC and secrets scanning. Runtime decisions are emitted as DSSE-signed in-toto attestations; signed firewall and scan attestations are on the roadmap.
Dependency Firewall + intelligence
Pre-install enforcement and the signal stack that powers it.
Dependency Firewall — pre-install enforcement
Block risky packages before they reach node_modules, site-packages or the local Maven repository. Rules draw on CISA KEV, EPSS, ExploitDB, JS/TS reachability, attack path, license obligations and version pinning. Three modes: Enforce / Soak / Review. Bypasses are routed through an approval workflow with an audit trail.
Dependency intelligence
Direct + transitive dependency resolution across 30+ ecosystems with lockfile parsing and registry metadata normalisation.
Vulnerability fusion
OSV + NVD + GHSA correlation. CVSS, EPSS, CISA KEV enrichment. Filter by match type to isolate advisory classes.
Exploitability analysis
External exploit signals (EPSS / KEV / ExploitDB) plus code-level context to prioritise actual risk over CVE count.
License compliance + obligations
Detect, normalise, and surface license obligations: attribution, source disclosure, copyleft scope, patent grant, NOTICE files. Generates the manifest your legal team needs.
Policy gates
Thresholds for severity counts, CVSS ceilings, unresolved licenses, exploitability conditions. Explicit PASS/FAIL verdicts for CI/CD.
SBOM & reporting
Export CycloneDX 1.5 SBOM, SPDX, SARIF 2.1.0, CSV, and PDF with correlated findings and remediation context.
Container image scanning
OCI tarball parser walks every layer. 9 in-image ecosystems (Debian, Alpine, RPM, npm, PyPI, Go, Ruby, PHP, .NET). Per-layer SBOM.
Signature / binary composition analysis
Identify open-source components inside compiled binaries, archives, and renamed or vendored source with no manifest. Content fingerprinting (file SHA-256, structural codeprints, fuzzy snippet shingles) matched against a component corpus — then correlated with the same vuln + license stack.
Infrastructure-as-Code (IaC) scanning
Terraform, CloudFormation (JSON + YAML), Kubernetes manifests. Detects privilege escalation, path traversal, insecure capabilities and CIS misconfigurations.
Secrets detection
High-precision secret scanner covering AWS, GCP, Azure, GitHub, OpenAI, Anthropic, private keys, JWTs, DB connection strings. Entropy-checked. Inline suppression.
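The secrets scanner above combines format-specific patterns with an entropy check so that a key-like assignment is only reported when its value looks random, and an inline marker lets a reviewer suppress a known fixture. The following is an added example of that approach written for this page; it is not dpndncY's scanner. The patterns, the `secret-scan:allow` suppression marker, the 3.5 bits/char entropy floor and the sample lines are all constructed for the example (the AWS key is the one AWS uses in its own documentation).

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Rule pairs a pattern with the capture group holding the candidate secret and
// an optional Shannon-entropy floor (bits per char) the candidate must clear.
type Rule struct {
	Name       string
	Re         *regexp.Regexp
	Group      int
	MinEntropy float64
}

// Rules are ordered most specific first; Scan stops at the first match per line.
var rules = []Rule{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`), 0, 0},
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`), 0, 0},
	{"private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----`), 0, 0},
	{"db-connection-string", regexp.MustCompile(`\b[a-z][a-z0-9+.-]*://[^:/\s@]+:([^@\s"']+)@`), 1, 0},
	// Generic key/secret/token/password assignment: only fires when the value is high-entropy.
	{"generic-high-entropy", regexp.MustCompile(`(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*["']([A-Za-z0-9+/=_\-]{16,})["']`), 1, 3.5},
}

// suppressMarker is a hypothetical inline suppression comment for this example.
const suppressMarker = "secret-scan:allow"

type Finding struct {
	Line  int
	Rule  string
	Value string // redacted to the first four characters
}

// shannon returns the Shannon entropy of s in bits per character.
func shannon(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	n := 0
	for _, r := range s {
		counts[r]++
		n++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h
}

func redact(s string) string {
	if len(s) <= 4 {
		return "****"
	}
	return s[:4] + strings.Repeat("*", len(s)-4)
}

// Scan runs every rule over each line, honouring the suppression marker and
// the per-rule entropy floor, and reports at most one finding per line.
func Scan(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		if strings.Contains(line, suppressMarker) {
			continue
		}
		for _, r := range rules {
			m := r.Re.FindStringSubmatch(line)
			if m == nil {
				continue
			}
			cand := m[r.Group]
			if r.MinEntropy > 0 && shannon(cand) < r.MinEntropy {
				continue // looks like a placeholder, not a real credential
			}
			out = append(out, Finding{Line: i + 1, Rule: r.Name, Value: redact(cand)})
			break
		}
	}
	return out
}

// sample is constructed input: one real-format AWS example key, a connection
// string with an embedded password, a low-entropy placeholder, a high-entropy
// token, a suppressed fixture and a private-key header.
const sample = `AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_url = "postgres://app:hunter2@db.internal:5432/app"
api_key = "aaaaaaaaaaaaaaaaaaaaaaaa"
api_key = "x9Qf3LpZ7vB2nR8sT1wKd4Mj"
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJklmnop" // secret-scan:allow fixture
-----BEGIN RSA PRIVATE KEY-----`

func main() {
	for _, f := range Scan(sample) {
		fmt.Printf("line %d  %-22s %s\n", f.Line, f.Rule, f.Value)
	}
}
```

Lines 1, 2, 4 and 6 are reported; line 3 is dropped by the entropy floor and line 5 by the suppression marker. A real scanner would also scan git history and binary blobs, and would treat the suppression marker as reviewable policy rather than a free pass.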
eBPF Runtime Agent — signed trace per CI/CD job
Four CO-RE BPF programs hook connect, exec, security_file_open, and getaddrinfo on your CI runners. Auto-detects 9 CI platforms. cgroup-BPF connect4/connect6 actively denies non-allowlisted egress in enforce mode. DSSE-signed SLSA in-toto v1 Statement at job end. 21 MB static binary, amd64 + arm64.
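The agent's output, as the page describes it, is an in-toto v1 Statement wrapped in a DSSE envelope and signed at job end. The block below is an added example of that envelope format and of the verifier-side check a consumer would run; it is not dpndncY's agent code. What it uses from the standards: the in-toto v1 Statement fields (`_type`, `subject`, `predicateType`, `predicate`), the DSSE envelope fields (`payloadType`, `payload`, `signatures`) and the DSSE pre-authentication encoding `"DSSEv1" SP LEN(type) SP type SP LEN(body) SP body`. The predicate type, predicate body, subject digest (the SHA-256 of empty input, used as a placeholder), key ID and ed25519 keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is the in-toto Attestation Framework v1 Statement shape.
type Statement struct {
	Type          string         `json:"_type"`
	Subject       []Subject      `json:"subject"`
	PredicateType string         `json:"predicateType"`
	Predicate     map[string]any `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Envelope is the DSSE envelope; payload and sig are base64 (standard alphabet here).
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

const payloadType = "application/vnd.in-toto+json"

// pae is the DSSE Pre-Authentication Encoding: the bytes actually signed. Binding the
// payload type into the signed message prevents a signed body being replayed as a
// different payload type.
func pae(t string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(t), t, len(body), body))
}

// Sign wraps payload in a DSSE envelope with one ed25519 signature over PAE(type, payload).
func Sign(priv ed25519.PrivateKey, keyID string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, pae(payloadType, payload))
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify recomputes PAE from the envelope and accepts it if any signature validates
// under the trusted key. It returns the verified payload; callers must not parse the
// payload before this check succeeds.
func Verify(pub ed25519.PublicKey, env Envelope) ([]byte, error) {
	if env.PayloadType != payloadType {
		return nil, fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	msg := pae(env.PayloadType, payload)
	for _, s := range env.Signatures {
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			continue
		}
		if ed25519.Verify(pub, msg, sig) {
			return payload, nil
		}
	}
	return nil, errors.New("dsse: no valid signature for trusted key")
}

// Demo signs a constructed runtime-trace statement, verifies it, then edits the
// predicate (claiming "soak" instead of "enforce") without re-signing and shows
// that verification rejects the edited envelope.
func Demo() (verifiedOK bool, tamperRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	st := Statement{
		Type:    "https://in-toto.io/Statement/v1",
		Subject: []Subject{{Name: "ci-job-4242", Digest: map[string]string{"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}},
		PredicateType: "https://example.com/ci-runtime-trace/v1", // hypothetical predicate type
		Predicate: map[string]any{ // constructed trace summary
			"mode":   "enforce",
			"egress": []map[string]any{{"dst": "registry.npmjs.org:443", "allowed": true}, {"dst": "203.0.113.7:4444", "allowed": false}},
		},
	}
	payload, err := json.Marshal(st)
	if err != nil {
		return false, false, err
	}
	env := Sign(priv, "ci-runner-key-1", payload)
	got, err := Verify(pub, env)
	verifiedOK = err == nil && bytes.Equal(got, payload)

	tampered := env
	tampered.Payload = base64.StdEncoding.EncodeToString(bytes.Replace(payload, []byte(`"enforce"`), []byte(`"soak"`), 1))
	_, err = Verify(pub, tampered)
	return verifiedOK, err != nil, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("verified:", ok, "tamper rejected:", rejected, "err:", err)
}
```

Two checks a consumer should add that this example leaves out: look up `keyid` in a trusted key set instead of holding one key, and compare the statement's subject digest against the artifact actually produced by the job, since a valid signature only proves the agent said it, not that it describes this build. DSSE also permits URL-safe base64 in `payload` and `sig`; a production verifier accepts both alphabets.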
Beyond dependencies — secure your code
Proprietary SAST, attack-path visualisation, AI risk attribution, and automated remediation. All in the same scan workflow.
Proprietary SAST engine
Interprocedural taint / data-flow analysis across 24 languages, including JS/TS, Python, Java, Kotlin, Scala, Groovy, C#, VB.NET, Go, PHP, Ruby, Swift, Objective-C, Dart, Apex, C, C++, CUDA, Fortran, JSP, Erlang and Elixir. Tracks user input from sources through sanitisers to sinks with a per-finding data-flow trace — not just regex. Framework-aware: Spring, JAX-RS, Struts, Hibernate, ASP.NET, Angular, React, Vue, jQuery, Rails, Django, Flask, Gin, Phoenix, and more.
Attack Path Graph
Reachable vulnerabilities mapped through your dependency tree to potential exploit entry points. Paths scored by reachability, sink, CWE, AI-code amplification.
AI risk attribution
LOC-weighted attribution of AI-assisted code using git-signal + style heuristics. Co-locates AI density with security findings.
Decision engine
Every vulnerability is assigned one of four tiers, Patch Now (48h), Patch This Sprint (336h), Monitor (720h) or Accept Risk, derived from EPSS, KEV, reachability and ExploitDB signals. Each finding carries its SLA timeline and the rationale for the tier.
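The policy gates (PASS/FAIL thresholds on severity counts, CVSS ceilings, unresolved licenses and exploitability conditions) and the decision engine (SLA tiers from EPSS, KEV, reachability and ExploitDB) consume the same per-finding signals, so the added example below implements both over one finding record. It is written for this page and is not dpndncY's engine: the field names, the two policy presets, the tier thresholds (EPSS 0.5 and 0.1, CVSS 9.0 and 7.0) and the sample findings with placeholder IDs are all constructed. Only the four tier names and their 48h / 336h / 720h SLAs come from the page.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one correlated vulnerability on a package (constructed shape).
type Finding struct {
	ID           string
	Package      string
	CVSS         float64 // CVSS v3 base score
	EPSS         float64 // probability of exploitation in the next 30 days, 0..1
	InKEV        bool    // listed in CISA KEV
	HasExploitDB bool    // public exploit indexed
	Reachable    bool    // vulnerable code reachable from first-party code
}

type ScanResult struct {
	Findings           []Finding
	UnresolvedLicenses []string // packages whose license could not be determined
}

// Policy is a gate: every field is a threshold; any breach fails the gate.
type Policy struct {
	Name                 string
	MaxCritical, MaxHigh int
	CVSSCeiling          float64 // a single finding above this fails
	MaxUnresolvedLicense int
	BlockKEV             bool    // any KEV-listed finding fails
	BlockReachableEPSS   float64 // reachable finding with EPSS >= this fails (0 disables)
}

type Verdict struct {
	Pass    bool
	Reasons []string // one line per breached threshold, for the CI log
}

// severity maps a CVSS v3 base score to its qualitative rating band.
func severity(cvss float64) string {
	switch {
	case cvss >= 9.0:
		return "critical"
	case cvss >= 7.0:
		return "high"
	case cvss >= 4.0:
		return "medium"
	default:
		return "low"
	}
}

// Evaluate applies every policy threshold and returns an explicit verdict.
func Evaluate(p Policy, r ScanResult) Verdict {
	counts := map[string]int{}
	var reasons []string
	for _, f := range r.Findings {
		counts[severity(f.CVSS)]++
		if f.CVSS > p.CVSSCeiling {
			reasons = append(reasons, fmt.Sprintf("%s: CVSS %.1f exceeds ceiling %.1f", f.ID, f.CVSS, p.CVSSCeiling))
		}
		if p.BlockKEV && f.InKEV {
			reasons = append(reasons, fmt.Sprintf("%s: listed in CISA KEV", f.ID))
		}
		if p.BlockReachableEPSS > 0 && f.Reachable && f.EPSS >= p.BlockReachableEPSS {
			reasons = append(reasons, fmt.Sprintf("%s: reachable with EPSS %.2f >= %.2f", f.ID, f.EPSS, p.BlockReachableEPSS))
		}
	}
	if counts["critical"] > p.MaxCritical {
		reasons = append(reasons, fmt.Sprintf("%d critical findings, max %d", counts["critical"], p.MaxCritical))
	}
	if counts["high"] > p.MaxHigh {
		reasons = append(reasons, fmt.Sprintf("%d high findings, max %d", counts["high"], p.MaxHigh))
	}
	if len(r.UnresolvedLicenses) > p.MaxUnresolvedLicense {
		reasons = append(reasons, fmt.Sprintf("%d unresolved licenses, max %d", len(r.UnresolvedLicenses), p.MaxUnresolvedLicense))
	}
	return Verdict{Pass: len(reasons) == 0, Reasons: reasons}
}

type Decision struct {
	Tier      string
	SLAHours  int
	Rationale string
}

// Triage assigns an SLA tier. Thresholds are hypothetical; the ordering is what
// matters: exploited-in-the-wild and reachable first, unreachable-but-hot last.
func Triage(f Finding) Decision {
	switch {
	case f.Reachable && (f.InKEV || f.EPSS >= 0.5):
		return Decision{"Patch Now", 48, "reachable and KEV-listed or EPSS >= 0.5"}
	case f.InKEV || (f.Reachable && (f.EPSS >= 0.1 || f.HasExploitDB || f.CVSS >= 9.0)):
		return Decision{"Patch This Sprint", 336, "KEV-listed but unreachable, or reachable with an exploit signal"}
	case f.EPSS >= 0.1 || f.HasExploitDB || f.CVSS >= 7.0:
		return Decision{"Monitor", 720, "unreachable today; exploit signal or severity warrants a re-check"}
	default:
		return Decision{"Accept Risk", 0, "unreachable, low EPSS, no public exploit"}
	}
}

// SampleResult is constructed data; IDs are placeholders, not real CVEs.
func SampleResult() ScanResult {
	return ScanResult{
		Findings: []Finding{
			{ID: "VULN-1", Package: "pkg-a@1.2.3", CVSS: 9.8, EPSS: 0.93, InKEV: true, HasExploitDB: true, Reachable: true},
			{ID: "VULN-2", Package: "pkg-b@4.0.1", CVSS: 7.5, EPSS: 0.02, HasExploitDB: true, Reachable: true},
			{ID: "VULN-3", Package: "pkg-c@0.9.0", CVSS: 8.1, EPSS: 0.30},
			{ID: "VULN-4", Package: "pkg-d@2.2.0", CVSS: 5.3, EPSS: 0.01},
		},
		UnresolvedLicenses: []string{"pkg-e@3.1.4"},
	}
}

// Hypothetical presets standing in for an Enforce gate and a permissive Soak gate.
var (
	EnforcePolicy = Policy{Name: "enforce", MaxCritical: 0, MaxHigh: 2, CVSSCeiling: 9.0, MaxUnresolvedLicense: 0, BlockKEV: true, BlockReachableEPSS: 0.1}
	SoakPolicy    = Policy{Name: "soak", MaxCritical: 5, MaxHigh: 10, CVSSCeiling: 10.0, MaxUnresolvedLicense: 5}
)

func main() {
	r := SampleResult()
	for _, p := range []Policy{EnforcePolicy, SoakPolicy} {
		v := Evaluate(p, r)
		status := "PASS"
		if !v.Pass {
			status = "FAIL"
		}
		fmt.Printf("%s: %s\n  %s\n", p.Name, status, strings.Join(v.Reasons, "\n  "))
	}
	for _, f := range r.Findings {
		d := Triage(f)
		fmt.Printf("%s -> %s (%dh): %s\n", f.ID, d.Tier, d.SLAHours, d.Rationale)
	}
}
```

Against the sample, the enforce preset fails with five reasons (the critical count, the CVSS ceiling, the KEV listing, the reachable high-EPSS finding and the unresolved license) while the soak preset passes, which is the behaviour a Soak mode is for: run the same rules, record the verdict, block nothing. Keep the reasons list in the CI output; a bare FAIL trains developers to rerun rather than fix.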
Auto-fix PRs
Auto-open PRs on GitHub, GitLab, self-hosted with version bumps + lockfile regen. Breaking-change analysis, manifest patching across 9 ecosystems.
Native notifications
Channel type is auto-detected from the webhook URL's hostname: Slack (Block Kit), Teams (Adaptive Card), Discord (embed) or generic webhook. Severity-coded alerts, plus SMTP email.
Ticketing integrations
Native Jira + Linear API clients. Auto-create tickets from findings or firewall events. Round-trip status updates back to dpndncY.
Trend snapshots & risk-over-time
Per-scan snapshots with full risk-vector. Risk-over-time per project, ecosystem, severity, finding type — so review meetings start with "what changed".
Dependency health scoring
Per-package health: maintainer count, release cadence, install scripts, license clarity, vuln history. Surfaces low-health packages independent of CVE status.
VS Code extension
Scan the workspace, view SBOM and vulnerability results, and check package risk inline. Personal access token (PAT) authentication against your self-hosted server.
Compliance policy presets
17 built-in policy templates tuned for regulated industries — FedRAMP, HIPAA, PCI-DSS, ISO 26262 (automotive), NERC CIP (energy), DoD STIG, telecom, IoT, gaming, healthcare. Auto-apply per project.
Block risky packages before they’re installed.
Sign every decision.
Self-hosted, multi-tenant, with the same multi-signal exploitability stack across firewall, SCA, SAST, container, and IaC scanning.