Integrated engines working together so your team gets complete, actionable results from every scan mode.
🔍
Dependency intelligence
Dependency tree resolution with transitive visibility, lockfile parsing, and package metadata normalization across supported ecosystems.
Registry + lockfile correlation
🛡
Vulnerability fusion
Correlates OSV, NVD, and GHSA advisories, then enriches findings with CVSS details, EPSS probability, and CISA KEV status. Filter by match type (range or exact version) to isolate advisory classes for review.
CVE · GHSA · OSV · KEV
⚡
Exploitability analysis
Combines external exploit signals (EPSS / KEV) with available code-level context and package usage evidence to prioritize real risk first.
External + code context signals
⚖
License compliance
Detects and normalizes license metadata, flags unknown or unresolved entries, and provides package-level evidence for legal review.
Blocklist · allowlist · SPDX
🚧
Policy gates
Define thresholds for severity counts, CVSS ceilings, unresolved licenses, and exploitability conditions. Get explicit PASS / FAIL verdicts.
PASS / FAIL enforcement
📦
SBOM & reporting
Export CycloneDX SBOM, SARIF, CSV, UBOM, and PDF outputs with correlated findings and remediation context for audit and pipeline workflows.
CycloneDX · SARIF · PDF
📦
Container image scanning
Scan container images for dependency and vulnerability risk. Upload a Docker-save tarball or use an image reference to pull from a registry; get SBOM and vuln correlation for image layers.
Tarball · registry · OCI
📊
Upgrade risk assessment
Assess the net security risk of any version upgrade before patching. Compare vulnerability exposure on both the current and target version, surface compatibility changes, and get a clear upgrade recommendation — directly inside the vulnerability detail panel.
Net risk delta · inline in Findings
Ready to secure your supply chain?
Get full dependency visibility, vulnerability intelligence, and policy enforcement for your organization.
