Each capability below is a real, shipping product inside dpndncY — not a separate tool to license, install or monitor. They share the same exploitability signal stack and the same signing root.
Find the risk that actually matters.
Software Composition Analysis
Direct and transitive dependency resolution across 30+ ecosystems, correlated against OSV, NVD and GHSA, then ranked by real exploitability — not raw CVE count.
Static Application Security Testing
A proprietary interprocedural taint engine across 24 languages, tracking user input from source through sanitiser to sink with a per-finding data-flow trace. Confidence-tiered, so the noise doesn't bury the real bugs.
Secrets Detection
High-precision secret scanning across your codebase and config with entropy heuristics and inline suppression — tuned to surface real, exploitable secrets, not every high-entropy string.
Infrastructure-as-Code Security
Terraform, CloudFormation and Kubernetes manifests scanned for privilege escalation, insecure capabilities and CIS misconfigurations — in the same pass as your code and dependencies.
Container Image Scanning
An OCI tarball parser walks every layer, builds a per-layer SBOM and correlates vulnerabilities across nine in-image ecosystems — with base-image upgrade guidance.
CI/CD Pipeline Security
Static analysis of your pipeline definitions across six CI platforms — mapped to the OWASP Top 10 CI/CD risks, with concrete remediation on every finding.
Stop it at install time and at runtime.
Dependency Firewall
Multi-signal decisioning at admission time. Risky packages are rejected before they enter node_modules, site-packages or your local Maven repo — with a signed record of exactly why.
eBPF Runtime Agent
Four CO-RE eBPF programs hook connect, exec, file-open and DNS on your CI runners, correlate every event to the workflow step that caused it, and — in enforce mode — actively deny non-allowlisted egress.
Prove every decision, offline.
Signed Attestations
Firewall verdicts, scan results and runtime traces wrapped in DSSE over SLSA-style in-toto Statements, signed with your keypair. A standalone verifier ships with the platform — no vendor portal required.
Security Posture (ASPM)
SCA, SAST, IaC, secrets, containers and runtime findings unified into one prioritised view, with per-scan trend snapshots and portfolio risk over time — no data leaving your instance.