Direct and transitive dependency resolution across 30+ ecosystems, correlated against OSV, NVD and GHSA, then ranked by real exploitability — not raw CVE count.
What it does
30+ ecosystem resolution
Direct + transitive resolution across npm, PyPI, Maven, NuGet, Cargo, Go, RubyGems, Composer, Pub, CRAN, Conda, CPAN, OPAM, CocoaPods, SwiftPM, PEAR and Bazel — from lockfiles and registry metadata.
Vulnerability fusion
OSV + NVD + GHSA correlation with both CVE and GHSA identifiers on every finding, enriched with CVSS, EPSS and CISA KEV.
Exploitability-based ranking
CISA KEV, EPSS, ExploitDB and an exploit-window forecast fused with reachability so the top of the list is what can actually be exploited — not the highest CVSS.
Proprietary advisory layer
dpndncY Security Advisories (DSA) supplement the public feeds — matched into every scan on your own infrastructure, catching issues not yet published to public OSV.
License compliance
SPDX detection and copyleft classification (permissive / weak / strong) with obligation surfacing — attribution, source disclosure, NOTICE files, patent grant.
Reachability + attack path
For JS/TS, AST call-graph reachability maps each vulnerability from dependency to import to sink to HTTP entry point.
A proprietary interprocedural taint engine across 24 languages, tracking user input from source through sanitiser to sink with a per-finding data-flow trace. Confidence-tiered, so the noise doesn't bury the real bugs.
Multi-signal decisioning at admission time. Risky packages are rejected before they enter node_modules, site-packages or your local Maven repo — with a signed record of exactly why.
An OCI tarball parser walks every layer, builds a per-layer SBOM and correlates vulnerabilities across nine in-image ecosystems — with base-image upgrade guidance.