dpndncY
Application Security Platform · SCA · SAST · Attack Paths · Containers

The application security platform that connects dependencies, code, containers, and attack paths.

Multi-ecosystem SCA across 17 ecosystems. Native SAST with 400+ rules across 13+ languages, plus IaC and Kubernetes. Secrets detection, container image scanning, attack-path graph, JS/TS reachability, and exploitability intelligence (CISA KEV, EPSS, ExploitDB, exploit-window forecasting). Auto-fix PRs for GitHub and GitLab. AI risk profiling, license compliance, and a Dependency Firewall that blocks risky packages at install time — every decision sealed with a signed JWS attestation. Self-hosted. No vendor lock-in.

17 ecosystems
npm, PyPI, Maven, NuGet, Cargo, Go +12 more
400+ SAST rules
13+ languages incl. IaC and Kubernetes
KEV · EPSS · ExploitDB
Multi-signal exploitability fusion
Attack Paths
Reachability + risk amplification
Self-hosted
On-prem or air-gapped, no vendor lock-in

Every layer of application security in one platform

SCA, SAST, IaC, secrets, container, attack paths, exploitability fusion, and the Dependency Firewall — with policy gates, auto-fix PRs, and signed evidence.

📦
Multi-Ecosystem SCA

Resolve direct and transitive dependencies across 17 ecosystems — npm, PyPI, Maven, NuGet, Cargo, Go, RubyGems, Composer, Pub, CRAN, Conda, CPAN, OPAM, CocoaPods, SwiftPM, PEAR, and Bazel — correlated against OSV, NVD, and GHSA.

17 ecosystems OSV NVD GHSA
🎯
Exploitability Intelligence

Fuse CISA KEV, EPSS, ExploitDB, CVSS, and exploit-window forecasting (EWF) to prioritize what's actually weaponized — not just what's listed. Stop chasing CVE counts; chase real risk.

CISA KEV EPSS ExploitDB EWF
🛡
Dependency Firewall

Block risky packages before they're installed across npm, PyPI, Maven, NuGet, RubyGems, Cargo, and Go. Every allow / block / bypass carries a signed JWS attestation, verifiable offline with the public key.

Pre-install Registry proxy Signed attestation
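A worked illustration of the attestation pattern described in this card, added for this page and not taken from dpndncY's own code: a firewall decision is sealed as a compact JWS (RFC 7515) signed with Ed25519, and a verifier holding only the public key checks it offline. The Attestation field names, the package name and the reason strings are assumptions; the product's real claim schema and key distribution are not published on this page. The verifier pins the algorithm before it looks at the signature, and the demo shows a payload flipped from block to allow and an alg=none downgrade both being rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Attestation is the claim set sealed with each firewall decision.
// Field names are assumptions for this example, not the product's schema.
type Attestation struct {
	Decision string `json:"decision"` // "allow", "block" or "bypass"
	Package  string `json:"package"`  // ecosystem-qualified package name
	Version  string `json:"version"`
	Reason   string `json:"reason"`
	IssuedAt int64  `json:"iat"` // Unix seconds
}

// b64 is the unpadded base64url encoding JWS requires.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignAttestation emits a compact JWS (header.payload.signature) using EdDSA/Ed25519.
func SignAttestation(priv ed25519.PrivateKey, a Attestation) (string, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	payload, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64(sig), nil
}

// VerifyAttestation checks a compact JWS with nothing but the public key, so it
// works air-gapped. The algorithm is pinned to EdDSA before the signature is
// examined: a header claiming "none" or an HMAC alg is rejected outright.
func VerifyAttestation(pub ed25519.PublicKey, token string) (Attestation, error) {
	var a Attestation
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return a, errors.New("malformed compact JWS")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return a, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return a, err
	}
	if hdr.Alg != "EdDSA" {
		return a, fmt.Errorf("refusing alg %q; only EdDSA is accepted", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return a, err
	}
	// Verify over the exact encoded bytes, never over a re-serialised payload.
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return a, errors.New("signature verification failed")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return a, err
	}
	if err := json.Unmarshal(payload, &a); err != nil {
		return a, err
	}
	return a, nil
}

// DemoResult reports the outcome of the genuine token and the two forgeries.
type DemoResult struct {
	Decision      string // decision recovered from the genuine token
	TamperCaught  bool   // payload edited to "allow", original signature kept
	AlgNoneCaught bool   // header rewritten to alg "none", signature stripped
}

// Demo signs a constructed block decision, verifies it, then shows two forgeries failing.
func Demo() (DemoResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	genuine := Attestation{Decision: "block", Package: "npm:example-pkg", Version: "1.2.3",
		Reason: "policy: install-time script", IssuedAt: 1700000000} // constructed sample
	tok, err := SignAttestation(priv, genuine)
	if err != nil {
		return DemoResult{}, err
	}
	got, err := VerifyAttestation(pub, tok)
	if err != nil {
		return DemoResult{}, err
	}
	parts := strings.Split(tok, ".")
	// Forgery 1: flip the decision but reuse the original signature.
	forged := genuine
	forged.Decision = "allow"
	fp, _ := json.Marshal(forged)
	_, tamperErr := VerifyAttestation(pub, parts[0]+"."+b64(fp)+"."+parts[2])
	// Forgery 2: classic alg=none downgrade with an empty signature.
	noneHdr := b64([]byte(`{"alg":"none","typ":"JWT"}`))
	_, noneErr := VerifyAttestation(pub, noneHdr+"."+parts[1]+".")
	return DemoResult{Decision: got.Decision, TamperCaught: tamperErr != nil, AlgNoneCaught: noneErr != nil}, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The verifier never re-encodes the payload before checking the signature; it verifies over the base64url bytes exactly as received, which is what keeps an offline check and the signer in agreement regardless of JSON key ordering.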
🔍
SAST + IaC + Kubernetes

Native code analysis with 400+ rules across 13+ languages, plus IaC for Terraform and CloudFormation (JSON and YAML), and Kubernetes manifest scanning. Taint tracking and AI-context profiling included.

400+ rules 13+ languages Terraform Kubernetes
🕸
Attack Paths + Reachability

Connect vulnerable dependencies to imports, sinks, and HTTP routes in a scored graph. JS/TS reachability shows whether vulnerable code is actually executed in your call graph — not just declared.

Graph analysis Reachability Risk amplification
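A worked example of the two ideas in the Exploitability Intelligence and Attack Paths cards, added here and not code from dpndncY: a call graph from HTTP routes down into dependency functions, a multi-source BFS that finds the shortest attack path to each vulnerable symbol, and a triage order that puts reachable findings ahead of unreachable ones, then KEV-listed, then EPSS, then CVSS. The graph, the EX-nnnn advisory IDs, the package names and the signal values are all constructed for the example, and the ordering is an illustrative heuristic rather than the product's scoring.

```go
package main

import (
	"fmt"
	"sort"
)

// CallGraph maps a caller symbol to the symbols it calls. Entry points are HTTP
// routes; everything else is an app function or a dependency function.
type CallGraph map[string][]string

// Finding is an advisory pinned to the vulnerable function inside a dependency.
// IDs, packages and signal values used below are constructed for this example.
type Finding struct {
	ID       string
	Package  string
	VulnFunc string  // fully qualified symbol the advisory affects
	KEV      bool    // listed in CISA KEV
	EPSS     float64 // probability of exploitation in the next 30 days
	CVSS     float64
}

// ShortestPath runs a multi-source BFS from the entry points and returns the
// shortest route to target, or nil when no entry point can ever reach it.
func ShortestPath(g CallGraph, entries []string, target string) []string {
	prev := map[string]string{}
	seen := map[string]bool{}
	queue := make([]string, 0, len(entries))
	for _, e := range entries {
		seen[e] = true
		queue = append(queue, e)
	}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if n == target {
			var path []string
			for cur := n; cur != ""; cur = prev[cur] { // entries have no prev
				path = append([]string{cur}, path...)
			}
			return path
		}
		for _, callee := range g[n] {
			if !seen[callee] {
				seen[callee] = true
				prev[callee] = n
				queue = append(queue, callee)
			}
		}
	}
	return nil
}

// Ranked is a finding together with its attack path (nil when unreachable).
type Ranked struct {
	Finding
	Path []string
}

// Prioritize orders findings the way a triager reads them: reachable before
// unreachable, then KEV-listed, then by EPSS, then by CVSS. Illustrative only.
func Prioritize(g CallGraph, entries []string, findings []Finding) []Ranked {
	out := make([]Ranked, 0, len(findings))
	for _, f := range findings {
		out = append(out, Ranked{Finding: f, Path: ShortestPath(g, entries, f.VulnFunc)})
	}
	sort.SliceStable(out, func(i, j int) bool {
		a, b := out[i], out[j]
		if (a.Path != nil) != (b.Path != nil) {
			return a.Path != nil
		}
		if a.KEV != b.KEV {
			return a.KEV
		}
		if a.EPSS != b.EPSS {
			return a.EPSS > b.EPSS
		}
		return a.CVSS > b.CVSS
	})
	return out
}

// SampleGraph is a constructed web app with two routes and three dependencies.
var SampleGraph = CallGraph{
	"route:POST /upload": {"handlers.upload"},
	"handlers.upload":    {"lib.parseForm", "lib.audit"},
	"lib.parseForm":      {"depA.parse"},
	"depA.parse":         {"depA.internal.readChunk"},
	"route:GET /health":  {"handlers.health"},
	"handlers.health":    {"depC.sanitize"},
	"scripts.migrate":    {"depB.render"}, // dead code: no route leads here
}

var SampleEntries = []string{"route:POST /upload", "route:GET /health"}

// SampleFindings: the highest CVSS/EPSS item is unreachable and should sort last.
var SampleFindings = []Finding{
	{ID: "EX-0002", Package: "depB", VulnFunc: "depB.render", KEV: false, EPSS: 0.85, CVSS: 9.8},
	{ID: "EX-0003", Package: "depC", VulnFunc: "depC.sanitize", KEV: false, EPSS: 0.02, CVSS: 7.5},
	{ID: "EX-0001", Package: "depA", VulnFunc: "depA.internal.readChunk", KEV: true, EPSS: 0.40, CVSS: 7.5},
}

func main() {
	for _, r := range Prioritize(SampleGraph, SampleEntries, SampleFindings) {
		fmt.Printf("%s kev=%t epss=%.2f path=%v\n", r.ID, r.KEV, r.EPSS, r.Path)
	}
}
```

The point the sample data makes is that a 9.8 CVSS with a high EPSS sinks to the bottom when nothing in the call graph reaches it, while a KEV-listed 7.5 that sits four hops below an upload route comes first. Reachability is only as good as the call graph, so dynamic dispatch, reflection and eval-style sinks should be treated as potential edges, not as proof that a path does not exist.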
🐳
Container Image Scanning

Scan Docker-save tarballs or pull from any OCI registry. Per-layer SBOM, vulnerability correlation across 9 ecosystems inside the image, and base-image upgrade guidance.

OCI Layer SBOM 9 ecosystems Tarball or registry
🔑
Secrets Detection

700+ rules covering AWS, GCP, Azure, GitHub, Stripe, OAuth tokens, JWTs, and private keys. Findings linked to file and line, with entropy validation to suppress false positives.

700+ rules Cloud providers Entropy validation
🔧
Auto-Fix PRs + Policy Gates

Automatic remediation pull requests for GitHub, GitLab, and self-hosted instances — manifest patching, lockfile updates, lockfile regeneration. Policy-as-code with PASS/FAIL exit codes for CI/CD.

GitHub GitLab Lockfile patch CI native

Scan from your terminal — or CI pipeline

A single standalone binary for Windows, Linux, and macOS. No runtime required. One command to scan, one exit code to gate your build.

dpndncY CLI — Windows Terminal
  _|_|    _|_|_|    _|    _|    _|_|    _|    _|
_|    _|  _|    _|  _|_|  _|  _|    _|  _|_|  _|
_|    _|  _|_|_|    _|  _|_|  _|    _|  _|  _|_|
_|    _|  _|        _|    _|  _|    _|  _|    _|
  _|_|    _|        _|    _|    _|_|    _|    _|

  dpndncY Scan Engine — v2.9.0
  ----------------------------------------

09:45:01 INFO [dpndncy] --- scan.target  = /projects/my-app
09:45:01 INFO [dpndncy] --- scan.mode    = SCA, SAST
09:45:03 INFO [scan]    --- [1/6] Manifest Discovery
09:45:05 INFO [scan]    --- [2/6] Dependency Graph
09:45:18 INFO [scan]    --- [3/6] Vulnerability Lookup
09:45:47 WARN [results] --- [HIGH] CVE-2023-44487  express@4.18.1  fix: 4.19.2
09:45:47 WARN [results] --- [HIGH] CVE-2024-21538  cross-spawn@7.0.3  fix: 7.0.5
09:45:47 INFO [results] --- [LOW]  CVE-2024-4067   micromatch@4.0.5
09:45:48 INFO [policy]  --- POLICY FAIL — violations detected
09:45:48 INFO [dpndncy] --- Run complete. View results in the web UI.
One binary. No dependencies.
Download and run — no Node.js, no Python, no package manager required on the scanning machine.
🔒
All engines, one command
Run SCA, SAST, Secrets, AI Risk, and Attack Paths in parallel with a single command: dpndncy scan --all . (the trailing dot is the target path).
🚦
CI/CD native exit codes
Exit 0 = passed. Exit 1 = policy fail. Use the --ci flag for minimal output that won't clutter your pipeline logs.
🖥️
Windows, Linux, macOS
Pre-compiled binaries for all three platforms — use in GitHub Actions, GitLab CI, Jenkins, and Azure DevOps.
$ dpndncy scan .
$ dpndncy scan --all /path/to/project
$ dpndncy scan --ci --sca --sast .
$ dpndncy scan --repo https://github.com/org/repo
$ dpndncy scan --image nginx:latest

See every layer of your supply chain risk

Real screenshots from the platform — dashboard, vulnerabilities, SAST, attack paths, remediation, governance, and integrations.

Scan overview dashboard (screenshot)

7 feature areas. Full screenshots. Real platform.

Explore every view of the platform with real screenshots and detailed descriptions of what you can do at each step.


From scan to decision in minutes

Choose a scan mode and get dependency risk, code findings, and policy outcomes in one workflow.

1
Scan Dependencies

Scan a local path, uploaded manifest/zip, GitHub repo, or container image (tarball or registry). dpndncY resolves direct and transitive dependencies, then correlates OSV, NVD, GHSA, EPSS, and CISA KEV.

2
Analyze Code Context

Choose a scan mode that enables AI Risk and/or native SAST. dpndncY profiles AI-context concentration, structural code risk, and code-level findings for governance and remediation planning.

3
Correlate Attack Paths

Attack Paths link vulnerable dependencies to code sinks and reachable entry points. Risk amplification highlights combinations where vulnerable packages and higher AI-context code overlap.

4
Act & Enforce

Assess upgrade risk inline before patching, use remediation guidance and patch targets, and export results (CSV, CycloneDX, UBOM, SARIF, PDF) to fix faster and enforce policy in delivery pipelines.

One platform. Every layer. Self-hosted.

SCA, SAST, IaC, secrets, container, attack paths, exploitability fusion, AI risk, license compliance, auto-fix PRs, and the Dependency Firewall — all under one roof, on your infrastructure, with signed evidence on every decision.