dpndncY

Run dpndncY in a fully air-gapped environment.

Zero outbound network calls. The image is self-contained and advisory data is loaded from offline bundles — the default posture for regulated and classified environments.

1. Move the image across the gap

On a connected host, export the all-in-one image to a file; carry it in; load it on the target.

transfer image
# connected host
docker pull ghcr.io/dpndncy/server:latest
docker save ghcr.io/dpndncy/server:latest | gzip > dpndncy-image.tar.gz

# air-gapped host
gunzip -c dpndncy-image.tar.gz | docker load

Or use the prebuilt VM image — it boots with the container already baked in, no registry access required.

2. Start in air-gapped mode

run
docker run -d --name dpndncy --restart unless-stopped \
  -p 8080:8080 -v dpndncy-data:/data \
  -e DPNDNCY_AIRGAPPED=1 \
  -e DPNDNCY_SIGNING_KEY_PATH=/data/keys/signing.key \
  ghcr.io/dpndncy/server:latest

DPNDNCY_AIRGAPPED=1 disables every outbound call (registry metadata, live advisory APIs, telemetry — there is no telemetry regardless).
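Steps 1 and 2 as one script, added here as an example and not part of the dpndncY documentation: the connected host writes a SHA-256 sidecar next to the saved image, and the air-gapped host re-hashes the tarball against it and refuses to `docker load` on a mismatch, so a corrupted or swapped archive never reaches the daemon. The `DOCKER` and `IMAGE` variables are this example's own conventions (overridable so the check can be exercised without a Docker daemon).

```shell
#!/bin/sh
# Added example, not part of the dpndncY documentation: move the saved image
# across the gap with a SHA-256 sidecar and refuse to load it unless the
# checksum matches. DOCKER is overridable so the check itself can be
# exercised without a Docker daemon (e.g. DOCKER=true).
set -eu

IMAGE="${IMAGE:-ghcr.io/dpndncy/server:latest}"
DOCKER="${DOCKER:-docker}"

# Connected host: save the image and write "<sha256>  <file>" next to it.
export_image() {
  out="$1"
  "$DOCKER" pull "$IMAGE"
  "$DOCKER" save "$IMAGE" | gzip > "$out"
  ( cd "$(dirname "$out")" && f="$(basename "$out")" && sha256sum "$f" > "$f.sha256" )
}

# Air-gapped host: re-hash the tarball against the sidecar before loading.
# Returns 2 if a file is missing, 1 on mismatch; nothing is loaded either way.
verify_and_load() {
  tarball="$1"
  [ -f "$tarball" ] && [ -f "$tarball.sha256" ] || return 2
  ( cd "$(dirname "$tarball")" \
      && sha256sum -c --status "$(basename "$tarball").sha256" ) || return 1
  gunzip -c "$tarball" | "$DOCKER" load
}

# Air-gapped host: start the container exactly as in step 2.
start_airgapped() {
  "$DOCKER" run -d --name dpndncy --restart unless-stopped \
    -p 8080:8080 -v dpndncy-data:/data \
    -e DPNDNCY_AIRGAPPED=1 \
    -e DPNDNCY_SIGNING_KEY_PATH=/data/keys/signing.key \
    "$IMAGE"
}

case "${1:-}" in
  export) export_image "${2:-dpndncy-image.tar.gz}" ;;
  load)   verify_and_load "${2:-dpndncy-image.tar.gz}" && start_airgapped ;;
esac
```

Run `./airgap.sh export` on the connected host and `./airgap.sh load` on the target; carry both `dpndncy-image.tar.gz` and its `.sha256` sidecar across the gap.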

3. Advisory + signature data via offline bundles

  • Vulnerability data — OSV / NVD / GHSA / KEV / EPSS / ExploitDB are loaded from a signed offline bundle, refreshed from a side-channel host on your schedule.
  • Signature corpus — the binary/source fingerprint corpus ships as a file and is mounted into /data; rebuild or extend it offline with the bundled corpus builder.
  • SCA resolution — lockfile-based ecosystems resolve fully offline. Registry-assisted resolution (e.g. Maven transitive fetch) requires an internal mirror.

Signing keys

Sigstore keyless signing is unavailable without network. Air-gapped installs use a local keypair (DPNDNCY_SIGNING_KEY_PATH); verify attestations with the offline dpndncy-verify binary and your public key.