dpndncY
Capabilities

Block risky packages before install — then prove the decision

The Dependency Firewall is dpndncY's lead capability. The same multi-signal stack — CISA KEV, EPSS, ExploitDB, reachability, attack-path, trust-delta — powers pre-install enforcement, full SCA, SAST, container, IaC, and secrets scanning. Every decision the firewall makes carries a signed JWS attestation, verifiable offline.

Dependency Firewall — pre-install enforcement
Block risky packages before they enter node_modules, site-packages, or your local Maven repo. Multi-signal decisioning combines KEV, EPSS, ExploitDB, JS/TS reachability, attack-path graphs, license obligations, and trust-delta gating (alerts on trust-score drops relative to the last approved version, which catches typosquats and maintainer takeovers that absolute thresholds miss). Three modes: Enforce, Soak / monitor-only, Review. Bypass requires a signed waiver, an expiring token, or a human approver, and bypass attempts are themselves audited.
Pre-install · Trust-delta · Signed JWS evidence · npm / PyPI / Maven / NuGet / RubyGems / Cargo / Go
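The trust-delta gate and the three firewall modes described above, as an added example that is not dpndncY's own code. The trust scores, the absolute floor (0.50), the drop threshold (0.25) and the package history are constructed assumptions; the point shown is that a takeover release can stay above an absolute floor while still failing the delta check.

```python
"""Trust-delta gate for a pre-install dependency firewall (illustrative).

Added example, not dpndncY's code. Scores, thresholds and history below are
constructed assumptions.
"""
from dataclasses import dataclass, field

ABSOLUTE_MIN = 0.50   # assumed: block below this trust score
MAX_DROP = 0.25       # assumed: alert when score falls this far vs. last approved

# Constructed history: package -> {version: trust score}. The 2.0.0 release
# models a maintainer takeover: above the absolute floor, but a sharp drop.
HISTORY = {
    "left-pad-ish": {"1.3.0": 0.92, "1.3.1": 0.90, "2.0.0": 0.61},
}
LAST_APPROVED = {"left-pad-ish": "1.3.1"}   # constructed approval record


@dataclass
class Verdict:
    decision: str                     # "allow", "block", or "needs-approval"
    enforced: bool                    # False in Soak mode: logged, install proceeds
    reasons: list = field(default_factory=list)


def absolute_only(pkg, version):
    """The naive gate the text contrasts with: absolute threshold alone."""
    return HISTORY[pkg][version] >= ABSOLUTE_MIN


def evaluate(pkg, version, mode="enforce"):
    """Return the firewall verdict for installing pkg@version under a mode."""
    score = HISTORY[pkg][version]
    reasons = []
    if score < ABSOLUTE_MIN:
        reasons.append(f"trust {score:.2f} below absolute floor {ABSOLUTE_MIN}")
    approved = LAST_APPROVED.get(pkg)
    if approved is not None:
        drop = HISTORY[pkg][approved] - score
        if drop > MAX_DROP:
            reasons.append(f"trust dropped {drop:.2f} vs. approved {approved}")
    if not reasons:
        return Verdict("allow", True)
    if mode == "soak":          # monitor-only: record the would-be block
        return Verdict("allow", False, reasons)
    if mode == "review":        # hold the install for a human approver
        return Verdict("needs-approval", True, reasons)
    return Verdict("block", True, reasons)   # enforce mode
```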
Dependency intelligence
Dependency tree resolution with transitive visibility, lockfile parsing, and package metadata normalization across 17 ecosystems: npm, Maven, PyPI, Go, Cargo, Composer, NuGet, RubyGems, C/C++, CPAN, CRAN, Dart, Hex, OPAM, Swift, plus generic fallback.
17 ecosystems · Registry + lockfile correlation
Vulnerability fusion
Correlates OSV, NVD, and GHSA advisories, then enriches findings with CVSS details, EPSS probability, and CISA KEV status. Filter by match type (range or exact version) to isolate advisory classes for review.
CVE · GHSA · OSV · KEV
Exploitability analysis
Combines external exploit signals (EPSS / KEV) with available code-level context and package usage evidence to prioritize real risk first.
External + code context signals
License compliance
Detects and normalizes license metadata, flags unknown or unresolved entries, and provides package-level evidence for legal review.
Blocklist · allowlist · SPDX
Policy gates
Define thresholds for severity counts, CVSS ceilings, unresolved licenses, and exploitability conditions. Get explicit PASS / FAIL verdicts.
PASS / FAIL enforcement
SBOM & reporting
Export CycloneDX SBOM, SARIF, CSV, UBOM, and PDF outputs with correlated findings and remediation context for audit and pipeline workflows.
CycloneDX · SARIF · PDF
Container image scanning
Parses Docker-save tarballs and resolves packages from 9 ecosystems inside container layers (Debian, Alpine, RPM, npm, PyPI, Go, Ruby, PHP, Rust, .NET). The OCI tar parser handles every layer's package manifest, with SBOM and vulnerability correlation per image layer.
OCI tarball · 9 layer ecosystems · SBOM correlation
Infrastructure-as-Code (IaC) scanning
Terraform, CloudFormation (JSON + YAML), and Kubernetes manifests. Detects privilege-escalation (CWE-269), path traversal (CWE-22), insecure capability/host settings, and CIS-aligned misconfigurations across the IaC layer.
Terraform · CloudFormation · Kubernetes
Secrets detection
731-rule secret scanner covering AWS keys, GCP service accounts, Azure credentials, GitHub/GitLab tokens, OpenAI/Anthropic API keys, private keys, JWTs, database connection strings, and many more. Inline suppression supported.
731 rules · Inline suppression
Upgrade risk assessment
Assess the net security risk of any version upgrade before patching. Compare vulnerability exposure on both the current and target version, surface compatibility changes, and get a clear upgrade recommendation — directly inside the vulnerability detail panel.
Net risk delta · inline in Findings
Beyond dependencies — secure your code
Proprietary static analysis, attack path visualization, AI risk attribution, and automated remediation. All in the same scan workflow.
Proprietary SAST engine
AST-based taint analysis for JavaScript/TypeScript and Python, plus deep pattern analysis across Java, C#, Go, PHP, Ruby, Kotlin, C/C++, IaC, and GraphQL. Tracks data flow from user-controlled sources through sanitizers to dangerous sinks — detecting injection flaws, path traversal, SSRF, XSS, hardcoded secrets, and more.
JS · TS · Python · Java · C# · Go · PHP · Ruby · Kotlin · C/C++ · IaC · GraphQL
Attack Path Graph
Visualizes how reachable vulnerabilities connect through your dependency tree to potential exploit entry points. Each path is scored by reachability, sink type, CWE mapping, and AI-code amplification.
Force-directed graph · Path scoring
AI risk attribution
Estimates the proportion of AI-assisted code in your repository using git-signal analysis and style heuristics. Surfaces AI-code co-location with security findings for informed risk attribution.
Git signal · Style analysis · Risk overlay
Decision engine
Every vulnerability gets a prioritized instruction — Patch Now, Patch This Sprint, Monitor, or Accept Risk — from EPSS scores, CISA KEV status, reachability signals, and exploit database presence. Includes SLA timelines and human-readable rationale per finding.
48h / 336h / 720h SLAs
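The decision engine described above, as an added example that is not dpndncY's own code. Only the four instruction names and the 48h / 336h / 720h SLAs come from the page; the rule ordering, the EPSS cut-offs and the sample findings are constructed assumptions.

```python
"""Signals -> prioritized instruction with SLA and rationale (illustrative).

Added example, not dpndncY's code. Rule order, EPSS cut-offs and sample
findings are constructed assumptions; instruction names and SLA hours
are the ones the page lists.
"""
from dataclasses import dataclass

SLA_HOURS = {"Patch Now": 48, "Patch This Sprint": 336, "Monitor": 720,
             "Accept Risk": None}
EPSS_HIGH = 0.10   # assumed: likely to be exploited soon
EPSS_LOW = 0.01    # assumed: negligible exploitation probability


@dataclass
class Finding:
    fid: str           # constructed finding id, not a real CVE
    epss: float        # EPSS probability
    kev: bool          # listed in CISA KEV
    reachable: bool    # vulnerable code reachable from the application
    exploit_db: bool   # public exploit present in an exploit database


def decide(f):
    """Return (instruction, sla_hours, rationale) for one finding."""
    if f.kev:
        return "Patch Now", SLA_HOURS["Patch Now"], "in CISA KEV: exploited in the wild"
    if f.reachable and (f.epss >= EPSS_HIGH or f.exploit_db):
        why = f"reachable and EPSS {f.epss:.2f} high or public exploit available"
        return "Patch Now", SLA_HOURS["Patch Now"], why
    if f.reachable or f.epss >= EPSS_HIGH or f.exploit_db:
        why = "one strong signal: reachable, high EPSS, or public exploit"
        return "Patch This Sprint", SLA_HOURS["Patch This Sprint"], why
    if f.epss < EPSS_LOW:
        return "Accept Risk", SLA_HOURS["Accept Risk"], "unreachable, negligible EPSS"
    return "Monitor", SLA_HOURS["Monitor"], "unreachable, low EPSS: watch for change"


def triage(findings):
    """Order findings by SLA urgency (tightest first, Accept Risk last)."""
    rows = [(f.fid, *decide(f)) for f in findings]
    return sorted(rows, key=lambda r: (r[2] is None, r[2] or 0))


# Constructed sample findings
SAMPLE = [
    Finding("F-1", 0.05, False, False, False),
    Finding("F-2", 0.001, False, False, False),
    Finding("F-3", 0.40, False, True, False),
    Finding("F-4", 0.02, True, False, False),
    Finding("F-5", 0.02, False, True, False),
]
```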
Remediation PRs
Automatically open pull requests on GitHub, GitLab, and self-hosted instances with version bumps and lockfile regeneration for fixable vulnerabilities. Includes breaking-change analysis, manifest patching across 9 ecosystems, and PR decoration with the full evidence bundle. Select specific CVEs, configure the target branch, and track PR status from the monitoring dashboard.
GitHub · GitLab · Self-hosted · Lockfile regen · Breaking-change analysis
Native notifications
Webhook format is auto-detected from the endpoint hostname: Slack (Block Kit), Microsoft Teams (Adaptive Card), Discord (embed), or generic JSON webhook. Severity-coded alerts on new findings, policy failures, and firewall blocks. Email (SMTP) supported in parallel.
Slack · Teams · Discord · Webhook · Email
Ticketing integrations
Native Jira and Linear integration. Auto-create tickets from findings or firewall events with severity, evidence bundle link, and remediation guidance attached. Round-trip status updates back to dpndncY.
Jira · Linear
Trend snapshots & risk-over-time
Automatic per-scan snapshots with the full risk-vector preserved. Historical trend engine surfaces risk-over-time per project, per ecosystem, per severity, and per finding type — so the security review meeting starts with "what changed since last month."
Per-scan snapshots · Risk delta over time
Dependency health scoring
Per-package health score combining maintainer count, release cadence, install scripts, license clarity, and vulnerability history. Surfaces low-health packages independent of their CVE status — future risk indicators, not just known vulns.
Trust score · Maintainer signals · Anomaly index
License obligations engine
Beyond allow/deny: surfaces the actual obligations triggered by each license (attribution, source disclosure, copyleft scope, patent grant, NOTICE file requirements). Generates the obligation manifest your legal team needs.
SPDX · Obligation graph · Copyleft scope
VS Code extension
Scan your open workspace, view SBOM and vulnerability results, and check individual package risk — all within VS Code. Authenticates with your dpndncY instance via Personal API Token.
Workspace scan · PAT auth · Inline results
Compliance policy presets
17 built-in policy templates tuned for regulated industries — FedRAMP, HIPAA, PCI-DSS, ISO 26262 (automotive), NERC CIP (energy), DoD STIG, telecommunications, IoT, gaming, healthcare, and more. Presets auto-apply to workspace scans and are selectable per monitored project.
FedRAMP · HIPAA · PCI-DSS · ISO 26262 · NERC CIP · DoD · +11 presets

Block risky packages before they're installed.

Snyk finds them after. dpndncY blocks them before — and signs the proof. Self-hosted, multi-tenant, with the same multi-signal exploitability stack across firewall, SCA, SAST, container, and IaC scanning.