From install-time block to remediated PR — one workflow
The Dependency Firewall is the first stop. If a package passes, it's installed; if not, it's blocked with signed evidence. Every install-time decision feeds the same downstream pipeline as full scans — correlate, decide, remediate, monitor.
00
Block
Pre-install firewall decision
Every {ecosystem, name, version} request hits the firewall first. Multi-signal decisioning combines KEV, EPSS, ExploitDB, reachability, license obligations, and trust-delta, and returns in under a second on cache hits. The verdict is Allow, Block, or Review, and every decision carries a signed JWS attestation.
01
Scan
Map dependencies & code
Scan via project path, GitHub/GitLab repo, manifest upload, zip, or container image (Docker-save tarball). dpndncY resolves direct and transitive dependencies across 17 ecosystems and runs SAST on source code in the same pass — 404 rules across 13+ languages, plus IaC (Terraform, CloudFormation, Kubernetes) and 731-rule secret detection.
02
Enrich
Correlate risk data
Vulnerability data (OSV / NVD / GHSA), CVSS, EPSS probability, CISA KEV status, ExploitDB cross-reference, JS/TS reachability, attack-path graphs, license obligations, dependency health scores, and SAST code findings are merged and deduplicated into a unified result set.
03
Decide
Prioritize & enforce
The decision engine assigns every finding a patch instruction — Patch Now (48h), Patch Sprint (336h / 14d), Monitor (720h / 30d), or Accept — with an SLA and a rationale. Security policies gate on severity, CVSS, exploitability, and license obligations. Each decision is signed as a JWS attestation that can be verified offline with the dpndncY public key.
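What offline verification of such an attestation looks like in practice, as an added example that is not dpndncY's own code: the page gives neither the payload schema nor the signature algorithm, so this assumes a constructed JSON decision payload signed as a compact JWS with EdDSA (Ed25519, RFC 8037), and it pins the alg header before checking the signature.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Decision is a constructed attestation payload for illustration; the real dpndncY schema is not on the page.
type Decision struct {
	Ecosystem string `json:"ecosystem"`
	Name      string `json:"name"`
	Version   string `json:"version"`
	Verdict   string `json:"verdict"` // Allow / Block / Review
	Reason    string `json:"reason"`
}
var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url (RFC 7515)

// SignDecision emits a compact JWS (alg EdDSA, RFC 8037) over the decision: header.payload.signature.
func SignDecision(d Decision, priv ed25519.PrivateKey) (string, error) {
	payload, err := json.Marshal(d)
	if err != nil {
		return "", err
	}
	header := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
	signingInput := header + "." + b64.EncodeToString(payload)
	return signingInput + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signingInput))), nil
}
// VerifyDecision checks the JWS offline with only the public key; alg is pinned first so "alg":"none" tokens are rejected.
func VerifyDecision(token string, pub ed25519.PublicKey) (d Decision, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return d, errors.New("malformed JWS: expected 3 segments")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return d, errors.New("unexpected or unreadable alg header")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return d, errors.New("signature invalid")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return d, err
	}
	return d, json.Unmarshal(payload, &d)
}
```

A CI gate that consumes these attestations should keep only the public key on the verifying side and treat any verification error as a missing decision, not as an Allow.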
04
Remediate
Fix with confidence
Check upgrade risk delta to understand net exposure before patching. Auto-generated remediation PRs on GitHub, GitLab, and self-hosted instances handle 9 manifest types and 7 lockfile formats — with breaking-change analysis attached to the PR description so reviewers see what changed.
05
Monitor
Watch for drift
Continuous monitoring re-scans projects on configurable schedules. Native Slack, Teams, Discord, webhook, and email alerts fire when new vulnerabilities appear or the firewall blocks a package. Trend snapshots track risk over time per project, ecosystem, and severity. Jira and Linear tickets are auto-created with the evidence bundle attached.
Block before install. Prove every decision.
The Dependency Firewall stops risky packages at install time. The same workflow handles full scans, attack paths, remediation PRs, and continuous monitoring. Self-hosted, with signed evidence on everything.