dpndncY
Platform

The Dependency Firewall at the center of supply chain security

Pre-install enforcement is the lead capability. Around it: full SCA, SAST, container, and IaC scanning, attack-path analysis, license obligations, trust scoring, trend snapshots, and a signed-evidence audit layer — all sharing the same multi-signal exploitability stack (KEV / EPSS / ExploitDB / reachability / attack-path).

Dependency Firewall — pre-install enforcement
Block risky packages before they enter your dependency tree. Multi-signal decisioning combines KEV, EPSS, ExploitDB, reachability, attack-path graphs, license obligations, and trust-delta gating — all sub-second on cache hits. Three rollout modes (Enforce, Soak / monitor-only, Review). Bypass requires signed waivers, expiring tokens, or human approvers — bypass attempts themselves audited. Every decision carries a signed JWS attestation, verifiable offline with the licensing public key.
Pre-install block · Trust-delta gating · Signed JWS evidence · Soak / Enforce / Review modes · npm / PyPI / Maven / NuGet / RubyGems / Cargo / Go · Sub-second cache hits
Hidden Dependency Risk (IDR)
Surfaces transitive risk concentration and blast-radius context so teams can see where a small set of vulnerable packages affects many dependents.
Transitive risk scoring · Vulnerable node mapping · Coverage confidence
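As an added illustration of the blast-radius idea described above (example code written for this page, not dpndncY's implementation): given a dependency graph, the program reverses the edges, walks from each vulnerable package to every transitive dependent, and ranks the vulnerable packages by how many dependents they reach. The package names and the list of vulnerable packages are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// sampleGraph is a constructed dependency tree: package -> its direct dependencies.
var sampleGraph = map[string][]string{
	"app":             {"web-framework", "http-client", "logger"},
	"web-framework":   {"router", "template-engine", "logger"},
	"http-client":     {"url-parser", "logger"},
	"router":          {"url-parser"},
	"template-engine": {"escape-utils"},
	"logger":          {},
	"url-parser":      {},
	"escape-utils":    {},
}

// reverseGraph flips package->dependency edges into dependency->dependents edges,
// which is the direction needed to ask "who is affected if this package is vulnerable?".
func reverseGraph(g map[string][]string) map[string][]string {
	rev := make(map[string][]string, len(g))
	for parent, deps := range g {
		for _, d := range deps {
			rev[d] = append(rev[d], parent)
		}
	}
	return rev
}

// blastRadius returns, sorted, every package that transitively depends on pkg.
func blastRadius(rev map[string][]string, pkg string) []string {
	seen := map[string]bool{}
	stack := []string{pkg}
	for len(stack) > 0 {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		for _, dependent := range rev[cur] {
			if !seen[dependent] {
				seen[dependent] = true
				stack = append(stack, dependent)
			}
		}
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// riskEntry pairs a vulnerable package with the dependents it reaches.
type riskEntry struct {
	Package    string
	Dependents []string
}

// rankTransitiveRisk orders vulnerable packages by blast radius, largest first
// (stable, so ties keep the input order).
func rankTransitiveRisk(g map[string][]string, vulnerable []string) []riskEntry {
	rev := reverseGraph(g)
	out := make([]riskEntry, 0, len(vulnerable))
	for _, v := range vulnerable {
		out = append(out, riskEntry{v, blastRadius(rev, v)})
	}
	sort.SliceStable(out, func(i, j int) bool {
		return len(out[i].Dependents) > len(out[j].Dependents)
	})
	return out
}

func main() {
	// Constructed: pretend these three packages carry a known vulnerability.
	for _, e := range rankTransitiveRisk(sampleGraph, []string{"url-parser", "escape-utils", "logger"}) {
		fmt.Printf("%-14s affects %d dependents: %v\n", e.Package, len(e.Dependents), e.Dependents)
	}
}
```

The ranking is what makes a small set of vulnerable leaves visible as a concentration: url-parser sits two hops below the application but reaches four dependents, more than either of the other two.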
Exploitability Forecast
Projects near-term exploitation likelihood using EPSS-based probabilities and risk heuristics to support triage sequencing.
EWF
Supply Chain Trust
Scores dependency trust with explainable factors and package-level patch guidance (recommended target, impact level, and alternatives).
Trust Score
Continuous Monitoring
Re-scan projects over time and track drift in vulnerability posture, license outcomes, exploitability state, and policy compliance.
Scheduled scans · Drift alerts · Scan history · Multi-project
Governance & operations
Centralized settings for profile, API tokens, and policy configuration, plus audit-friendly exports and scan evidence views.
Settings hub · API tokens · Security policies · Audit-ready evidence
SAST & code analysis
A proprietary static analysis engine runs in the same scan workflow as SCA, with 404 rules across 13+ languages: AST-based taint tracking for JavaScript/TypeScript and Python, and deep pattern analysis across Java, C#, Go, PHP, Ruby, Kotlin, Scala, Swift, Dart, Apex, VB.NET, Objective-C, C/C++, plus IaC (Terraform, CloudFormation, Kubernetes) and GraphQL. Findings appear alongside dependency vulnerabilities in a unified results view with SARIF 2.1.0 export.
404 rules · 13+ languages · AST taint tracking · Source → sink data flow · SARIF 2.1.0 output · Inline suppression
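The page describes AST-based source-to-sink taint tracking for JavaScript/TypeScript and Python. The added example below is not the product's engine; it applies the same idea to Go source with the standard go/ast package so it runs with no extra dependencies. Values read from a *http.Request parameter through the assumed source methods Get, FormValue and PostFormValue are tracked through assignments, and an exec.Command call that consumes them is reported with its line and originating expression. The analysed snippet is constructed; the analysis is intra-procedural and straight-line only, which is the minimal shape of the technique rather than its full reach.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
	"strings"
)

// Constructed sample: one tainted flow (query parameter into a shell command) and one constant-only call.
const sampleSrc = `package handlers
import ("net/http"; "os/exec")
func Ping(w http.ResponseWriter, r *http.Request) {
	host := r.URL.Query().Get("host")
	cmd := "ping -c 1 " + host
	exec.Command("sh", "-c", cmd).Run()
	fixed := "ping -c 1 localhost"
	exec.Command("sh", "-c", fixed).Run()
}`

// Assumed source methods on a request value; exec.Command is the only sink modelled.
var sourceMethods = map[string]bool{"Get": true, "FormValue": true, "PostFormValue": true}

// Finding records a sink call, its line in the analysed source, and the source expression feeding it.
type Finding struct {
	Sink string
	Line int
	Via  string
}

// taintOf returns the originating source expression if e reads tainted data, else "".
func taintOf(e ast.Expr, tainted map[string]string, reqParams map[string]bool) string {
	found := ""
	ast.Inspect(e, func(n ast.Node) bool {
		if found != "" {
			return false
		}
		switch v := n.(type) {
		case *ast.Ident:
			found = tainted[v.Name] // a variable assigned from a source earlier in the function
		case *ast.CallExpr:
			// e.g. r.URL.Query().Get("host"): method in the source set, chain rooted at a request parameter
			text := types.ExprString(v)
			if sel, ok := v.Fun.(*ast.SelectorExpr); ok && sourceMethods[sel.Sel.Name] && reqParams[strings.SplitN(text, ".", 2)[0]] {
				found = text
			}
		}
		return true
	})
	return found
}

// analyze parses src and reports each exec.Command call fed by request-derived data,
// following taint through straight-line assignments inside each function.
func analyze(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil {
			continue
		}
		reqParams := map[string]bool{} // parameter names of type *http.Request
		for _, p := range fn.Type.Params.List {
			for _, n := range p.Names {
				reqParams[n.Name] = types.ExprString(p.Type) == "*http.Request"
			}
		}
		tainted := map[string]string{} // variable name -> source expression
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			switch v := n.(type) {
			case *ast.AssignStmt:
				for i, rhs := range v.Rhs {
					if from := taintOf(rhs, tainted, reqParams); from != "" && i < len(v.Lhs) {
						if id, ok := v.Lhs[i].(*ast.Ident); ok {
							tainted[id.Name] = from
						}
					}
				}
			case *ast.CallExpr:
				if types.ExprString(v.Fun) != "exec.Command" {
					break
				}
				for _, arg := range v.Args {
					if from := taintOf(arg, tainted, reqParams); from != "" {
						findings = append(findings, Finding{"exec.Command", fset.Position(v.Pos()).Line, from})
						break
					}
				}
			}
			return true
		})
	}
	return findings, nil
}

func main() {
	findings, err := analyze(sampleSrc)
	fmt.Printf("%+v %v\n", findings, err)
}
```

Only the first exec.Command call is reported: its argument cmd was built from host, which was assigned from the request. The second call takes a constant and is correctly left alone, which is the distinction a data-flow rule makes and a plain pattern match cannot.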
Decision engine & signed evidence
Every vulnerability and every firewall request gets a prioritized decision — Patch Now (48h), Patch This Sprint (336h), Monitor (720h), or Accept Risk — from EPSS scores, CISA KEV status, ExploitDB presence, reachability signals, and CVSS context. Decisions are emitted as signed JWS attestations containing the rationale, all signal evidence with source URLs and timestamps, the policy ID applied, and the trust delta. Verifiable offline with the dpndncY public key.
SLA-bound decisions · Signed JWS attestation · Public-key verification · Auditor-grade evidence
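As an added example for both the firewall decisioning and the signed-evidence passages above (this is illustrative code, not dpndncY's decision engine or key material): a decision function maps KEV, EPSS, ExploitDB, reachability and CVSS signals to the four SLA buckets named on the page, then the decision with its rationale, policy id, signals and timestamp is wrapped in a compact JWS signed with Ed25519 and verified offline with only the public key. The thresholds (EPSS 0.10, CVSS 7.0), the bucket ordering, the policy id, the CVE id and the locally generated key pair are all assumptions standing in for the product's values and licensing key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Signals is the per-finding evidence; the CVE id is a placeholder and the cut-offs in decide() are assumptions.
type Signals struct {
	CVE       string  `json:"cve"`
	KEV       bool    `json:"cisa_kev"`
	EPSS      float64 `json:"epss"`
	ExploitDB bool    `json:"exploitdb"`
	Reachable bool    `json:"reachable"`
	CVSS      float64 `json:"cvss"`
}

// Decision is the attestation payload: action, SLA, rationale, policy id, signals, timestamp.
type Decision struct {
	Action    string   `json:"decision"`
	SLAHours  int      `json:"sla_hours"`
	Rationale []string `json:"rationale"`
	PolicyID  string   `json:"policy_id"`
	Signals   Signals  `json:"signals"`
	IssuedAt  string   `json:"iat"`
}

// decide maps signals to the four buckets named on the page; ordering and thresholds are assumed.
func decide(s Signals, policyID string) Decision {
	d := Decision{PolicyID: policyID, Signals: s, IssuedAt: time.Now().UTC().Format(time.RFC3339)}
	for _, r := range []struct{ on bool; why string }{
		{s.KEV, "listed in CISA KEV"},
		{s.ExploitDB, "public exploit in ExploitDB"},
		{s.EPSS >= 0.1, fmt.Sprintf("EPSS %.2f at or above 0.10", s.EPSS)},
		{s.Reachable, "vulnerable code reachable from the application"},
	} {
		if r.on {
			d.Rationale = append(d.Rationale, r.why)
		}
	}
	switch {
	case s.KEV && s.Reachable:
		d.Action, d.SLAHours = "Patch Now", 48
	case s.KEV || (s.ExploitDB && s.Reachable) || s.EPSS >= 0.1:
		d.Action, d.SLAHours = "Patch This Sprint", 336
	case s.Reachable || s.CVSS >= 7.0:
		d.Action, d.SLAHours = "Monitor", 720
	default:
		d.Action, d.SLAHours = "Accept Risk", 0
	}
	return d
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// signAttestation emits a compact-serialization JWS (alg EdDSA) over the decision.
func signAttestation(d Decision, priv ed25519.PrivateKey) (string, error) {
	payload, err := json.Marshal(d)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64(payload)
	return input + "." + b64(ed25519.Sign(priv, []byte(input))), nil
}

// verifyAttestation checks the JWS with only the public key. The alg is pinned before
// the signature check, so a header-supplied alg such as "none" is never honoured.
func verifyAttestation(jws string, pub ed25519.PublicKey) (Decision, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return Decision{}, fmt.Errorf("malformed JWS: %d segments", len(parts))
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "EdDSA" {
		return Decision{}, fmt.Errorf("unreadable header or unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Decision{}, fmt.Errorf("signature does not verify")
	}
	var d Decision // only trusted once the signature above has passed; callers must check err
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(pb, &d)
	}
	return d, err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the product's signing key pair
	jws, _ := signAttestation(decide(Signals{CVE: "CVE-0000-00000", KEV: true, EPSS: 0.92, Reachable: true, CVSS: 9.8}, "policy-default"), priv)
	got, err := verifyAttestation(jws, pub)
	fmt.Println(got.Action, got.SLAHours, got.Rationale, err)
	_, err = verifyAttestation(jws+"x", pub) // tampered signature segment must be rejected
	fmt.Println("tampered:", err)
}
```

The verifier needs nothing but the public key, which is what lets an auditor re-check a decision record long after the scan ran; it decodes the payload only after the signature passes, and it refuses any header whose alg is not the one it expects, so the usual alg-confusion shortcuts against JWS parsers do not apply.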
Auto-fix PRs with breaking-change analysis
Open pull requests on GitHub, GitLab, and self-hosted instances with version bumps and lockfile regeneration for fixable vulnerabilities. Manifest patcher covers package.json, requirements.txt, pom.xml, go.mod, Cargo.toml, packages.config, composer.json, Gemfile. Lockfile patcher handles package-lock.json, yarn.lock, pnpm-lock.yaml, poetry.lock, Pipfile.lock, Cargo.lock, Gemfile.lock. Includes pre-flight breaking-change analysis so the PR description shows what changed in the upgrade target.
GitHub + GitLab + self-hosted · 9 manifest types · 7 lockfile types · Breaking-change analysis
License obligations
Beyond allow/deny: surfaces the obligations triggered by each license — attribution, source disclosure, copyleft scope, patent grant, NOTICE files. SPDX-aligned. Generates the obligation manifest for legal review.
SPDX · Obligation graph · Copyleft scope
Notifications & ticketing
Native Slack (Block Kit), Microsoft Teams (Adaptive Card), Discord (embed), and generic webhooks — auto-detected by hostname. Native Jira and Linear ticketing with round-trip status updates. Email (SMTP) for legacy paths.
Slack · Teams · Discord · Jira · Linear · Webhook · Email
Attack Path Graph
Maps reachable vulnerabilities through your dependency graph to potential exploit entry points. Each path is scored by reachability weight, sink criticality, CWE class, and AI-code amplification factor. Visualized as a force-directed graph with scored path list and explain panel.
Force-directed graph · Path scoring · CWE mapping · AI amplification factor
AI risk attribution
Estimates AI-assisted code proportion via git-signal analysis and style heuristics. Co-locates AI-code concentration with security findings so reviewers can apply appropriate scrutiny.
Git signal analysis · Style heuristics · Finding co-location
Enterprise authentication & multi-tenancy
SAML 2.0 and OIDC single sign-on, TOTP-based MFA with per-user lockout policy, four-level RBAC (Owner / Admin / Analyst / Viewer), JWT signing key rotation, and tamper-evident audit logs with cursor-paginated export. Fully self-hosted — no telemetry, no cloud dependency, your data stays on your infrastructure.
SAML 2.0 · OIDC · MFA (TOTP) · RBAC · JWT rotation · Audit logs · Self-hosted

Stop risky packages at install time.

Snyk and Black Duck scan after the fact. dpndncY blocks before, with signed evidence on every decision. Self-hosted, multi-tenant, no telemetry — your data stays on your infrastructure.