Block typosquats. Stop takeovers. Sign every decision.
The Dependency Firewall plugs into the workflows you already have — package managers, SCM, IDE, CI/CD, ticketing, chat. Every team in the release path gets the same evidence trail; each role consumes a different view of it.
Supply chain attacks
Block typosquats and package takeovers at install time
Trust-delta gating fires when a package's trust score drops vs. the last approved version — the signal that catches takeovers and lookalikes that absolute thresholds miss. The firewall blocks the install before the malicious code lands.
Active exploitation
CISA KEV-listed packages refused at install
When CISA publishes a new KEV entry, the firewall starts refusing installs of the affected version automatically. Existing dependents are flagged with Patch Now (48h SLA) decisions, signed and exported.
Audit & compliance
Cryptographically verifiable evidence for every decision
Every allow / block / bypass / Patch-Now / Accept-Risk decision carries a JWS attestation with rationale and signal evidence. Auditors verify offline with the dpndncY public key — strictly better than a PDF report template.
Air-gapped environments
Self-hosted firewall, no cloud dependency
Government contractors, defense, regulated finance, healthcare. The firewall runs on-prem; package vulnerability data is mirrored locally. Install-time decisions happen against a local proxy — no external network access required at runtime.
Polyglot codebases
One firewall across npm, PyPI, Maven, NuGet, RubyGems, Cargo, Go
One policy, one evidence format, one operator UI — whether your team installs via npm, pip, Maven, NuGet, gem, cargo, or go. SAST and IaC scanning in the same platform across 13+ languages.
License legal review
Block GPL contamination before it lands
License obligations engine surfaces the actual obligations triggered by each license — copyleft scope, attribution, source disclosure, NOTICE file requirements. Pre-install enforcement keeps incompatible licenses out of the tree to begin with.
By role
Same data, role-specific view
Developers & DevOps
Ship faster, ship safer
Configure your package manager once; the firewall handles the rest. Auto-fix PRs cover 9 manifest types and 7 lockfile formats with breaking-change analysis. CLI for any CI/CD pipeline. VS Code extension for inline diagnostics.
AppSec & Security
Pre-install enforcement, not post-scan triage
Multi-signal decisioning (KEV, EPSS, ExploitDB, reachability, attack-path, trust-delta) drives both firewall blocks and post-scan prioritization. The decision engine assigns SLA-bound triage outcomes with a rationale. Signed evidence on everything.
CISOs & Leadership
Auditor-grade evidence by default
Every decision the firewall makes — and every Patch-Now or Accept-Risk decision the platform makes — produces a signed JWS attestation. Trend snapshots show risk-over-time. Compliance evidence map covers SOC 2, ISO 27001, PCI-DSS controls.
Block them before they're installed.
Snyk finds them after. dpndncY blocks them before — and signs the proof. Self-hosted, multi-tenant, with the deepest exploitability stack on the market.