
Dependency-vulnerability scanner

The dependency module reads manifest files for npm, PyPI, Composer, Maven, RubyGems, Cargo and Go modules and checks each pinned version against public vulnerability databases. Only an exactly pinned version can be matched against an advisory's affected range; a dependency declared as a range (for example ^1.2.0) does not identify a single release and cannot be matched, so pin versions exactly.

What we check against

  • OSV.dev — Google's open-source vulnerability database; the primary source of advisories and affected-version ranges.
  • NVD CVSS — severity scoring (base score and the Low/Medium/High/Critical rating derived from it).
  • EPSS — exploit-prediction scoring: the estimated probability that the vulnerability will be exploited in the wild within the next 30 days.
  • CISA KEV — the Known Exploited Vulnerabilities catalog maintained by the US government; a listing means exploitation has been observed, not merely predicted.

What you see

Each finding contains:

  • Package name and version.
  • CVE / advisory ID.
  • CVSS score and severity.
  • EPSS probability (if available).
  • KEV flag if listed by CISA.
  • Recommended fixed version.
  • Exploit-availability hint (public proof-of-concept available vs. theoretical only).

Manual upload

If we cannot reach your repository (private or on-prem hosting), POST the manifest to /api/v1/dependency/upload, authenticating with your API key. All seven ecosystems listed above are supported. Treat the API key as a secret: keep it out of the repository and out of CI logs.

GitHub App integration

If the GitHub App is installed, every pull request that changes a manifest is scanned automatically, and inline review comments are posted on the lines that declare the affected packages.

Frequency

Daily for connected repositories; because the databases above are re-queried on each run, a new finding can appear without any change to your manifest when an advisory is published. Manual uploads are scanned on demand, so re-upload to pick up new advisories.