
v4.0.0 - Dependency Vulnerability Scanner


@OmarRao OmarRao released this 17 Jun 14:44

Dependency Vulnerability Scanner

Every third-party package is a potential supply chain risk. SecureScope now queries OSV.dev - Google's open vulnerability database - for every dependency found in your repository. No API key required.

What's New

  • Auto-discovery - finds all package manifests automatically, no configuration needed
  • 7 ecosystems - PyPI, npm, Go, Maven, RubyGems, Cargo, Packagist
  • OSV.dev batch API - efficient bulk CVE lookup for every pinned dependency
  • CVSS scoring - Critical / High / Medium / Low severity with numeric score
  • Fixed version - every finding shows the exact version to upgrade to
  • Integrated into main scan - runs automatically on every repo scan alongside SAST, secrets, and ransomware
  • Standalone dashboard panel - scan any repo or local path independently

Supported Manifest Files

| Ecosystem        | Files                                                            |
|------------------|------------------------------------------------------------------|
| PyPI (Python)    | requirements.txt, requirements-dev.txt, requirements-test.txt    |
| npm (Node.js)    | package.json, package-lock.json                                  |
| Go               | go.mod                                                           |
| Maven (Java)     | pom.xml                                                          |
| RubyGems         | Gemfile.lock                                                     |
| Cargo (Rust)     | Cargo.lock                                                       |
| Packagist (PHP)  | composer.json                                                    |
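To make the "OSV.dev batch API" and "Fixed version" items concrete, here is an added example (not SecureScope's own code) of the manifest-to-OSV flow for the PyPI ecosystem: parse pinned lines from a requirements.txt, build the `POST /v1/querybatch` body, pair each reply entry with its query, and pull the upgrade target out of the advisory record's `affected[].ranges[].events[]`. The endpoint URLs and OSV JSON field names are real; the package names, versions, advisory id `OSV-EXAMPLE-0001` and requirements content are constructed placeholders, and `SAMPLE_RECORDS` stands in for the per-id `GET /v1/vulns/{id}` fetch so the block runs offline. The CVSS band mapping follows the standard v3.x qualitative ranges; how the scanner derives a numeric score from OSV's CVSS vector strings is not shown on this page and is left out.

```python
"""Added example, not SecureScope's code: requirements.txt -> OSV.dev batch query
-> findings with fixed version, run offline on constructed sample data.
Real: endpoint URL and OSV field names.  Placeholders: names, versions, ids."""
import json
import re
from typing import Dict, List, Optional

OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"  # real endpoint, no API key

# "name[extras]==version"; environment markers after the version are ignored.
# Only exact pins are queried: OSV matches against a concrete version.
PIN_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([0-9][A-Za-z0-9._+!-]*)"
)

def normalize(name: str) -> str:
    """PEP 503 normalization so 'Example_Pkg' and 'example-pkg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str, ecosystem: str = "PyPI") -> List[Dict]:
    """One OSV query per pinned line; comments, blanks and unpinned lines are skipped."""
    queries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PIN_RE.match(line)
        if not m:
            continue
        queries.append({"package": {"name": normalize(m.group(1)), "ecosystem": ecosystem},
                        "version": m.group(2)})
    return queries

def batch_payload(queries: List[Dict]) -> str:
    """Request body for POST /v1/querybatch; results[i] answers queries[i]."""
    return json.dumps({"queries": queries})

def vulnerable_ids(queries: List[Dict], batch_reply: Dict) -> Dict[str, List[str]]:
    """Map 'name==version' to the advisory ids returned for it.  The batch reply
    carries only id and modified per vuln; full records come from /v1/vulns/{id}."""
    found = {}
    for q, r in zip(queries, batch_reply.get("results", [])):
        key = f"{q['package']['name']}=={q['version']}"
        found[key] = [v["id"] for v in r.get("vulns", [])]
    return found

def fixed_version(vuln: Dict, name: str, ecosystem: str) -> Optional[str]:
    """First 'fixed' event for the package in affected[].ranges[].events[];
    None when the record lists no fix for this package."""
    for aff in vuln.get("affected", []):
        pkg = aff.get("package", {})
        if normalize(pkg.get("name", "")) != normalize(name) or pkg.get("ecosystem") != ecosystem:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            for event in rng.get("events", []):
                if "fixed" in event:
                    return event["fixed"]
    return None

def cvss_rating(score: float) -> str:
    """Qualitative band for a CVSS v3.x base score (FIRST's published ranges)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"

def scan_report(req_text: str, batch_reply: Dict, records: Dict[str, Dict]) -> List[Dict]:
    """Join the steps into findings.  `records` (id -> OSV record) stands in for
    the per-id /v1/vulns fetch a live scanner would perform."""
    queries = parse_requirements(req_text)
    found = vulnerable_ids(queries, batch_reply)
    findings = []
    for q in queries:
        name, version = q["package"]["name"], q["version"]
        for vid in found.get(f"{name}=={version}", []):
            findings.append({"package": name, "version": version, "id": vid,
                             "fixed": fixed_version(records.get(vid, {}), name, "PyPI")})
    return findings

# --- constructed sample data (no real project, package or advisory) ---
SAMPLE_REQUIREMENTS = """# constructed sample requirements.txt
Example_Pkg[extra]==1.2.0 ; python_version >= "3.8"
otherpkg>=2.0            # unpinned: skipped
safepkg==0.9.1
"""
SAMPLE_BATCH_REPLY = {"results": [
    {"vulns": [{"id": "OSV-EXAMPLE-0001", "modified": "2024-01-01T00:00:00Z"}]},
    {},  # second query: no known vulns
]}
SAMPLE_RECORDS = {"OSV-EXAMPLE-0001": {
    "id": "OSV-EXAMPLE-0001", "summary": "constructed placeholder advisory",
    "affected": [{"package": {"name": "example-pkg", "ecosystem": "PyPI"},
                  "ranges": [{"type": "ECOSYSTEM",
                              "events": [{"introduced": "0"}, {"fixed": "1.2.1"}]}]}],
}}
```

Two practical notes: the skipped unpinned line shows why lockfiles (package-lock.json, Gemfile.lock, Cargo.lock) give better coverage than loose manifests, since only a concrete version can be matched; and a live client should follow `next_page_token` in batch replies for large dependency sets, which this offline block does not need.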

Why Dependency Scanning?

Log4Shell, XZ Utils backdoor, event-stream - the biggest breaches of recent years weren't code bugs, they were vulnerable or malicious dependencies. OSV.dev aggregates CVEs from GitHub Advisory, NVD, and ecosystem-specific databases into a single queryable API.


Built by Omar Rao - Engineer, Data Resilience, Cybersecurity and Privacy