v4.0.0 - Dependency Vulnerability Scanner
Dependency Vulnerability Scanner
Every third-party package is a potential supply chain risk. SecureScope now queries OSV.dev - Google's open vulnerability database - for every dependency found in your repository. No API key required.
What's New
- Auto-discovery - finds all package manifests automatically, no configuration needed
- 7 ecosystems - PyPI, npm, Go, Maven, RubyGems, Cargo, Packagist
- OSV.dev batch API - efficient bulk CVE lookup for every pinned dependency
- CVSS scoring - Critical / High / Medium / Low severity with numeric score
- Fixed version - every finding shows the exact version to upgrade to
- Integrated into main scan - runs automatically on every repo scan alongside SAST, secrets, and ransomware
- Standalone dashboard panel - scan any repo or local path independently
Supported Manifest Files
| Ecosystem | Files |
|---|---|
| PyPI (Python) | requirements.txt, requirements-dev.txt, requirements-test.txt |
| npm (Node.js) | package.json, package-lock.json |
| Go | go.mod |
| Maven (Java) | pom.xml |
| RubyGems | Gemfile.lock |
| Cargo (Rust) | Cargo.lock |
| Packagist (PHP) | composer.json |
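The pieces behind the list above (manifest parsing, the OSV.dev batch query, CVSS scoring and the fixed-version lookup), as an added Python example for the PyPI row of the table; this is not SecureScope's own code. The OSV request and record field names follow the public OSV schema as I understand it (an assumption to check against https://google.github.io/osv.dev/), no network call is made, and the requirements file and vulnerability record in the block are constructed for illustration, not real advisories.

```python
# Added example, not SecureScope's code. OSV field names follow the public OSV
# schema as I understand it (assumption; check https://google.github.io/osv.dev/).
# Offline: the manifest and the vulnerability record below are constructed.
import math
import re

OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"  # real endpoint, not called here

# Constructed sample manifest: only '==' pins give an exact version to query.
SAMPLE_REQUIREMENTS = """\
requests==2.25.1
pyyaml == 5.3.1        # whitespace around '==' is legal
examplepkg==1.4.2      # made-up package, matched by SAMPLE_VULN below
Django>=3.2,<4.0       # a range, not a pin: skipped
-r requirements-dev.txt
"""
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;,]+)")

def parse_pins(text):
    """Return [(name, version)] for exactly pinned lines; skip ranges and pip options."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):     # blank, or an option such as -r / -e
            continue
        m = PIN_RE.match(line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins

def build_batch_query(pins, ecosystem="PyPI"):
    """Body for POST /v1/querybatch: one query per pinned package@version."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in pins]}

# CVSS v3.1 base-metric weights from the FIRST specification.
_W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
      "AC": {"L": 0.77, "H": 0.44},
      "UI": {"N": 0.85, "R": 0.62},
      "C": {"H": 0.56, "L": 0.22, "N": 0.0}}
_W["I"] = _W["A"] = _W["C"]
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},    # scope unchanged
       "C": {"N": 0.85, "L": 0.68, "H": 0.5}}     # scope changed

def _roundup(x):
    """CVSS v3.1 Roundup: one decimal, rounding up, without float artefacts."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector):
    """Numeric base score from a 'CVSS:3.1/AV:../AC:../...' vector string."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    s = m["S"]
    iss = 1 - (1 - _W["C"][m["C"]]) * (1 - _W["I"][m["I"]]) * (1 - _W["A"][m["A"]])
    impact = 6.42 * iss if s == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploit = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _PR[s][m["PR"]] * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min(impact + exploit if s == "U" else 1.08 * (impact + exploit), 10))

def severity_bucket(score):
    """Qualitative CVSS v3 rating band for a numeric score."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    return "Medium" if score >= 4.0 else "Low"

# Constructed OSV-style record: id, versions and vector are invented.
SAMPLE_VULN = {
    "id": "EXAMPLE-2024-0001",
    "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"},
                  "ranges": [{"type": "ECOSYSTEM",
                              "events": [{"introduced": "0"}, {"fixed": "1.4.5"}]}]}],
    "severity": [{"type": "CVSS_V3",
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
}

def fixed_versions(vuln, package):
    """Every 'fixed' event for the package across the record's ranges ([] if no fix yet)."""
    fixes = []
    for aff in vuln.get("affected", []):
        if aff.get("package", {}).get("name", "").lower() != package.lower():
            continue
        for rng in aff.get("ranges", []):
            fixes.extend(ev["fixed"] for ev in rng.get("events", []) if "fixed" in ev)
    return fixes

def findings(pins, vulns):
    """Join pins with full OSV records into the fields one finding shows."""
    out = []
    for name, version in pins:
        for v in vulns:
            if not any(a["package"]["name"].lower() == name for a in v["affected"]):
                continue
            vec = next(sv["score"] for sv in v["severity"] if sv["type"].startswith("CVSS_V3"))
            score = cvss31_base_score(vec)
            out.append({"package": name, "installed": version, "id": v["id"], "score": score,
                        "severity": severity_bucket(score), "fixed": fixed_versions(v, name)})
    return out
```

Two details of the OSV API shape this design: as I understand it, the querybatch response only carries the vulnerability ids (and modification times) for each query, index-aligned with the queries sent, so a scanner still has to fetch each full record (`/v1/vulns/{id}`) to get the `affected` ranges and `severity` that `findings()` consumes; and OSV records store CVSS as a vector string rather than a number, which is why the numeric score and the Critical/High/Medium/Low band are computed locally here. Unpinned or ranged dependencies are deliberately skipped by `parse_pins()`, which is the practical reason a scan can only cover pinned versions; a record with no `fixed` event yields an empty `fixed` list, which a dashboard should surface as "no fix available" rather than as an upgrade target.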
Why Dependency Scanning?
Log4Shell, the XZ Utils backdoor, event-stream - the biggest breaches of recent years weren't bugs in the application's own code; they were vulnerable or malicious dependencies. OSV.dev aggregates CVEs from GitHub Advisory, NVD, and ecosystem-specific databases into a single queryable API.
Built by Omar Rao - Engineer, Data Resilience, Cybersecurity and Privacy