One workflow, end-to-end. Findings flow through fusion (KEV + EPSS + ExploitDB + reachability) into a policy decision; the decision ships as a DSSE-signed in-toto Statement that anyone can verify offline with your public key. Same engine for SCA, SAST, container, IaC, secrets, runtime.
Scan
SCA across 17 ecosystems, SAST (1,500+ rules, 13+ languages), IaC (Terraform / CloudFormation / Kubernetes), high-precision secrets, container OCI, JS/TS reachability, attack-path graph. Triggered from VS Code, the CLI, CI/CD, or a scheduled monitor.
Fuse signals
Every finding is enriched with CISA KEV status, EPSS exploitation probability, ExploitDB entry IDs, forecasted exploit window, reachability proof (JS/TS), attack-path score, license obligations, and CVSS context. Multi-signal — not raw CVE count.
Decide
Policy engine outputs Patch Now (48h), Patch This Sprint (336h), Monitor (720h), or Accept Risk, with rationale per signal. Same decision pipeline whether the input is a scan finding, a firewall admission request, or a CI runtime event.
Enforce
Pre-install: Dependency Firewall rejects bad packages before they enter your tree, via package-manager registry proxy. Runtime: eBPF cgroup-BPF on the CI runner denies non-allowlisted egress with a standard EPERM. Three rollout modes — observe → soak → enforce.
Remediate
Auto-fix PRs on GitHub, GitLab, and self-hosted instances. The manifest patcher covers 9 formats, the lockfile patcher 7. Breaking-change analysis is included in the PR body so you know before you merge.
Sign
Every decision is wrapped in a DSSE envelope over a SLSA in-toto Statement, signed with your keypair. The standalone dpndncy-verify binary checks it offline with the public key alone. Optional Sigstore keyless signing when an OIDC token is available.
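The sign-then-verify-offline round trip this section describes, as an added example that is not the product's own code: an in-toto Statement (constructed here, with a placeholder subject digest and a hypothetical predicateType) goes into a DSSE envelope whose signature covers the Pre-Authentication Encoding, and Verify needs nothing but the public key and the envelope. Ed25519 from the Go standard library stands in for whatever keypair format the product uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Envelope is the DSSE envelope: a payload type, the base64 payload and detached signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// Signature is one detached signature; keyid is a selection hint, never a trust decision.
type Signature struct{ KeyID string `json:"keyid"`; Sig string `json:"sig"` }

// Statement is a constructed in-toto Statement carrying one policy decision; the digest and predicateType are placeholders.
var Statement = []byte(`{"_type":"https://in-toto.io/Statement/v1",` +
	`"subject":[{"name":"example-lib-1.2.3.tgz","digest":{"sha256":"<sha256 of the scanned artifact>"}}],` +
	`"predicateType":"https://example.invalid/policy-decision/v1",` +
	`"predicate":{"decision":"Patch Now","sla_hours":48,"signals":{"kev":true,"epss":0.91}}}`)

// pae is the DSSE Pre-Authentication Encoding, the bytes that are actually signed:
// "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body, with lengths in decimal ASCII.
func pae(payloadType string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(body), body))
}

// Sign wraps a serialised Statement in a DSSE envelope signed with an Ed25519 private key.
func Sign(priv ed25519.PrivateKey, keyID string, statement []byte) Envelope {
	const pt = "application/vnd.in-toto+json"
	sig := ed25519.Sign(priv, pae(pt, statement))
	return Envelope{PayloadType: pt, Payload: base64.StdEncoding.EncodeToString(statement),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}
}

// Verify is the offline check: public key plus envelope, nothing else. The Statement is returned
// only if a signature validates over the PAE, so a modified payload or payloadType is rejected.
func Verify(pub ed25519.PublicKey, env Envelope) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	for _, s := range env.Signatures {
		sig, e := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && e == nil && ed25519.Verify(pub, pae(env.PayloadType, payload), sig) {
			return payload, nil
		}
	}
	return nil, fmt.Errorf("no signature in the envelope validates under this key")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, err := Verify(pub, Sign(priv, "ci-signing-key", Statement))
	fmt.Println("offline verification ok:", err == nil)
}
```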