Every dpndncY capability sits on the same exploitability signal stack — KEV + EPSS + ExploitDB + reachability + attack-path — and the same DSSE/RS256 signing root. What changes between layers is where the decision lives: in your editor and CI (scan), at install time and on the CI runner (block), or as portable evidence anyone can verify offline (sign).
Find the risk that actually matters.
Every scan resolves dependencies, runs code analysis, and ranks findings using a multi-signal prioritisation engine. The output isn't 12,847 CVEs you can ignore — it's a small ordered list with a verifiable reason for each item.
Multi-ecosystem SCA + exploitability fusion
Direct + transitive dependency resolution across 17 ecosystems (npm, PyPI, Maven, NuGet, Cargo, Go, RubyGems, Composer, Pub, CRAN, Conda, CPAN, OPAM, CocoaPods, SwiftPM, PEAR, Bazel) correlated against OSV, NVD, and GHSA. Each finding enriched with CISA KEV, EPSS, ExploitDB, an exploit-window forecast (EWF), and — for JS/TS — AST-based reachability into your call graph.
Native SAST, IaC, K8s, secrets — one pass
Proprietary SAST engine: 1,500+ rules across 13+ languages (JavaScript, TypeScript, Python, Java, Kotlin, C#, Go, PHP, Ruby, Swift, C/C++, Rust). AST-based taint tracking for JS/TS + Python. IaC for Terraform, CloudFormation (JSON + YAML), Kubernetes manifests. 73-rule secret scanner with high-precision regex + entropy heuristics. Unified results view with SARIF 2.1.0 export.
Container image scanning
OCI tarball parser walks every layer. Per-layer SBOM, vulnerability correlation across 9 in-image ecosystems (Debian, Alpine, RPM, npm, PyPI, Go, Ruby, PHP, .NET), base-image upgrade guidance.
Attack Path Graph
Reachable vulnerabilities mapped from dependency to import to sink to HTTP entry point. Paths scored by reachability weight, sink criticality, CWE class, and AI-code amplification.
AI risk attribution
LOC-weighted attribution of likely-AI-generated regions (git-signal + structural deviation + commit-burst). Co-located with security findings so reviewers concentrate on the highest-leverage code.
Stop risk at install time — and at runtime.
Two enforcement layers share the same policy surface and the same signing root. The Dependency Firewall rejects risky packages before they enter your dependency tree; the eBPF Runtime Agent attaches to four hook points on the CI runner (three in the kernel, one a libc uprobe) and, in enforce mode, actively denies non-allowlisted egress.
Dependency Firewall — pre-install
Multi-signal decisioning at admission time: CISA KEV, EPSS, ExploitDB, reachability, attack-path, license obligations, and version-pinning rules with maintainer-change alerts. Three rollout modes (observe / soak / enforce). Bypass routed through an approval workflow with audit trail. Registry-proxy mode covers npm, PyPI, Maven, NuGet, RubyGems, Cargo, Go.
eBPF Runtime Agent — on the CI runner
Four CO-RE BPF programs attach to sys_enter_connect, sched_process_exec, security_file_open, and uprobe:libc:getaddrinfo. The uprobe supplies DNS visibility, but only for resolvers that go through libc; a statically linked binary or a Go program using its default pure-Go resolver is seen only when the resulting connect() hits the first hook. Every event is correlated to the workflow step that caused it (auto-detects 9 CI platforms: GitHub Actions, GitLab CI, Jenkins, CircleCI, Azure Pipelines, Bitbucket Pipelines, Tekton, Buildkite, Drone). In enforce mode, additional cgroup/connect4 and cgroup/connect6 programs deny non-allowlisted egress before the connection is attempted; callers see a standard EPERM.
Auto-fix PRs — manifest + lockfile
Opens PRs on GitHub, GitLab, and self-hosted instances. Manifest patcher covers 9 formats, including package.json, requirements.txt, pom.xml, go.mod, Cargo.toml, packages.config, composer.json, and Gemfile. Lockfile patcher handles 7: package-lock.json, yarn.lock, pnpm-lock.yaml, poetry.lock, Pipfile.lock, Cargo.lock, Gemfile.lock. Pre-flight breaking-change analysis in the PR description.
Policy gates
Define thresholds for severity counts, CVSS ceilings, unresolved licenses, exploitability conditions. PASS/FAIL exit codes for CI/CD. Policy-as-code; tenant-scoped.
Notifications & ticketing
Native Slack (Block Kit), Microsoft Teams (Adaptive Card), Discord (embed), generic webhooks. Native Jira and Linear with round-trip status updates.
Portable, offline-verifiable evidence on every decision.
Every CI runtime trace is wrapped in a DSSE envelope over a SLSA-style in-toto Statement and signed with the dpndncY keypair; firewall verdicts and scan results are recorded as structured evidence packages today, with DSSE signing for those on the roadmap. A standalone dpndncy-verify binary ships with the platform, so auditors, downstream pipelines, K8s admission controllers, or your customer's security team can verify signed evidence offline with the public key alone.
Decision engine + signed JWS evidence
Every vulnerability receives a prioritised decision — Patch Now (48h), Patch This Sprint (336h), Monitor (720h), or Accept Risk — computed from EPSS, CISA KEV, ExploitDB, reachability, and CVSS. The decision and every contributing signal (with source URLs and timestamps), plus the policy version applied, are recorded in a structured evidence package. DSSE-signed firewall and scan attestations are on the roadmap; runtime traces are DSSE-signed today.
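To make the decision buckets above and the policy gates described earlier on this page concrete, here is an added Go example; it is not the product's code. The decision names and SLA windows are the ones listed above; every threshold (the EPSS cut-off, the Patch Now limit, the CVSS ceiling), the Policy and Signals types and the placeholder finding IDs are assumptions made for the example. The ordering inside Decide is the point: a KEV entry or a reachable, exploitable finding goes to Patch Now regardless of CVSS, a CVSS 9.8 that nothing calls lands in Monitor, and the gate turns the result into the PASS/FAIL exit code CI expects.

```go
package main

import (
	"fmt"
	"os"
)

// Decision is one of the four buckets the page describes, with its SLA window in hours.
type Decision struct {
	Name   string
	SLAHrs int
}

var (
	PatchNow    = Decision{"Patch Now", 48}
	PatchSprint = Decision{"Patch This Sprint", 336}
	Monitor     = Decision{"Monitor", 720}
	AcceptRisk  = Decision{"Accept Risk", 0}
)

// Signals is the exploitability evidence attached to one finding.
type Signals struct {
	ID        string
	CVSS      float64
	EPSS      float64 // probability of exploitation in the next 30 days
	InKEV     bool    // listed in CISA KEV
	ExploitDB bool    // a public exploit exists
	Reachable bool    // the vulnerable code is reachable from the call graph
}

// Policy is the policy-as-code input to the gate. All thresholds here are
// illustrative assumptions, not values documented by the product.
type Policy struct {
	Version     string
	EPSSHigh    float64 // EPSS at or above this counts as "likely exploited"
	MaxPatchNow int     // FAIL if more than this many findings land in Patch Now
	CVSSCeiling float64 // FAIL if any reachable finding has CVSS at or above this
}

// Decide ranks one finding and returns the reason that will be recorded with it.
// Precedence is the point: confirmed in-the-wild exploitation (KEV) outranks
// everything, while a high CVSS with nothing reachable and no exploit only
// earns Monitor.
func Decide(p Policy, s Signals) (Decision, string) {
	likely := s.EPSS >= p.EPSSHigh || s.ExploitDB
	switch {
	case s.InKEV:
		return PatchNow, "in CISA KEV: exploitation observed in the wild"
	case s.Reachable && likely:
		return PatchNow, "reachable and (public exploit or high EPSS)"
	case s.Reachable:
		return PatchSprint, "reachable, no exploit signal yet"
	case likely:
		return PatchSprint, "public exploit or high EPSS, not reachable"
	case s.CVSS >= 7.0:
		return Monitor, "high CVSS only: unreachable and no exploit signal"
	default:
		return AcceptRisk, "no exploitability signal"
	}
}

// Gate evaluates the policy over every finding. It returns PASS (true) or FAIL
// (false) together with the reasons, which is what the CI log should show.
func Gate(p Policy, findings []Signals) (bool, []string) {
	var reasons []string
	patchNow := 0
	for _, f := range findings {
		d, why := Decide(p, f)
		if d == PatchNow {
			patchNow++
		}
		if f.Reachable && f.CVSS >= p.CVSSCeiling {
			reasons = append(reasons, fmt.Sprintf("%s: reachable with CVSS %.1f >= ceiling %.1f (%s)",
				f.ID, f.CVSS, p.CVSSCeiling, why))
		}
	}
	if patchNow > p.MaxPatchNow {
		reasons = append(reasons, fmt.Sprintf("%d Patch Now finding(s) exceed the limit of %d", patchNow, p.MaxPatchNow))
	}
	return len(reasons) == 0, reasons
}

func main() {
	policy := Policy{Version: "example-1", EPSSHigh: 0.10, MaxPatchNow: 0, CVSSCeiling: 9.0}
	// Constructed sample findings; the IDs are placeholders, not real CVEs.
	findings := []Signals{
		{ID: "FINDING-1", CVSS: 9.8, EPSS: 0.02},                  // loud CVSS, no other signal
		{ID: "FINDING-2", CVSS: 6.5, EPSS: 0.40, Reachable: true}, // modest CVSS, real risk
		{ID: "FINDING-3", CVSS: 7.5, InKEV: true},
	}
	for _, f := range findings {
		d, why := Decide(policy, f)
		fmt.Printf("%-10s %-18s %4dh  %s\n", f.ID, d.Name, d.SLAHrs, why)
	}
	pass, reasons := Gate(policy, findings)
	fmt.Printf("policy %s: %s\n", policy.Version, map[bool]string{true: "PASS", false: "FAIL"}[pass])
	for _, r := range reasons {
		fmt.Println("  -", r)
	}
	if !pass {
		os.Exit(1) // non-zero exit is the CI/CD contract
	}
}
```

Run as-is and the sample gate fails: FINDING-1 with its 9.8 CVSS is only Monitor because nothing reaches it, while the 6.5 that is reachable with EPSS 0.40 and the KEV entry both become Patch Now and trip the limit. The reason strings are what you would record next to each decision, alongside the policy version, so a reviewer can see why the gate fired.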
SLSA in-toto v1 attestations for CI/CD runs
At the end of every CI run the agent emits a DSSE envelope wrapping an in-toto Statement (v1) whose predicateType is https://dpndncy.io/agent/runtime-trace/v1; the predicate carries per-kind event counts, deduplicated egress destinations, an exec summary, DNS hostnames, and the SHA-256 of the full event-log NDJSON. Optional Sigstore-keyless mode when an OIDC token is available (Fulcio cert + Rekor log entry).
SBOM exports
CycloneDX 1.5, SPDX. SARIF 2.1.0 for SAST findings. Every scan also emits a diff against the last known SBOM.
Offline verifier binary
dpndncy-verify trace.intoto.jsonl --public-key agent-pub.pem: a single static Linux binary that makes no network calls, prints a human-readable summary, and exits 0 only when the signature verifies against the supplied public key. Treat any non-zero exit as unverified evidence.
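The envelope, the Statement and the offline verifier described in this section, as an added Go example (not the dpndncy-verify tool or the agent's own code): the DSSE payloadType, the in-toto Statement v1 _type and the PAE construction come from the published specs, the predicateType is the one named above, and RS256 (RSA PKCS#1 v1.5 with SHA-256) matches the signing root the page names. The JSON keys inside the predicate, the key id, the subject name and the sample NDJSON line are assumptions. RoundTrip signs a trace, verifies it, then replaces the payload with one that adds an egress destination while keeping the original signature, and shows that the verifier rejects it.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Fixed strings from the DSSE and in-toto specs; the predicate type is the one the page names.
const (
	payloadType   = "application/vnd.in-toto+json"
	statementType = "https://in-toto.io/Statement/v1"
	predicateType = "https://dpndncy.io/agent/runtime-trace/v1"
)

// Statement is an in-toto v1 Statement; the predicate keys used in RoundTrip are an assumption.
type Statement struct {
	Type          string           `json:"_type"`
	Subject       []map[string]any `json:"subject"`
	PredicateType string           `json:"predicateType"`
	Predicate     map[string]any   `json:"predicate"`
}

// Envelope is the DSSE envelope: a base64 payload plus one or more signatures over its PAE.
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

// pae is DSSE's Pre-Authentication Encoding, the bytes actually signed; folding the payload
// type and length into it stops a valid payload from being re-labelled as another type.
func pae(ptype string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(ptype), ptype, len(payload), payload))
}

// Sign wraps st in a DSSE envelope signed with RS256 (RSA PKCS#1 v1.5 over SHA-256).
func Sign(priv *rsa.PrivateKey, keyID string, st Statement) (*Envelope, error) {
	payload, _ := json.Marshal(st) // Statement holds only JSON-safe types, so this cannot fail
	digest := sha256.Sum256(pae(payloadType, payload))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Verify is the offline check: recompute the PAE from the envelope's own fields, require a
// signature that validates under pub, and only then decode and type-check the Statement.
func Verify(pub *rsa.PublicKey, env Envelope) (*Statement, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(pae(env.PayloadType, payload))
	verified := false
	for _, s := range env.Signatures { // DSSE allows several signatures; any valid one suffices here
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		verified = verified || err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw) == nil
	}
	if !verified {
		return nil, fmt.Errorf("no signature verified with the supplied public key")
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil, err
	}
	if env.PayloadType != payloadType || st.Type != statementType || st.PredicateType != predicateType {
		return nil, fmt.Errorf("unexpected payloadType %q, _type %q or predicateType %q", env.PayloadType, st.Type, st.PredicateType)
	}
	return &st, nil
}

// RoundTrip signs a constructed trace, verifies it, then re-encodes a doctored payload (one
// extra egress destination) under the original signature. Returns (genuineOK, tamperedRejected).
func RoundTrip() (bool, bool, error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if the system RNG is broken
	sum := fmt.Sprintf("%x", sha256.Sum256([]byte(`{"kind":"connect","dst":"140.82.112.3:443"}`+"\n"))) // constructed NDJSON
	st := Statement{Type: statementType, PredicateType: predicateType,
		Subject:   []map[string]any{{"name": "events.ndjson", "digest": map[string]string{"sha256": sum}}},
		Predicate: map[string]any{"eventCounts": map[string]int{"connect": 1}, "egress": []string{"140.82.112.3:443"}, "eventLogSha256": sum}}
	env, err := Sign(priv, "agent-key-1", st)
	if err != nil {
		return false, false, err
	}
	genuine, genuineErr := Verify(&priv.PublicKey, *env)
	st.Predicate["egress"] = []string{"140.82.112.3:443", "198.51.100.7:4444"}
	forged, _ := json.Marshal(st)
	env.Payload = base64.StdEncoding.EncodeToString(forged) // signatures left untouched
	_, tamperErr := Verify(&priv.PublicKey, *env)
	return genuineErr == nil && genuine != nil, tamperErr != nil, nil
}

func main() { fmt.Println(RoundTrip()) }
```

The thing to notice is the order inside Verify: the PAE is recomputed from the envelope's own payloadType and payload bytes, the signature is checked against the supplied public key, and only then is the payload parsed and its _type and predicateType compared with what the verifier expects. A verifier that parses first, or that trusts a payloadType it has not signed over, is how re-labelling attacks slip in. A production verifier would additionally pin the expected key id and compare the subject digest with the event log it has on disk.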
The platform, measured.
Run dpndncY on your infrastructure.
Read its decisions. Verify them offline.
Self-hosted, fully air-gappable, no telemetry. Every decision the platform makes is recorded as structured evidence, and the signed attestations it emits verify offline with nothing but the public key.