Dependency Security Auditor

Continuous scanning of dependencies with CVE tracking, auto-PR remediation

View the interactive project page →

Dependency Security Auditor

An AI-native software composition analysis (SCA) platform that democratizes vulnerability management for open-source projects and development teams.

The Problem

Software supply chain attacks are accelerating, yet 90% of reported CVEs in deployed dependencies are unreachable and pose no actual risk. Current SCA tools force developers to choose between:

  • Commercial tools (Snyk, Endor Labs) that lock reachability analysis and fix intelligence behind expensive per-seat pricing
  • Open-source tools (Trivy, Grype) that detect vulnerabilities but cannot explain which ones actually matter
  • DIY approaches that consume significant engineering bandwidth for minimal noise reduction

The market for SCA is growing at 20–22% CAGR to reach $1.7–6.7B by 2030, yet the gap between detection and intelligent remediation remains unfilled by open-source alternatives.

The Opportunity

Build an AI-native auditor that provides:

  1. Reachability-as-standard, not premium: Use LLM-assisted call graph analysis to determine whether vulnerable code is actually callable from application entry points. Endor Labs reports 90%+ false-positive reduction using this approach—now available as open-source infrastructure.

  2. Intelligent fix-PR generation beyond version bumps: When a fix requires API migration, interface changes, or configuration updates, AI analyzes the changelog and generates the actual code modifications needed—not just a version pin.

  3. Prioritization beyond CVSS scores: Combine CVSS + EPSS exploit probability + repository-specific reachability data + threat feeds to generate a genuinely ranked remediation queue, surfacing the 5% of CVEs that warrant action versus the 95% that are theoretical risks.

  4. Supply chain provenance reasoning: Detect anomalous package behavior patterns—unusual permission requests, unexpected network calls in post-install hooks, suspicious maintainer takeovers—that precede CVE publication.

  5. Policy-as-code with natural language: Accept organizational dependency rules in plain language, translate them into enforceable policies, and explain violations to developers without requiring YAML/Rego expertise.

Market Context

  • Market size: $585M–$614M in 2024; projected 19.8–25.6% CAGR to $1.7–6.7B by 2030
  • Buyer personas: AppSec engineers, platform/DevOps teams, legal/compliance officers, open-source maintainers, security architects
  • Competitive landscape: Snyk ($7.4B valuation peak), Endor Labs ($70M Series A), GitHub Dependabot (free, but limited), open-source tools (Trivy, Grype, OSV-Scanner)
  • EU Cyber Resilience Act (2027): Mandates SBOM inclusion and continuous vulnerability monitoring—regulatory tailwind

Key Features

MVP

  • Multi-ecosystem vulnerability scanning (npm, pip, Maven, Go, Cargo, RubyGems, NuGet)
  • OSV.dev + NVD + GitHub Advisory vulnerability database integration
  • CVSS + EPSS composite risk scoring with remediation priority ranking
  • SBOM generation (CycloneDX and SPDX)
  • Automated fix PR generation for version-bump remediations
  • GitHub, GitLab, Bitbucket PR decoration and CI/CD CLI gates

v1.1 Enhancements

  • Call-graph-based reachability analysis to suppress non-exploitable findings
  • AI-powered fix PRs handling API migrations and interface changes
  • License compliance scanning with configurable policy enforcement
  • Container image scanning (OS packages + language dependencies)
  • Natural-language policy authoring

Vision (Backlog)

  • Supply chain behavioral anomaly detection (pre-CVE suspicious activity)
  • IaC misconfiguration detection (Terraform, Kubernetes, Dockerfile)
  • SLSA attestation and Sigstore signature verification
  • Multi-repo SBOM management dashboard with organizational aggregation

Research & References

This project is grounded in peer-reviewed research and industry data:

  • Zahan et al. (2025): "Research Directions in Software Supply Chain Security" — practitioners need reachability/exploitability data; no current SCA tool provides sufficient information
  • Deng et al. (2025): "Supply Chain Reaction" — function call graphs can identify unreachable CVEs; recommend SBOMs with embedded call graphs
  • Wermke et al. (2024): "Understanding vulnerabilities in software supply chains" — quantitative study of how dependency relationships amplify security threats
  • 2025 Software Supply Chain Security Reports (Black Duck/Ponemon, Recorded Future) — document enterprise vulnerability backlogs, MTTR metrics, and organizational readiness

Technology Stack Considerations

  • Language/ecosystem agnostic: Leverage AST analysis and LLM code understanding for 40+ ecosystems
  • Open-source foundations: Build on Trivy, Grype/Syft, or OSV-Scanner as baseline scanners
  • Reachability engine: LLM-assisted call graph construction (Tree-sitter for parsing, BERT/GPT for semantic analysis)
  • Policy engine: Natural-language-to-code translation (Rego, OPA output)
  • SBOM standards: CycloneDX 1.5, SPDX 2.3 generation and validation

Why Now?

  • Regulatory momentum: EU CRA (2027) and US Executive Orders (EO 14028) mandate SBOM and supply chain risk controls
  • OpsGenie EOL (2027): Creates adjacent opportunity for comprehensive DevOps consolidation
  • Academic validation: 2025 peer-reviewed papers proving reachability analysis reduces false positives by 90%+
  • Open-source demand: Majority of ecosystem relies on community tools; commercial alternatives inaccessible to non-profit projects and cost-sensitive teams

Status: Research complete (April 2026) | Research Files: research.md, features.md