claude
A variant of Dependency Security Auditor.
View the interactive variant page →
Dependency Security Auditor
An AI-native software composition analysis (SCA) platform that democratizes vulnerability management for open-source projects and development teams.
The Problem
Software supply chain attacks are accelerating, yet 90% of reported CVEs in deployed dependencies are unreachable and pose no actual risk. Current SCA tools force developers to choose between:
- Commercial tools (Snyk, Endor Labs) that lock reachability analysis and fix intelligence behind expensive per-seat pricing
- Open-source tools (Trivy, Grype) that detect vulnerabilities but cannot explain which ones actually matter
- DIY approaches that consume significant engineering bandwidth for minimal noise reduction
The market for SCA is growing at 20–22% CAGR to reach $1.7–6.7B by 2030, yet the gap between detection and intelligent remediation remains unfilled by open-source alternatives.
The Opportunity
Build an AI-native auditor that provides:
-
Reachability-as-standard, not premium: Use LLM-assisted call graph analysis to determine whether vulnerable code is actually callable from application entry points. Endor Labs reports 90%+ false-positive reduction using this approach—now available as open-source infrastructure.
-
Intelligent fix-PR generation beyond version bumps: When a fix requires API migration, interface changes, or configuration updates, AI analyzes the changelog and generates the actual code modifications needed—not just a version pin.
-
Prioritization beyond CVSS scores: Combine CVSS + EPSS exploit probability + repository-specific reachability data + threat feeds to generate a genuinely ranked remediation queue, surfacing the 5% of CVEs that warrant action versus the 95% that are theoretical risks.
-
Supply chain provenance reasoning: Detect anomalous package behavior patterns—unusual permission requests, unexpected network calls in post-install hooks, suspicious maintainer takeovers—that precede CVE publication.
-
Policy-as-code with natural language: Accept organizational dependency rules in plain language, translate them into enforceable policies, and explain violations to developers without requiring YAML/Rego expertise.
Market Context
- Market size: $585M–$614M in 2024; projected 19.8–25.6% CAGR to $1.7–6.7B by 2030
- Buyer personas: AppSec engineers, platform/DevOps teams, legal/compliance officers, open-source maintainers, security architects
- Competitive landscape: Snyk ($7.4B valuation peak), Endor Labs ($70M Series A), GitHub Dependabot (free, but limited), open-source tools (Trivy, Grype, OSV-Scanner)
- EU Cyber Resilience Act (2027): Mandates SBOM inclusion and continuous vulnerability monitoring—regulatory tailwind
Key Features
MVP
- Multi-ecosystem vulnerability scanning (npm, pip, Maven, Go, Cargo, RubyGems, NuGet)
- OSV.dev + NVD + GitHub Advisory vulnerability database integration
- CVSS + EPSS composite risk scoring with remediation priority ranking
- SBOM generation (CycloneDX and SPDX)
- Automated fix PR generation for version-bump remediations
- GitHub, GitLab, Bitbucket PR decoration and CI/CD CLI gates
v1.1 Enhancements
- Call-graph-based reachability analysis to suppress non-exploitable findings
- AI-powered fix PRs handling API migrations and interface changes
- License compliance scanning with configurable policy enforcement
- Container image scanning (OS packages + language dependencies)
- Natural-language policy authoring
Vision (Backlog)
- Supply chain behavioral anomaly detection (pre-CVE suspicious activity)
- IaC misconfiguration detection (Terraform, Kubernetes, Dockerfile)
- SLSA attestation and Sigstore signature verification
- Multi-repo SBOM management dashboard with organizational aggregation
Research & References
This project is grounded in peer-reviewed research and industry data:
- Zahan et al. (2025): "Research Directions in Software Supply Chain Security" — practitioners need reachability/exploitability data; no current SCA tool provides sufficient information
- Deng et al. (2025): "Supply Chain Reaction" — function call graphs can identify unreachable CVEs; recommend SBOMs with embedded call graphs
- Wermke et al. (2024): "Understanding vulnerabilities in software supply chains" — quantitative study of how dependency relationships amplify security threats
- 2025 Software Supply Chain Security Reports (Black Duck/Ponemon, Recorded Future) — document enterprise vulnerability backlogs, MTTR metrics, and organizational readiness
Technology Stack Considerations
- Language/ecosystem agnostic: Leverage AST analysis and LLM code understanding for 40+ ecosystems
- Open-source foundations: Build on Trivy, Grype/Syft, or OSV-Scanner as baseline scanners
- Reachability engine: LLM-assisted call graph construction (Tree-sitter for parsing, BERT/GPT for semantic analysis)
- Policy engine: Natural-language-to-code translation (Rego, OPA output)
- SBOM standards: CycloneDX 1.5, SPDX 2.3 generation and validation
Why Now?
- Regulatory momentum: EU CRA (2027) and US Executive Orders (EO 14028) mandate SBOM and supply chain risk controls
- OpsGenie EOL (2027): Creates adjacent opportunity for comprehensive DevOps consolidation
- Academic validation: 2025 peer-reviewed papers proving reachability analysis reduces false positives by 90%+
- Open-source demand: Majority of ecosystem relies on community tools; commercial alternatives inaccessible to non-profit projects and cost-sensitive teams
Status: Research complete (April 2026) | Research Files: research.md, features.md