Lockfile-first scanner for compromised npm/PyPI/Maven/Cargo/Go/RubyGems packages — OSV + curated extras feed, SLSA L3, locked-container CI
Updated May 5, 2026 - Python
🛡️ Blazing fast Supply Chain Security tool written in Rust. Features ephemeral sandboxing, hybrid analysis (CVE + Heuristics), and entropy-based malware detection.
Real-time npm/PyPI supply-chain threat detection. Behavioral chain analysis, AST scanning, IOC feeds, and compound scoring engine.
Deterministic, reachability-aware software composition analysis (SCA) engine — lockfile-first resolution, function- & cross-package reachability, patch-diff symbol mining, EPSS/KEV, SARIF + OpenVEX. Zero runtime dependencies.
GuOx: Ultimate enterprise‑grade, AI & WASM‑powered Express security framework.
Paste your manifest. Get back the fixed files. Free browser-based dependency security fixer — npm, PyPI, Ruby, PHP. No login. No CLI.
Open-source local dependency and vulnerability scanner for Java (Maven/Gradle) and JavaScript (npm) projects.
Ubel is a fast, cross‑ecosystem security engine that resolves dependencies, generates PURLs, scans them through OSV.dev, and enforces security policies during installation to prevent supply-chain attacks. It works with: PyPI (via ubel-pip), npm (via ubel-npm), and Linux distributions (Ubuntu-based, Debian-based, RHEL, AlmaLinux).
Supply-chain security and dependency analysis tool for the npm ecosystem
Free dependency vulnerability scanner — scans full transitive tree for CVEs. Supports npm, PyPI, Maven. No signup.
Shell script to detect TanStack npm supply chain attack indicators (CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx)
Scan projects for CVEs in AI-generated dependencies. Zero API calls. Works offline.
Supply chain scanner for npm and PyPI
Cross-ecosystem dependency security scanner. Detects the axios RAT supply chain attack and similar threats. 4-layer detection: AST analysis, behavioral fingerprinting, dep graph profiling, registry metadata. Scans npm/PyPI/Cargo/Brew. Zero dependencies.
AI-powered open source license compliance scanner. Analyzes how dependencies are actually used — not just what license they have — to determine if obligations trigger for your distribution model. Multi-agent AI pipeline, MCP server for Claude Code integration, and structured output for AI assistants. Zero API keys needed for local use.
DepScope — Package Intelligence for AI Agents. 22 MCP tools, 19 ecosystems, free, no auth. https://depscope.dev
Scan your npm/Python dependency READMEs for prompt-injection instructions aimed at coding agents before you install — JSON output for CI
A unified Python desktop and CLI security scanner orchestrating dependency auditing, secrets detection, SAST, IaC linting, and web vulnerability analysis.
Offline Go scanner that catches prompt-injection instructions hidden in third-party dependency prose (README/CHANGELOG/docstring) before your coding agent runs them — single static binary, SARIF output
Multi-ecosystem SBOM scanner with interactive HTML report, dependency tree, and CVE scanning. Supports npm, PyPI, Dart, Maven/Gradle, Rust/Cargo.