A vulnerability scanner for container images and filesystems

Library to ingest and generate VEX documents

Pure-Rust Android decompiler and security-audit suite. DEX → Java, Hermes → JavaScript. Cross-layer taint across the React Native bridge. CycloneDX SBOM + OpenVEX. CLI and MCP. Bytecode is not a security layer.

CA9 is a local evidence engine for Python AppSec triage. It sits after scanners and before engineers waste time, proving which findings matter.

SBOM diff with supply-chain risk signals — flags new CVEs, typosquats, and young maintainers on changed deps. Built after axios (Mar 2026), Shai-Hulud, and xz.

Java library for generating, consuming, and operating on OpenVEX documents

.NET types for OpenVEX documents

Threat-informed CLI for prioritizing known CVEs with NVD, EPSS, KEV, ATT&CK, VEX, and asset context

VEX document crawler and aggregator

A GitHub Action that merges VEX statement files together into a single merged file for use with other tooling

VEX statements for SUSE Observability product images. Consumable by Trivy via --vex repo.

APK / AAB / XAPK parser and security analysis library. Signing v1–v4 + ROCA / Fermat / Wiener / batch-GCD. CycloneDX SBOM with .rodata byte anchors. OpenVEX. YARA-X. Pure Rust.