Vulnerabilities
The vulnerability scanner analyses your dependency tree against multiple vulnerability databases and enriches every finding with real-world exploitation data. It tells you not only what is vulnerable, but what is most likely to be exploited and what is already under active attack.
What it detects
The scanner reads manifest and lockfiles from the repository and cross-references every dependency, direct and transitive, against vulnerability databases that aggregate CVE records, GitHub Security Advisories, and language-specific sources. Note that only a lockfile records the exact version resolved for every package in the tree; a manifest on its own states what the project asks for, not necessarily what gets installed, so committing lockfiles gives the most accurate transitive coverage.
Each vulnerability includes the affected package, installed version, fixed version (when available), CVSS score, and severity classification (Critical, High, Medium, Low).
Findings are then enriched with exploitation probability scores and active exploitation intelligence, giving your team the context needed to prioritise remediation where it matters most.
Supported ecosystems
Detection is automatic based on the manifest and lockfiles present in the repository. Supported ecosystems and the files recognised for each:
JavaScript / TypeScript: package-lock.json, yarn.lock, pnpm-lock.yaml
Python: requirements.txt, Pipfile.lock, poetry.lock, pyproject.toml
Java: pom.xml, build.gradle, gradle.lockfile
Go: go.mod, go.sum
Rust: Cargo.lock
Ruby: Gemfile.lock
PHP: composer.lock
C# / .NET: .csproj, packages.config, packages.lock.json
How it works
The scanner downloads the repository archive, extracts it, and runs a recursive scan against all manifest and lockfiles. Detected vulnerabilities are deduplicated and grouped by package.
Results are then passed to the enrichment service, which batch-queries the exploitation probability scores and active exploitation catalogue. Both data sources are refreshed every six hours and cached locally, so enrichment adds minimal latency to the overall scan.
When vulnerabilities are found, the scanner can optionally trigger automated remediation, generating pull requests that update affected dependencies to their fixed versions. Findings with no fixed version yet are reported but cannot be auto-remediated, and a fix that lands in a new major version should be reviewed for breaking changes before the pull request is merged.
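The pipeline described above in miniature, as an added example rather than the product's own code: parse an npm lockfile, match each installed package@version against an advisory set, collapse duplicate nested installs into one finding, enrich with an exploitation probability feed and an active-exploitation list, rank, and compute one upgrade target per package. The lockfile, advisories, probabilities and active-exploitation set are constructed and the package names and advisory IDs are fictional; the severity bands are the standard CVSS v3.x qualitative scale.

```python
"""Toy dependency scan: lockfile -> findings -> enrichment -> ranking -> upgrade targets.
Added example, not the product's code. All data below is constructed; package
names and advisory IDs are fictional."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed package-lock.json (lockfileVersion 3). Keys under "packages" are
# install paths, so a nested (transitive) copy shows up as a deeper path.
LOCKFILE = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"webframe": "^4.17.0"}},
        "node_modules/webframe": {"version": "4.17.1"},
        "node_modules/qparse": {"version": "6.5.2"},
        "node_modules/body-reader/node_modules/qparse": {"version": "6.5.2"},
        "node_modules/strutil": {"version": "4.17.20"},
    },
})

# Constructed advisories. Version v is affected when introduced <= v < fixed;
# fixed=None means no patched release exists yet.
ADVISORIES = [
    {"id": "ADV-0001", "package": "qparse", "introduced": "6.0.0", "fixed": "6.5.3", "cvss": 7.5},
    {"id": "ADV-0002", "package": "strutil", "introduced": "0.0.0", "fixed": "4.17.21", "cvss": 7.2},
    {"id": "ADV-0003", "package": "strutil", "introduced": "4.17.0", "fixed": None, "cvss": 5.3},
    {"id": "ADV-0004", "package": "webframe", "introduced": "0.0.0", "fixed": "4.0.0", "cvss": 9.8},
]

# Constructed enrichment feeds: exploitation probability per advisory, and the
# set of advisories observed under active exploitation.
EXPLOIT_PROBABILITY = {"ADV-0001": 0.94, "ADV-0002": 0.02, "ADV-0003": 0.01}
ACTIVELY_EXPLOITED = {"ADV-0001"}


@dataclass
class Finding:
    advisory: str
    package: str
    version: str
    fixed: Optional[str]
    cvss: float
    severity: str
    paths: list                          # every install path carrying package@version
    probability: Optional[float] = None  # None when the feed has no entry yet
    active: bool = False


def parse_version(v: str) -> tuple:
    """'6.5.2' -> (6, 5, 2); a pre-release suffix after '-' is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    return "Medium" if cvss >= 4.0 else "Low"


def installed_packages(lockfile_text: str) -> dict:
    """Map (name, version) -> [install paths], direct and transitive alike."""
    out = {}
    for path, meta in json.loads(lockfile_text)["packages"].items():
        if not path:                  # "" is the root project itself
            continue
        name = path.split("node_modules/")[-1]
        out.setdefault((name, meta["version"]), []).append(path)
    return out


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v and (fixed is None or v < parse_version(fixed))


def scan(lockfile_text: str, advisories=ADVISORIES) -> list:
    """One Finding per (advisory, package, version): nested duplicates collapse."""
    findings = []
    for (name, version), paths in installed_packages(lockfile_text).items():
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append(Finding(adv["id"], name, version, adv["fixed"],
                                        adv["cvss"], severity(adv["cvss"]), paths))
    return findings


def enrich(findings: list, probs=EXPLOIT_PROBABILITY, active=ACTIVELY_EXPLOITED) -> list:
    for f in findings:
        f.probability = probs.get(f.advisory)
        f.active = f.advisory in active
    return findings


def rank(findings: list) -> list:
    """Active exploitation first, then exploitation probability, then CVSS."""
    return sorted(findings, key=lambda f: (f.active, f.probability or 0.0, f.cvss), reverse=True)


def remediation_targets(findings: list) -> dict:
    """Per package, the lowest version that clears every advisory that has a fix."""
    targets = {}
    for f in findings:
        if f.fixed and (f.package not in targets
                        or parse_version(f.fixed) > parse_version(targets[f.package])):
            targets[f.package] = f.fixed
    return targets


if __name__ == "__main__":
    for f in rank(enrich(scan(LOCKFILE))):
        print(f"{f.advisory} {f.package}@{f.version} {f.severity} cvss={f.cvss} "
              f"p={f.probability} active={f.active} fix={f.fixed} ({len(f.paths)} copies)")
    print("upgrade:", remediation_targets(scan(LOCKFILE)))
```

Two details worth noting: the 9.8 advisory against webframe is correctly dropped because the installed version is past its fixed release, and the ranking puts the High finding that is under active exploitation ahead of everything else, which is the ordering the enrichment step exists to produce. The upgrade target per package is the highest fixed version among its fixable findings, so a single bump clears them all; advisories with no fix stay in the report but contribute no target.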