Gain complete visibility into dependencies, vulnerabilities, and compliance risks.
Paste any repository URL
Deptic fetches every manifest file across the entire repository tree — recursively, automatically.
Full dependency resolution
Every package — direct and transitive — resolved across npm, pip, Maven, Go, and more. 1,247 components in seconds.
CVE detection per component
Each component matched against NVD and OSV.dev. Critical vulnerabilities flagged with exact patched versions.
Compliance report generated
NTIA EO14028 and EU CRA compliance score. CycloneDX 1.5 and SPDX 2.3 export. One click.
$ deptic-scan
› Fetching file tree... 2,847 files indexed
› Found package.json
› Found pom.xml
› Found go.mod
› Indexing_
1,247
components resolved
Everything compliance requires. Nothing it doesn't.
Real-time CVE detection
Every component matched against NVD and OSV.dev. Critical vulnerabilities flagged instantly with exact patched versions.
NTIA Compliance
7/7
- Component name
- Version string
- Unique identifier
- Dependency relationship
- Author of component
- Timestamp
- Hash of component
Export formats
Fix with PR
- "log4j-core": "2.14.1"
+ "log4j-core": "2.17.1"
- "lodash": "4.17.20"
+ "lodash": "4.17.21"
4 ecosystems
Workspace
0
repositories monitored
Connect
Paste a URL or run deptic-scan
Point Deptic at any public or private repository. No setup, no agents, no config files.
Detect
Every manifest found automatically
package.json, pom.xml, go.mod, requirements.txt — discovered recursively across the entire tree.
backend/
├─ package.json ✓
├─ src/
├─ pom.xml ✓
└─ go.mod ✓
Analyze
Full dependency tree resolved
Direct and transitive dependencies resolved and graphed. 1,247 components in seconds.
Report
Compliance report in seconds
Compliance score, CVE summary, and exportable SBOM — ready to share or download.
100
compliance score
3
CVEs patched
Before Deptic. After Deptic.
⚠ CVE-2021-44228 unresolved
⚠ CVE-2024-22262 unresolved
manual_tracking.xlsx — 4 days old
visibility: 0%
Manual vulnerability tracking
Spreadsheets, stale data, and zero visibility into transitive dependencies.
Automated CVE detection
Every component continuously matched against NVD and OSV.dev.
Zero CVEs shipped
Clean builds, signed SBOMs, and a 100/100 compliance score every release.
- Multi-ecosystem scanning
- Fix with PR
- NTIA Compliance
- Vendor Sharing
- Auto-scan on push
Multi-ecosystem scanning
Detect manifests across npm, pip, Maven, and Go simultaneously — one unified scan.
Fix with PR
Generate a pull request that patches every vulnerable dependency to a safe version.
NTIA Compliance
Automatically validate all seven NTIA minimum elements and produce a score.
Vendor Sharing
Share a read-only report link with vendors — no login required.
Auto-scan on push
Connect a webhook so every push triggers a fresh scan and notification.
Built for developers
One API call. Full SBOM analysis. Download reports programmatically.
Single-use API keys
Disposable keys — one scan per key for maximum security.
Scan local or remote
Point at a GitHub URL or a local directory. Same API.
Download PDF + CycloneDX + SPDX
Every export format included with every scan.
Simple pricing
Start free. Pay when you scale.
Free
For individuals getting started.
- 5 scans / month
- 1 ecosystem
- CVE detection
- CycloneDX export
Enterprise
For organizations at scale.
- Everything in Pro
- SSO + RBAC
- Auto-scan on push
- Vendor sharing
- Priority support
Trusted by security-first teams
“Deptic caught a critical transitive CVE our previous scanner missed entirely. Shipped a fix in minutes.”
Sarah Chen
Staff Engineer, Lattice
“The NTIA compliance score alone saved us a week of manual audit work before our SOC 2.”
Marcus Webb
Head of Security, Northwind
“Multi-ecosystem scanning in one pass. Our monorepo spans npm, Go, and Python — finally one tool.”
Priya Nair
Platform Lead, Cobalt
“Fix-with-PR is magic. It opened a clean diff patching four dependencies. We just clicked merge.”
Diego Alvarez
Senior SRE, Helios
“Vendor sharing with no login meant our customers could verify our SBOM without friction.”
Emma Larsson
VP Engineering, Veridian
“Auto-scan on push gives us continuous assurance. Every deploy is verified against the latest CVEs.”
Tom Okafor
DevOps Manager, Apex
“We replaced three separate tools with Deptic. One dashboard, all ecosystems, zero blind spots.”
Anika Patel
CTO, StackLayer
“The PDF report export made our compliance reviews painless. Auditors love the format.”
James Thornton
Compliance Officer, Finsecure
“Deptic found 23 vulnerable transitive deps we had no idea existed. That alone justified the switch.”
Yuki Tanaka
Security Architect, Kaizen
“Setup took five minutes. First scan surfaced a log4j variant hiding three layers deep in our graph.”
Rachel Gomez
Engineering Manager, Cloudrift
“The CycloneDX and SPDX exports saved us from building custom tooling. Standards out of the box.”
Oliver Brandt
Lead Developer, Neovault
“Our CI pipeline now gates on Deptic scores. No build ships with unresolved critical CVEs anymore.”
Fatima Al-Rashid
Principal Engineer, Orion
“Deptic gives us peace of mind. We know exactly what is in our software at all times.”
David Chen
Security Analyst, Sentinel
“The integration with GitHub Actions was flawless. We were up and running in minutes.”
Elena Rodriguez
DevOps Engineer, CloudNative
“I love how it prioritizes vulnerabilities based on actual exploitability. Less noise, more action.”
Michael Chang
AppSec Manager, FinTech Solutions
“Generating SBOMs used to take days. Now it is completely automated with every release.”
Jessica Lee
Release Manager, GlobalSoft
“The visual dependency graph helped us identify and remove several redundant libraries.”
Brian Smith
Senior Developer, WebWorks
“Deptic is the first tool that our developers actually enjoy using. It is fast and intuitive.”
Amanda Taylor
VP Engineering, Innovate
“We caught a malicious package update before it even hit our staging environment.”
Kevin Davis
SecOps Lead, DefendTech
“The reporting features are top-notch. It makes communicating risk to the board much easier.”
Laura Martinez
CISO, EnterpriseCorp
“I highly recommend Deptic to any team serious about securing their supply chain.”
Steven Wilson
Security Consultant, Independent
“It found vulnerabilities that other popular commercial scanners missed completely.”
Samantha Brown
Cybersecurity Researcher, InfoSec Labs
“The automated PR feature is a game-changer. It literally does the work for us.”
Christopher Jones
Lead Architect, BuildFast
“Deptic helps us maintain compliance with the latest industry regulations effortlessly.”
Ashley Garcia
Compliance Director, SecureHealth
“The support team is incredibly responsive and helpful. They really listen to feedback.”
Matthew Miller
IT Manager, TechCorp
“A must-have tool for modern software development. I would not build without it.”
Emily Anderson
Full Stack Developer, StartupInc
“It gives us a clear picture of our technical debt and where we need to focus our efforts.”
Joshua Thomas
Engineering Director, ScaleUp
“The zero-configuration setup is brilliant. It just works right out of the box.”
Olivia Jackson
Systems Administrator, CloudSys
“Deptic has significantly reduced the time we spend managing open-source dependencies.”
Andrew White
Software Engineer, DataDrive
“The insights provided by Deptic have helped us make better architectural decisions.”
Megan Harris
Principal Architect, NextGen
“It is simply the best SBOM and dependency scanning tool on the market today.”
Daniel Martin
CTO, TechVision
Know exactly what's inside your software
Free to start. No credit card required.
Start scanning — deptic.in
npm · pip · Maven · Go