How Deptic Works

Deptic is built on a simple premise: full visibility without code execution. Unlike traditional SCA tools that require you to run npm install or build your project, Deptic analyzes your repository statically and constructs the dependency tree exactly as the package manager would.

The Scanning Pipeline:

1. Discovery
   Deptic scans your repository tree to find all supported manifest files (e.g., package.json, requirements.txt, pom.xml). It intentionally skips noise directories like node_modules or target.

2. Parsing
   Manifests are parsed to extract direct dependencies. Deptic supports multiple lockfile formats to ensure versions are mapped accurately.

3. Transitive Resolution
   For each direct dependency, Deptic queries the upstream registry (npm, PyPI, Maven Central, etc.) to fetch its metadata and dependencies. This process is applied recursively to construct the full graph.

4. Vulnerability Matching
   The completed inventory is batched and sent to OSV.dev and NVD to identify known vulnerabilities across all components, including deeply nested transitive dependencies.

5. Report Generation
   Finally, Deptic calculates compliance scores and generates CycloneDX/SPDX SBOMs and PDF reports, available for download or via API.

Zero-execution guarantee

Because Deptic never executes build commands or package installation scripts (such as npm postinstall hooks), a malicious dependency cannot run code in your CI/CD pipeline during the scanning phase.
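To make the static approach behind steps 2 to 4 and the zero-execution guarantee concrete, here is an added example (not Deptic's own code) that rebuilds an npm dependency tree purely by reading a package-lock.json, reproducing Node's nested node_modules lookup so that conflicting transitive versions resolve the way the package manager would, and then assembles the request body for OSV.dev's public /v1/querybatch endpoint. The lockfile contents are constructed for illustration; no install command, and therefore no install-time hook, is ever run.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample package-lock.json (lockfileVersion 3 layout). "packages" is
# keyed by install path; a nested path means a second copy of a package was
# installed because two consumers required incompatible version ranges.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-lib": "^2.0.0", "parser-core": "^1.0.0"}},
        "node_modules/parser-core": {"version": "1.2.0"},
        "node_modules/web-lib": {"version": "2.1.0",
                                 "dependencies": {"parser-core": "^0.9.0"}},
        "node_modules/web-lib/node_modules/parser-core": {"version": "0.9.4"},
    },
})

def locate(packages: dict, parent: str, name: str) -> str:
    """Mimic Node's lookup: try <parent>/node_modules/<name>, then climb one
    node_modules level at a time until the top-level entry is reached."""
    path = parent
    while True:
        candidate = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not path:
            raise KeyError(f"{name} required by {parent!r} is missing from the lockfile")
        path = path.rsplit("/node_modules/", 1)[0] if "/node_modules/" in path else ""

def resolve_tree(lock_text: str) -> Dict[str, Tuple[str, str, int]]:
    """Return {install_path: (name, version, depth)} for every package reachable
    from the root entry "", following declared dependencies recursively."""
    packages = json.loads(lock_text)["packages"]
    resolved: Dict[str, Tuple[str, str, int]] = {}
    stack: List[Tuple[str, str, int]] = [("", dep, 1) for dep in packages[""].get("dependencies", {})]
    while stack:
        parent, name, depth = stack.pop()
        path = locate(packages, parent, name)
        if path in resolved:
            continue  # shared (diamond) dependency: visit each installed copy once
        resolved[path] = (name, packages[path]["version"], depth)
        for child in packages[path].get("dependencies", {}):
            stack.append((path, child, depth + 1))
    return resolved

def osv_batch_query(resolved: Dict[str, Tuple[str, str, int]], ecosystem: str = "npm") -> dict:
    """Request body for POST https://api.osv.dev/v1/querybatch: one package+version
    query per installed copy, so nested transitive copies are checked as well."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for _path, (n, v, _depth) in sorted(resolved.items())]}
```

Running resolve_tree on the sample yields three installed copies, two of them parser-core at different versions, and each becomes its own OSV query so a vulnerability that affects only the nested 0.9.x copy is still reported.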