Quick Start
1
Create an account
Sign up at deptic.in using your GitHub account. Deptic uses GitHub OAuth to authenticate and access repository manifests.
Deptic requires the following GitHub permissions:
- repo — read access to repository contents (manifest files only)
- admin:repo_hook — register webhooks for auto-scan (optional)
2
Scan a repository
Navigate to Projects → Initiate Scan. Enter any public or private GitHub repository URL:
https://github.com/your-org/your-repo
Deptic automatically detects all manifest files across the repository tree. No configuration required.
3
Review results
Once the scan completes (typically 30–120 seconds depending on project size), you will see:
- Inventory size: total components including transitive dependencies
- Active threats: number of components with known CVEs
- NTIA compliance score: 0–100 based on the 7 minimum elements
- Severity breakdown: Critical / High / Medium / Low CVE counts
4
Export your SBOM
Download a signed SBOM in CycloneDX 1.5 or SPDX 2.3 format from the Bill of Materials tab. Both formats are accepted by US federal agencies and EU procurement systems.
CycloneDX JSON files are SHA-256 signed and include a timestamp, author, and component PURLs — all 7 NTIA minimum elements.
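An exported SBOM is only useful downstream if all 7 NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, author, timestamp) are actually present. The checker below is an added example, not Deptic's code; it runs against a constructed CycloneDX 1.5 JSON document standing in for an export, and the field names it inspects are standard CycloneDX 1.5 fields.

```python
import json

# Constructed CycloneDX 1.5 document (sample data, not a real Deptic export).
# Deliberately incomplete: urllib3 has no supplier and no dependencies entry.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-05-01T12:00:00Z",
        "authors": [{"name": "example-sbom-author"}],
        "component": {"type": "application", "name": "your-repo",
                      "version": "1.0.0", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "supplier": {"name": "psf"}, "purl": "pkg:pypi/requests@2.31.0",
         "bom-ref": "req"},
        {"type": "library", "name": "urllib3", "version": "2.2.1",
         "purl": "pkg:pypi/urllib3@2.2.1", "bom-ref": "url"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["req"]},
                     {"ref": "req", "dependsOn": ["url"]}],
})


def ntia_gaps(sbom_json: str) -> dict:
    """Return {ntia_element: [problems]} for every NTIA minimum element that is
    not satisfied; an empty dict means all 7 elements are present."""
    bom = json.loads(sbom_json)
    meta = bom.get("metadata", {})
    comps = bom.get("components", [])
    # Every component (and the root component) needs a dependencies entry,
    # even an empty one, so that "no dependencies" is an explicit statement.
    refs = {c.get("bom-ref") for c in comps} | {meta.get("component", {}).get("bom-ref")}
    declared = {d.get("ref") for d in bom.get("dependencies", [])}
    gaps = {
        "author": [] if meta.get("authors") else ["metadata.authors missing"],
        "timestamp": [] if meta.get("timestamp") else ["metadata.timestamp missing"],
        "component_name": [f"component #{i} lacks name" for i, c in enumerate(comps) if not c.get("name")],
        "version": [f"{c.get('name')} lacks version" for c in comps if not c.get("version")],
        "supplier": [f"{c.get('name')} lacks supplier" for c in comps if not c.get("supplier", {}).get("name")],
        "unique_id": [f"{c.get('name')} lacks purl/cpe" for c in comps if not (c.get("purl") or c.get("cpe"))],
        "dependency_relationship": sorted(f"{r} has no dependencies entry" for r in refs if r not in declared),
    }
    return {k: v for k, v in gaps.items() if v}


if __name__ == "__main__":
    for element, problems in ntia_gaps(SAMPLE_SBOM).items():
        print(f"{element}: {'; '.join(problems)}")
```

Running it against the sample reports the two deliberate gaps; the same function applied to a downloaded export tells you whether the file will pass a procurement reviewer's NTIA check before you send it.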
5
Fix vulnerabilities
Click Fix All with PR in the Vulnerabilities tab. Deptic:
- Queries OSV.dev for ALL affected versions of each vulnerable package
- Finds the latest version with ZERO known CVEs
- Creates a branch and opens a GitHub Pull Request with the version bumps
- Verifies the chosen versions against OSV before creating the PR

