dep-scan: Fully open-source security audit for project dependencies
dep-scan is a fully open-source security audit tool for project dependencies based on known vulnerabilities, advisories, and license limitations. Both local repositories and container images are supported as input. The tool is ideal for CI environments, with built-in build-breaker logic.
- Local repository and container image-based scanning
- Package vulnerability scanning is performed locally and is quite fast. No server is used!
- Configurable cache and sync functionality to manage the local vulnerability database
- Pre-installed and integrated with slscan
- Suggests the optimal fix version by package group (see suggest mode)
- Performs a deep package risk audit (see risk audit)
- Only application-related packages in container images are included in scanning. OS packages are not included yet.
Supported languages and package formats
dep-scan uses the cdxgen command internally to create a CycloneDX Software Bill-of-Materials (SBoM) file for the project. This SBoM is then used for performing the scans.
The following project types and package-dependency formats are supported by cdxgen.
| Language | Package format |
| --- | --- |
| node.js | package-lock.json, pnpm-lock.yaml, yarn.lock, rush.js |
| java | maven (pom.xml), gradle (build.gradle, .kts), scala (sbt) |
| python | setup.py, requirements.txt, Pipfile.lock, poetry.lock, bdist_wheel |
| go | go.mod, go.sum, Gopkg.lock, binary |
| .Net Framework | .csproj, packages.config |
| .Net core | .csproj, packages.config |
| docker / oci image | All supported languages, excluding OS packages |
The docker image for dep-scan currently doesn't bundle the java and maven commands required for BOM generation of java projects. To work around this limitation, you can:
- Use the python-based execution (pip-installed depscan) from a VM containing the correct versions of java, maven, and gradle.
- Generate the BOM file by invoking the cdxgen command locally and subsequently pass it to dep-scan via the `--bom` argument.
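The second workaround as a CI script, added here as an example and not part of dep-scan or cdxgen: cdxgen writes the CycloneDX BOM on a machine that has the right JDK and build tools, the script checks that the file really is a CycloneDX BOM (an empty or truncated file would otherwise scan clean), and then hands it to depscan with `--bom`. The helper names (`bom_ok`, `bom_component_count`, `generate_bom`, `scan_bom`) are this example's own; the `cdxgen -r -o` and `depscan --src --bom --report-file` options are the tools' real flags, and the non-zero exit status of depscan is what breaks the build.

```shell
#!/usr/bin/env bash
# Added example (not dep-scan's own code): generate the SBoM with cdxgen,
# validate it, then scan it with depscan via --bom.
set -eu

# Refuse to scan a file that is not a CycloneDX BOM. cdxgen failing quietly
# (e.g. missing JDK) would otherwise yield a clean but meaningless report.
bom_ok() {                      # bom_ok <bom-file>; returns 0 if plausible
  f="$1"
  [ -s "$f" ] || return 1
  grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f" || return 1
  grep -q '"components"' "$f" || return 1
  return 0
}

# Rough component count: one "purl" key per component in a CycloneDX BOM.
bom_component_count() {         # bom_component_count <bom-file>
  grep -o '"purl"' "$1" | wc -l | tr -d ' '
}

generate_bom() {                # generate_bom <src-dir> <bom-file>
  # -r recurses into sub-projects, -o sets the output path.
  cdxgen -r -o "$2" "$1"
}

scan_bom() {                    # scan_bom <src-dir> <bom-file> <report-file>
  # depscan reads the BOM instead of invoking cdxgen itself; a non-zero
  # exit status here is the build breaker.
  depscan --src "$1" --bom "$2" --report-file "$3"
}

main() {
  src="${1:-.}"
  bom="${2:-bom.json}"
  report="${3:-depscan-report.json}"
  command -v cdxgen  >/dev/null || { echo "cdxgen not found in PATH" >&2; exit 2; }
  command -v depscan >/dev/null || { echo "depscan not found in PATH" >&2; exit 2; }

  generate_bom "$src" "$bom"
  bom_ok "$bom" || { echo "$bom is not a CycloneDX BOM; aborting" >&2; exit 2; }
  n="$(bom_component_count "$bom")"
  [ "$n" -gt 0 ] || { echo "BOM has no components; check the build tools" >&2; exit 2; }
  echo "scanning $n components from $bom"

  scan_bom "$src" "$bom" "$report"
}

# Usage: ./scan.sh <src-dir> <bom-file> <report-file>
# Only runs the pipeline when arguments are supplied.
[ $# -eq 0 ] || main "$@"
```

Run `generate_bom` on the host (or a build VM) with java and maven installed, and `scan_bom` wherever depscan is available; the BOM file is the only thing that has to cross between them.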
Copyright (c) 2020 AppThreat