dependency-vulnerability-scanning

Community

Block risky dependencies before they ship

Author: machenjie
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

It prevents unreviewed dependency and supply-chain changes from entering your build or runtime by enforcing a structured risk review across necessity, vulnerabilities, licenses, transitive impact, lockfile integrity, SBOM traceability, and maintainer health.

Core Features & Use Cases

  • Necessity justification for every dependency change: requires written rationale for why the dependency is needed, what functionality it provides, and which code paths will actually use it.
  • Full transitive vulnerability scanning: scans the entire lockfile tree (direct and transitive) and escalates CRITICAL/HIGH runtime CVEs unless reachability is documented.
  • License compatibility verification: checks SPDX identifiers and compatibility with distribution obligations, including legal review triggers for GPL/AGPL-family licenses.
  • Supply-chain health and install-script scrutiny: evaluates maintainer activity, security posture, install/postinstall hooks, and supply-chain integrity signals.
  • Lockfile and SBOM correctness enforcement: ensures deterministic installs via frozen/fixed lockfiles and requires SBOM regeneration to maintain traceability.

Quick Start

Use this capability to review any dependency addition, upgrade, downgrade, removal, vendoring, lockfile change, or dependency-update PR by producing a documented risk report that covers vulnerabilities, licenses, transitive impact, lockfile integrity, and SBOM updates.

Dependency Matrix

Required Modules

None required

Components

references

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: dependency-vulnerability-scanning
Download link: https://github.com/machenjie/rd-skills/archive/main.zip#dependency-vulnerability-scanning

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
