Lockfile-first scanner for compromised npm/PyPI/Maven/Cargo/Go/RubyGems packages — OSV + curated extras feed, SLSA L3, locked-container CI
Updated May 5, 2026 - Python
🛡️ Blazing fast Supply Chain Security tool written in Rust. Features ephemeral sandboxing, hybrid analysis (CVE + Heuristics), and entropy-based malware detection.
Real-time npm/PyPI supply-chain threat detection. Behavioral chain analysis, AST scanning, IOC feeds, and compound scoring engine.
GuOx: Ultimate enterprise‑grade, AI & WASM‑powered Express security framework.
Open-source local dependency and vulnerability scanner for Java (Maven/Gradle) and JavaScript (npm) projects.
Supply-chain security CLI for npm/bun/yarn/pnpm — install gate + lockfile snapshots + AST risk scoring
Paste your manifest. Get back the fixed files. Free browser-based dependency security fixer — npm, PyPI, Ruby, PHP. No login. No CLI.
AI-powered open source license compliance scanner. Analyzes how dependencies are actually used — not just what license they have — to determine if obligations trigger for your distribution model. Multi-agent AI pipeline, MCP server for Claude Code integration, and structured output for AI assistants. Zero API keys needed for local use.
Cross-ecosystem dependency security scanner. Detects the axios RAT supply chain attack and similar threats. 4-layer detection: AST analysis, behavioral fingerprinting, dep graph profiling, registry metadata. Scans npm/PyPI/Cargo/Brew. Zero dependencies.
Multi-ecosystem SBOM scanner with interactive HTML report, dependency tree, and CVE scanning. Supports npm, PyPI, Dart, Maven/Gradle, Rust/Cargo.
Ubel is a fast, cross-ecosystem security engine that resolves dependencies, generates PURLs, scans them through OSV.dev, and enforces security policies during installation to prevent supply-chain attacks. It works with: PyPI (via ubel-pip), npm (via ubel-npm), and Linux distributions (Ubuntu-based, Debian-based, RHEL, AlmaLinux).
Offline supply chain security scanner. Detects malicious packages, typosquatting, compromised dependencies, and unsafe CI configurations across npm, pip, Cargo, NuGet, and Maven. Zero dependencies. AI/MCP-ready.
Detect dependency confusion attack vectors in Node.js projects
Open-source CLI and GitHub Action that scans npm dependencies for malicious code via the Manticore behavioral-analysis service
Open Source Dependency License Auditor — Multi-agent GenAI system for automated license compliance analysis
CLI for depscope.dev — audit deps before install
Predictive dependency security engine. Trust Scores for npm/Python packages. Detects zombies, typosquats, and supply chain risks before they become CVEs.
Catch supply chain attacks before npm install finishes
Git Seer is a powerful CLI tool that provides instant insights into any public GitHub repository.
Multi-validator dependency security with Byzantine consensus