Built for the dev tool ecosystem
Drop in a dependency file. Get answers.
This is the actual scanner. Files never leave the request: the manifest is parsed in the request handler, the package name and version pairs it contains are checked against OSV.dev, and the result comes straight back in the response. Nothing is kept unless you choose to save the scan to a project.
Drag and drop a dependency file
or click anywhere here to browse
Accepted files: package.json, yarn.lock, pnpm-lock.yaml, bun.lock, pom.xml, build.gradle, requirements.txt, Pipfile.lock, poetry.lock, pyproject.toml, composer.lock, Cargo.lock, go.sum, Gemfile.lock, .csproj, Package.resolved, pubspec.lock, mix.lock, conanfile.txt
Built for developers who don't want another security tool to babysit.
Every feature exists because we asked devs what they actually use, then deleted everything else.
No repo connection required
Drag a pom.xml, package.json, or requirements.txt onto the page. No OAuth, no GitHub permissions, no legal review.
Real-time CVE data
Powered by Google's OSV.dev, which aggregates the GitHub Advisory Database together with the other per-ecosystem advisory feeds, and is queried live on every scan. No stale local DB, no sync issues.
Multi-ecosystem from day one
One tool for Java, JavaScript, Python, PHP, Rust — and more on the way. Stop juggling five scanners.
API scanning without repo access
Scan from the dashboard or POST a manifest to /api/scan. Use API keys for CI without granting repository OAuth.
Fix guidance with exact versions
Find the vulnerable package, affected range, fixed versions, and advisory links without pretending to rewrite your repo.
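The two features above rest on a single lookup: turn each pinned dependency into an OSV.dev query, then read the affected ranges out of the returned record. The block below is an added example, not Depvion's implementation, showing that lookup end to end for a requirements.txt: it builds the JSON body that OSV.dev's documented querybatch endpoint expects and walks an OSV record's affected ranges and events to report the affected range, the first fixed version and the advisory links for one installed version. The requirements text and the OSV record are constructed samples (the package demo-lib and the ID OSV-EXAMPLE-0001 are not real), and the version comparator is a deliberate simplification that a real scanner would replace with ecosystem rules.

```python
"""Added example (not Depvion's own code): from pinned requirements.txt lines to an
OSV.dev querybatch request, and from an OSV record to concrete fix guidance."""
import json
import re

# Documented OSV.dev batch endpoint; bodies are {"queries": [{"package": {...}, "version": ...}]}
OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Only exact pins ("name==1.2.3") give OSV a concrete version to check.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.+-]*)")


def parse_requirements(text):
    """Return [(normalised_name, version)] for exactly pinned lines.
    Comments, blank lines, option lines (-r, --hash) and range specifiers are skipped."""
    pins = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = PIN_RE.match(line)
        if m:
            # PEP 503 normalisation: case-insensitive, runs of [-_.] collapse to "-"
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
            pins.append((name, m.group(2)))
    return pins


def querybatch_payload(pins, ecosystem="PyPI"):
    """Body for POST /v1/querybatch: one query per pinned package."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in pins]}


def _vkey(version):
    # Simplified comparator: numeric dotted releases only. A real scanner must
    # apply ecosystem rules (PEP 440 for PyPI, SemVer for npm, ...).
    return tuple(int(p) for p in re.findall(r"\d+", version))


def fix_guidance(vuln, name, version, ecosystem="PyPI"):
    """Return fix guidance if name@version falls inside one of the record's affected
    ranges, else None. OSV events are ordered: an "introduced" event opens a range and
    the next "fixed" event closes it; a range with no "fixed" is still open."""
    for aff in vuln.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue  # GIT ranges hold commit hashes, not package versions
            introduced = None
            for ev in rng.get("events", []):
                if "introduced" in ev:
                    introduced = ev["introduced"]
                elif "fixed" in ev and introduced is not None:
                    if _vkey(introduced) <= _vkey(version) < _vkey(ev["fixed"]):
                        return _report(vuln, introduced, ev["fixed"])
                    introduced = None
            if introduced is not None and _vkey(introduced) <= _vkey(version):
                return _report(vuln, introduced, None)  # affected, no fix published yet
    return None


def _report(vuln, introduced, fixed):
    return {
        "id": vuln["id"],
        "aliases": vuln.get("aliases", []),
        "affected_range": f">={introduced},<{fixed}" if fixed else f">={introduced}",
        "fixed_version": fixed,
        "advisory_urls": [r["url"] for r in vuln.get("references", []) if r.get("type") == "ADVISORY"],
    }


def scan(requirements_text, vulns, ecosystem="PyPI"):
    """Pair every pin with every record. In production `vulns` comes from the
    querybatch response followed by GET /v1/vulns/{id} for each returned ID."""
    pins = parse_requirements(requirements_text)
    return [dict(package=n, version=v, **g)
            for n, v in pins for vuln in vulns
            if (g := fix_guidance(vuln, n, v, ecosystem))]


# Constructed sample input, not a real project.
SAMPLE_REQUIREMENTS = """\
# constructed sample
Demo_Lib==1.4.2       # exact pin -> queried
other-lib>=2.0        # range specifier -> skipped
-r base.txt
"""

# Constructed record in OSV schema; OSV-EXAMPLE-0001 and demo-lib are not real.
# Real records carry CVE/GHSA identifiers under "aliases".
SAMPLE_VULN = {
    "id": "OSV-EXAMPLE-0001",
    "aliases": [],
    "summary": "constructed: command injection in template rendering",
    "affected": [
        {"package": {"ecosystem": "npm", "name": "demo-lib"},   # other ecosystem -> ignored
         "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "9.9.9"}]}]},
        {"package": {"ecosystem": "PyPI", "name": "demo-lib"},
         "ranges": [{"type": "ECOSYSTEM",
                     "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.3"}]}]},
    ],
    "references": [{"type": "ADVISORY", "url": "https://example.invalid/advisory/OSV-EXAMPLE-0001"}],
}

if __name__ == "__main__":
    print(json.dumps(querybatch_payload(parse_requirements(SAMPLE_REQUIREMENTS)), indent=2))
    for f in scan(SAMPLE_REQUIREMENTS, [SAMPLE_VULN]):
        print(f"{f['package']}@{f['version']} affected ({f['affected_range']}); "
              f"upgrade to {f['fixed_version']}: {f['id']}")
```

Two details matter in practice. Unpinned specifiers are skipped rather than guessed, because OSV answers for one concrete version; a lockfile is the better input when you have one. And an open range (an "introduced" with no later "fixed") is still reported, with no fix version, so an affected package without a published fix does not silently vanish from the results.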
Deployment-ready web app
The production stack runs on Next.js, Postgres, Redis, and nginx with Docker Compose for straightforward private deployments.
Trend tracking that proves ROI
"You had 23 vulns last month, now you have 4." A single health score per project.
CycloneDX SBOM export
Export saved project dependencies and vulnerabilities as CycloneDX 1.5 for inventory and review workflows.
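For teams that consume rather than produce the export, it helps to see what a CycloneDX 1.5 document carrying vulnerability data looks like. The block below is an added example, not Depvion's export code: it lists dependencies as components keyed by package-url, attaches findings as CycloneDX vulnerabilities that point back at those components through bom-ref, and handles the purl encoding rules that trip up hand-rolled exporters (npm scopes and Maven group IDs are namespaces, and an "@" inside a namespace must be percent-encoded). The dependency list, the finding and the `url` field on it are constructed sample data; the finding's field names are an assumption for this example, not the scanner's response format.

```python
"""Added example (not Depvion's export code): a minimal CycloneDX 1.5 JSON BOM with
components for each dependency and vulnerabilities that reference them by bom-ref."""
import json
import uuid
from urllib.parse import quote

# package-url types for the ecosystems on this page (purl spec)
PURL_TYPE = {"npm": "npm", "Maven": "maven", "PyPI": "pypi", "Packagist": "composer",
             "crates.io": "cargo", "Go": "golang", "RubyGems": "gem", "NuGet": "nuget"}


def purl(ecosystem, name, version):
    """Build a package-url. Maven "group:artifact" and npm "@scope/name" put the first
    part in the purl namespace, where "@" must be percent-encoded as %40."""
    ptype = PURL_TYPE[ecosystem]
    if ecosystem == "Maven":
        group, artifact = name.split(":", 1)
        return f"pkg:{ptype}/{group}/{artifact}@{version}"
    if ecosystem == "npm" and name.startswith("@"):
        scope, bare = name[1:].split("/", 1)
        return f"pkg:{ptype}/{quote('@' + scope)}/{bare}@{version}"
    if ecosystem == "PyPI":
        name = name.lower().replace("_", "-")  # purl pypi rule: lowercase, "_" -> "-"
    return f"pkg:{ptype}/{name}@{version}"


def to_cyclonedx(project, project_version, deps, findings):
    """deps: [(ecosystem, name, version)]. findings: dicts with package, version,
    ecosystem, id, severity, fixed_version, url (an assumed shape for this example)."""
    refs, components = {}, []
    for eco, name, ver in deps:
        p = purl(eco, name, ver)
        refs[(eco, name, ver)] = p  # the purl is unique per component, so it doubles as bom-ref
        components.append({"type": "library", "bom-ref": p, "name": name, "version": ver, "purl": p})
    vulns = []
    for f in findings:
        key = (f["ecosystem"], f["package"], f["version"])
        if key not in refs:
            continue  # a vulnerability must point at a component that exists in the BOM
        vulns.append({
            "id": f["id"],
            "source": {"name": "OSV", "url": f["url"]},
            "ratings": [{"severity": f["severity"].lower(), "method": "other"}],
            "recommendation": (f"Upgrade to {f['fixed_version']}" if f.get("fixed_version")
                               else "No fixed version published"),
            "affects": [{"ref": refs[key]}],
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": project, "version": project_version}},
        "components": components,
        "vulnerabilities": vulns,
    }


# Constructed sample data: packages, versions and the finding are illustrative only.
SAMPLE_DEPS = [("npm", "@acme/widgets", "2.1.0"),
               ("PyPI", "Demo_Lib", "1.4.2"),
               ("Maven", "org.example:lib", "3.0.1")]
SAMPLE_FINDINGS = [{"ecosystem": "PyPI", "package": "Demo_Lib", "version": "1.4.2",
                    "id": "OSV-EXAMPLE-0001", "severity": "HIGH", "fixed_version": "1.4.3",
                    "url": "https://example.invalid/advisory/OSV-EXAMPLE-0001"}]

if __name__ == "__main__":
    print(json.dumps(to_cyclonedx("my-app", "0.1.0", SAMPLE_DEPS, SAMPLE_FINDINGS), indent=2))
```

A finding whose component is absent from the BOM is dropped rather than emitted with a dangling ref, since downstream tools validate that every `affects.ref` resolves to a bom-ref in the same document.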
Supply-chain risk signals
Cooldown periods, maintainer risk, and install-script detection are roadmap items; current scans focus on OSV-backed vulnerabilities.
One tool. Every package manager that matters.
Depvion treats all major ecosystems as first-class citizens — same UX, same speed, same depth.
npm: package.json
Maven: pom.xml
PyPI: requirements.txt
Composer: composer.lock
Cargo: Cargo.lock
Go: go.sum (Soon)
RubyGems: Gemfile.lock (Soon)
NuGet: .csproj (Soon)
Automated scans. No repo token.
Create an API key and post a dependency manifest from CI, scripts, or internal tooling. The scanner does not need repository OAuth to return vulnerability results.
```
curl -X POST https://depvion.com/api/scan -F [email protected]

POST /api/scan { filename, content }
Authorization: Bearer dp_live_...
```
- Multipart and JSON request support
- API keys for CI and internal tools
- Dashboard history for saved projects
- CycloneDX SBOM export from saved dependencies
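The curl line above is the one-shot form. In CI you also want the key read from a secret rather than the repo, the JSON variant for runners without a multipart-capable client, and a build that fails only above a chosen severity. The block below is an added example of that wiring, not Depvion's client: the request shape (JSON body with filename and content, Bearer API key, the dp_live_ key prefix) follows the page, while the response fields read in gate() and the DEPVION_API_KEY and FAIL_ON variable names are assumptions for this example. The sample response is constructed.

```python
"""Added example (not Depvion's code): post a manifest to /api/scan from CI with an API
key taken from the environment, then fail the job above a severity threshold.
The response shape read by gate() is an ASSUMPTION; adapt it to the real API output."""
import json
import os
import sys
import urllib.request

SCAN_URL = "https://depvion.com/api/scan"
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the assumed response shape, so the gate can be exercised offline.
SAMPLE_RESPONSE = {"vulnerabilities": [
    {"package": "demo-lib", "version": "1.4.2", "id": "OSV-EXAMPLE-0001",
     "severity": "CRITICAL", "fixed_version": "1.4.3"},
    {"package": "other-lib", "version": "0.1.0", "id": "OSV-EXAMPLE-0002",
     "severity": "LOW", "fixed_version": None},
]}


def build_request(manifest_path, content, api_key):
    """JSON variant of POST /api/scan. Only the file's basename is sent, and the key
    comes from a CI secret (DEPVION_API_KEY here), never from a file in the repo."""
    if not api_key:
        raise ValueError("DEPVION_API_KEY is not set")
    body = json.dumps({"filename": os.path.basename(manifest_path), "content": content}).encode()
    return urllib.request.Request(
        SCAN_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})


def gate(findings, fail_on="HIGH"):
    """Return (exit_code, report_lines): exit 1 when any finding is at or above
    fail_on, so a LOW-only result does not block a deploy but a HIGH does."""
    threshold = SEVERITY_RANK[fail_on.upper()]

    def rank(f):
        return SEVERITY_RANK.get(str(f.get("severity", "")).upper(), 0)

    ordered = sorted(findings, key=rank, reverse=True)
    lines = [f"{f['severity']:<8} {f['package']}@{f['version']}  {f['id']}  "
             f"fix: {f.get('fixed_version') or 'none published'}" for f in ordered]
    blocking = sum(1 for f in findings if rank(f) >= threshold)
    lines.append(f"{blocking} finding(s) at or above {fail_on.upper()}")
    return (1 if blocking else 0), lines


def main(argv):
    fail_on = os.environ.get("FAIL_ON", "HIGH")
    if len(argv) > 1 and argv[1] == "--sample":
        result = SAMPLE_RESPONSE  # offline run against the constructed sample
    else:
        manifest = argv[1] if len(argv) > 1 else "package.json"
        with open(manifest, encoding="utf-8") as fh:
            req = build_request(manifest, fh.read(), os.environ.get("DEPVION_API_KEY", ""))
        with urllib.request.urlopen(req, timeout=60) as resp:  # the only network call
            result = json.load(resp)
    code, lines = gate(result.get("vulnerabilities", []), fail_on)
    print("\n".join(lines))
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_gate.py package.json` in a CI step with DEPVION_API_KEY set as a secret, or `python scan_gate.py --sample` to see the gate's output without a network call. Keeping the threshold in FAIL_ON lets a team start at CRITICAL and tighten to HIGH once the backlog is cleared, without editing the pipeline.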
```
$ curl -s https://depvion.com/api/scan -F [email protected]

🛡️ Depvion Scan
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Project: my-app
Dependencies: 47 total
Score: 62 / 100 (was 45 last scan)

🔴 CRITICAL (2)
┌────────────────────────────────────────┐
│ [email protected]                    │
│ CVE-2021-23337 Command Injection       │
│ → npm install [email protected]        │
├────────────────────────────────────────┤
│ [email protected]                    │
│ CVE-2021-3749 ReDoS                    │
│ → npm install [email protected]        │
└────────────────────────────────────────┘
🟡 HIGH (3)
🟢 MEDIUM (7)
⚪ LOW (1)
```
Honest comparison. No marketing massage.
Every other tool here is a great product. Here's where we structurally differ.
| Capability | Depvion | Snyk | Dependabot | Socket | Aikido |
|---|---|---|---|---|---|
| No repo connection required | optional | ||||
| Real free tier (no card, no demo) | limited | 1k/mo | |||
| Flat pricing (not per-dev) | |||||
| Private deployment | Docker | limited | |||
| API key scanning | |||||
| EU CRA compliance reports | soon | ||||
| Multi-ecosystem | 5 → 10 | 13 | 25 | JS-heavy | 12 |
Things devs actually ask us.
No. Depvion's wedge is exactly that you don't have to. Drag a dependency file onto the page and we'll scan it. If you want continuous monitoring, you can save the scan to your account — still no repo OAuth required.