What Depenemy detects
- Supply Chain Risks: Detects install scripts running at install time, archived/deleted repos, dependency confusion attacks, and packages with a history of malicious activity.
- Reputation Signals: Flags young author accounts, new or freshly-published packages, suspiciously low download counts, and typosquatting candidates.
- Behavioral Issues: Catches unpinned versions, range specifiers that allow unexpected updates, missing lockfiles, and versions lagging significantly behind latest.
- Multi-Ecosystem: Supports npm / Node.js, Python (requirements.txt, pyproject.toml, Pipfile), Rust (Cargo.toml), and Solidity (Foundry / Hardhat).
- SARIF & CI Output: Native SARIF 2.1.0 output uploads directly to the GitHub Security tab. JSON and table formats available for custom integrations and CI logs.
- GitHub Action: Drop-in depenemy-action for CI/CD pipelines. Scans on every push and pull request, surfaces findings as Code Scanning alerts in your Security tab.
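The "Behavioral Issues" and "SARIF & CI Output" items above describe a detection (flag dependencies whose version is not fixed) and an output format (SARIF 2.1.0, the log format GitHub Code Scanning ingests). The following added example, written here for illustration and not Depenemy's own code, shows both ends of that pipeline on a constructed requirements.txt: it flags unpinned entries and range specifiers, then wraps the findings in a minimal SARIF 2.1.0 document. The tool name, rule ids, messages and the sample input are all assumptions made for the example.

```python
"""Added example (not Depenemy's code): flag unpinned Python requirements and
emit the findings as a minimal SARIF 2.1.0 log. Tool name, rule ids, messages
and the sample requirements file are constructed for illustration."""
import json
import re

# Constructed sample requirements.txt (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
# pinned exactly: fine
requests==2.31.0
# lower bound only: any future release can be pulled in
urllib3>=1.26
# compatible-release operator: minor/patch updates allowed
flask~=2.3
# no specifier at all: resolves to whatever is latest
pyyaml
# environment marker, still pinned
numpy==1.26.4; python_version >= "3.9"
"""

# project name, then an optional version operator and version; markers/comments ignored
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:([<>=!~]+)\s*([^;\s#]+))?")


def find_unpinned(text):
    """Return (line_no, name, rule_id, message) for every requirement whose
    version is not fixed with '==' (or the arbitrary-equality '===')."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or option lines (-r, -e)
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.group(1), m.group(2), m.group(3)
        if op in ("==", "==="):
            continue
        if op is None:
            findings.append((line_no, name, "unpinned-version",
                             f"{name} has no version specifier; resolves to latest"))
        else:
            findings.append((line_no, name, "range-specifier",
                             f"{name}{op}{ver} allows unexpected updates"))
    return findings


def to_sarif(findings, path="requirements.txt"):
    """Wrap findings in a minimal SARIF 2.1.0 log (one run, one result per finding)."""
    results = [
        {
            "ruleId": rule_id,
            "level": "warning",
            "message": {"text": message},
            "locations": [{
                "physicalLocation": {
                    "artifactLocation": {"uri": path},
                    "region": {"startLine": line_no},
                }
            }],
        }
        for line_no, _name, rule_id, message in findings
    ]
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": "example-dep-scanner",  # constructed name, not Depenemy
                "rules": [
                    {"id": "unpinned-version",
                     "shortDescription": {"text": "Dependency has no version specifier"}},
                    {"id": "range-specifier",
                     "shortDescription": {"text": "Version range allows unexpected updates"}},
                ],
            }},
            "results": results,
        }],
    }


if __name__ == "__main__":
    print(json.dumps(to_sarif(find_unpinned(SAMPLE_REQUIREMENTS)), indent=2))
```

Run as a script it prints a SARIF log with three results (the `>=`, `~=` and bare entries); the pinned lines, including the one with an environment marker, produce nothing. The `region.startLine` values are what let a Code Scanning alert point at the offending line in the file.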
Architecture
How Depenemy scans dependencies and surfaces findings in CI.
Add to your CI in 5 lines
Drop this workflow into your repo to block unsafe dependencies before they merge. Results surface as Code Scanning alerts in your GitHub Security tab automatically.
Get it on GitHub Marketplace →

name: Depenemy scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: W3OSC/depenemy-action@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          fail-on: error