
DepGuard - Dependency Vulnerability Scanner


Scan your dependencies for known vulnerabilities over OSV.dev and flag the ones CISA lists as actively exploited, so you patch the dangerous bugs first. Packages or a lockfile in, normalized vulnerability rows out. No API key, standby ready.

Pricing: Pay per usage
Rating: 0.0 (0)
Developer: George Kioko (Maintained by Community)
Actor stats: 0 bookmarked, 1 total users, 0 monthly active users
Last modified: 12 days ago

Scan your project dependencies for known vulnerabilities and find out which ones attackers are actually exploiting right now. DepGuard checks each package against the OSV.dev advisory database, then cross-references every finding against the CISA Known Exploited Vulnerabilities catalog so you can fix the dangerous ones first. No API key, no sign-up.

What does DepGuard do?

Most scanners hand you a wall of vulnerabilities with no sense of priority. DepGuard adds the signal that matters: whether a vulnerability is on the CISA list of bugs being exploited in the wild. A medium severity bug that attackers are using beats a high severity one nobody has touched. DepGuard flags both so you patch in the right order.

What data does it return?

  • package, version, ecosystem - the dependency that was checked
  • vuln_id - the OSV advisory id (GHSA, PYSEC, GO, etc.)
  • cves / aliases - linked CVE identifiers
  • summary - what the vulnerability is
  • severity / cvss_vector - qualitative severity and the CVSS string when published
  • fixed_version - the first version that resolves the issue
  • kev_exploited - true when CISA lists it as actively exploited
  • kev_date_added, kev_due_date, kev_known_ransomware - exploit context for prioritization
  • references - advisory and patch links

Use cases

  1. Pre-deploy gate - scan your lockfile in CI and block the build if any exploited (KEV) vulnerability is present.
  2. Agent security tool - an AI coding agent calls DepGuard over MCP to check a dependency before adding it.
  3. Portfolio audit - feed a list of packages across many repos and get one normalized vulnerability table.
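The prioritization rule described above (a medium-severity bug on the CISA list outranks a critical one nobody is exploiting) and the pre-deploy gate from use case 1 can both be implemented over the normalized rows DepGuard returns. The following is an added example, not code from the DepGuard project. It constructs three sample rows in the documented field shape; the first mirrors the page's output example, while EXAMPLE-KEV-0002 and EXAMPLE-0003 are placeholder identifiers, not real advisories. Rows are ordered KEV first, then known ransomware use, then qualitative severity, then the nearest CISA due date; the gate fails on any KEV match and, optionally, on any row at or above a severity threshold. The page does not state the type of kev_known_ransomware, so the example assumes either a boolean or CISA's "Known"/"Unknown" string.

```python
import json
from typing import Any, Dict, List, Optional

Row = Dict[str, Any]

# Qualitative severities as DepGuard reports them; anything else ranks lowest.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample rows in DepGuard's normalized shape. The first row mirrors
# the page's output example; the other two are placeholders, not real advisories.
SAMPLE_ROWS: List[Row] = [
    {"package": "lodash", "version": "4.17.15", "ecosystem": "npm",
     "vuln_id": "GHSA-p6mc-m468-83gw", "cves": ["CVE-2020-8203"],
     "summary": "Prototype pollution in lodash", "severity": "HIGH",
     "fixed_version": "4.17.20", "kev_exploited": False,
     "kev_date_added": None, "kev_due_date": None, "kev_known_ransomware": None},
    {"package": "examplelib", "version": "1.2.3", "ecosystem": "PyPI",
     "vuln_id": "EXAMPLE-KEV-0002", "cves": [],
     "summary": "placeholder: exploited in the wild", "severity": "MEDIUM",
     "fixed_version": "1.2.4", "kev_exploited": True,
     "kev_date_added": "2024-01-10", "kev_due_date": "2024-01-31",
     "kev_known_ransomware": "Known"},
    {"package": "otherlib", "version": "0.9.0", "ecosystem": "npm",
     "vuln_id": "EXAMPLE-0003", "cves": [],
     "summary": "placeholder: no known exploitation", "severity": "CRITICAL",
     "fixed_version": None, "kev_exploited": False,
     "kev_date_added": None, "kev_due_date": None, "kev_known_ransomware": None},
]


def is_kev(row: Row) -> bool:
    return bool(row.get("kev_exploited"))


def known_ransomware(row: Row) -> bool:
    # Assumption: the field is either a boolean or CISA's "Known"/"Unknown" string.
    value = row.get("kev_known_ransomware")
    if isinstance(value, str):
        return value.strip().lower() == "known"
    return bool(value)


def severity_rank(row: Row) -> int:
    return SEVERITY_RANK.get(str(row.get("severity") or "").upper(), 0)


def priority_key(row: Row):
    """Sort key: KEV first, then known ransomware use, then severity, then the
    nearest CISA due date; vuln_id keeps the order deterministic."""
    return (
        0 if is_kev(row) else 1,
        0 if known_ransomware(row) else 1,
        -severity_rank(row),
        row.get("kev_due_date") or "9999-12-31",
        row.get("vuln_id", ""),
    )


def triage(rows: List[Row]) -> List[Row]:
    return sorted(rows, key=priority_key)


def upgrade_plan(rows: List[Row]) -> Dict[str, Optional[str]]:
    """Map ecosystem/package to the fixed_version of its highest-priority row
    (None means no fix has been published for that row)."""
    plan: Dict[str, Optional[str]] = {}
    for row in rows:
        plan.setdefault(f"{row['ecosystem']}/{row['package']}", row.get("fixed_version"))
    return plan


def gate(rows: List[Row], fail_on_severity: Optional[str] = None) -> Dict[str, Any]:
    """Pre-deploy gate: always fail on a KEV match; optionally also fail on any
    row whose severity is at or above fail_on_severity (e.g. "HIGH")."""
    ordered = triage(rows)
    threshold = SEVERITY_RANK.get(fail_on_severity.upper()) if fail_on_severity else None
    blocking = [
        r for r in ordered
        if is_kev(r) or (threshold is not None and severity_rank(r) >= threshold)
    ]
    return {
        "status": "fail" if blocking else "pass",
        "kev_count": sum(1 for r in ordered if is_kev(r)),
        "blocking": [r["vuln_id"] for r in blocking],
        "order": [r["vuln_id"] for r in ordered],
        "upgrades": upgrade_plan(blocking),
    }


if __name__ == "__main__":
    report = gate(SAMPLE_ROWS)
    print(json.dumps(report, indent=2))
    raise SystemExit(1 if report["status"] == "fail" else 0)
```

Run as a script it exits non-zero when the gate fails, which is what a CI step needs; in a pipeline the SAMPLE_ROWS would be replaced by the rows returned from a DepGuard run.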

How to use

Three ways to provide input:

  1. A list of packages - set packages to [{"name":"lodash","version":"4.17.15","ecosystem":"npm"}].
  2. A lockfile - paste the full contents of a package-lock.json or requirements.txt into lockfile and set lockfileType. Every pinned dependency is scanned.
  3. A single package - set name, version, and ecosystem for a quick one-off check.

Supported ecosystems include npm, PyPI, Go, Maven, RubyGems, crates.io, NuGet, Packagist, and more (anything OSV indexes).
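Input option 2 hands DepGuard a raw lockfile, while option 1 takes explicit {"name","version","ecosystem"} entries. As an added example (not DepGuard's own code), the following converts the two lockfile formats the page names into the packages shape from option 1, so the same list can be built locally, deduplicated across many repositories for a portfolio audit, and submitted once. The requirements.txt and package-lock.json contents are constructed samples. The parser keeps only exactly pinned (==) Python requirements, since DepGuard scans pinned versions, and for npm it handles the lockfileVersion 2/3 packages map (nested node_modules paths and scoped packages included) as well as the older lockfileVersion 1 dependencies tree. The lockfile type labels used by to_packages are this example's own, not DepGuard's lockfileType values.

```python
import json
import re
from typing import Dict, List

# Constructed sample inputs (not from the page).
SAMPLE_REQUIREMENTS = """\
# pinned Python deps
requests==2.25.1
urllib3==1.26.4  # trailing comment
Django>=3.2      # not exactly pinned: skipped, there is no single version to scan
"""

SAMPLE_PACKAGE_LOCK_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.15"},
        "node_modules/@babel/core": {"version": "7.12.0"},
        "node_modules/@babel/core/node_modules/semver": {"version": "5.7.1"},
    },
})

SAMPLE_PACKAGE_LOCK_V1 = json.dumps({
    "name": "legacy-app",
    "lockfileVersion": 1,
    "dependencies": {
        "lodash": {"version": "4.17.15"},
        "express": {"version": "4.17.1",
                    "dependencies": {"debug": {"version": "2.6.9"}}},
    },
})

# name==version, stopping the version at whitespace, a marker (;) or a comment (#)
PINNED_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_requirements(text: str) -> List[Dict[str, str]]:
    """Return DepGuard-style package entries for every exactly pinned line."""
    packages = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = PINNED_RE.match(line)
        if match is None:
            continue  # ranges, URLs, editable installs: nothing exact to scan
        packages.append({"name": match.group(1), "version": match.group(2), "ecosystem": "PyPI"})
    return packages


def parse_package_lock(text: str) -> List[Dict[str, str]]:
    """Return package entries from an npm package-lock.json (v1, v2 or v3)."""
    lock = json.loads(text)
    packages: List[Dict[str, str]] = []
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path or "version" not in meta:
                continue  # "" is the root project itself
            # nested installs: the package name is what follows the last node_modules/
            name = path.rsplit("node_modules/", 1)[-1]
            packages.append({"name": name, "version": meta["version"], "ecosystem": "npm"})
    else:  # lockfileVersion 1: recursive "dependencies" tree
        def walk(deps: Dict[str, dict]) -> None:
            for name, meta in deps.items():
                packages.append({"name": name, "version": meta["version"], "ecosystem": "npm"})
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return packages


def dedupe(packages: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Collapse identical (ecosystem, name, version) triples across repositories."""
    seen, out = set(), []
    for pkg in packages:
        key = (pkg["ecosystem"], pkg["name"], pkg["version"])
        if key not in seen:
            seen.add(key)
            out.append(pkg)
    return out


def to_packages(text: str, lockfile_type: str) -> List[Dict[str, str]]:
    """Dispatch on a lockfile type label; the labels here are this example's own."""
    if lockfile_type == "requirements.txt":
        return parse_requirements(text)
    if lockfile_type == "package-lock.json":
        return parse_package_lock(text)
    raise ValueError(f"unsupported lockfile type: {lockfile_type}")
```

The resulting list is exactly the shape of the packages input in option 1, so one audit run can cover dependencies gathered from several lockfiles at once.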

Standby / API mode

DepGuard runs as an always-on API. Example:

GET /scan?name=lodash&version=4.17.15&ecosystem=npm

Returns the same normalized vulnerability rows as a JSON response.

Output example

{
  "package": "lodash",
  "version": "4.17.15",
  "ecosystem": "npm",
  "vuln_id": "GHSA-p6mc-m468-83gw",
  "cves": ["CVE-2020-8203"],
  "summary": "Prototype pollution in lodash",
  "severity": "HIGH",
  "fixed_version": "4.17.20",
  "kev_exploited": false,
  "references": ["https://github.com/advisories/GHSA-p6mc-m468-83gw"]
}

Pricing

Pay per event:

  • Actor start - $0.25 per batch run
  • Package scanned - $0.01 per dependency checked
  • Vulnerability found - $0.02 per known vulnerability returned
  • Exploited vulnerability alert - $0.05 per CISA actively exploited match

Clean packages cost only the per-package scan fee, so a healthy project is cheap to verify.

Data sources

OSV.dev (the Google-led open vulnerability database) and the CISA Known Exploited Vulnerabilities catalog. Both are public and free. DepGuard normalizes them into one consistent shape.

FAQ

Does it need access to my private code? No. You provide package names and versions, or a lockfile. No source code is read.

How fresh is the data? OSV and CISA KEV are queried live on every run.

What if a package has no known vulnerabilities? It is reported as clean and only the per-package scan fee applies.