DepGuard - Dependency Vulnerability Scanner
Pricing
Pay per usage
Scan your dependencies for known vulnerabilities over OSV.dev and flag the ones CISA lists as actively exploited, so you patch the dangerous bugs first. Packages or a lockfile in, normalized vulnerability rows out. No API key, standby ready.
Developer: George Kioko
Maintained by Community
Scan your project dependencies for known vulnerabilities and find out which ones attackers are actually exploiting right now. DepGuard checks each package against the OSV.dev advisory database, then cross-references every finding against the CISA Known Exploited Vulnerabilities catalog so you can fix the dangerous ones first. No API key, no sign-up.
What does DepGuard do?
Most scanners hand you a wall of vulnerabilities with no sense of priority. DepGuard adds the signal that matters: whether a vulnerability is on the CISA list of bugs being exploited in the wild. A medium severity bug that attackers are using beats a high severity one nobody has touched. DepGuard flags both so you patch in the right order.
What data does it return?
- package, version, ecosystem - the dependency that was checked
- vuln_id - the OSV advisory id (GHSA, PYSEC, GO, etc.)
- cves / aliases - linked CVE identifiers
- summary - what the vulnerability is
- severity / cvss_vector - qualitative severity and the CVSS string when published
- fixed_version - the first version that resolves the issue
- kev_exploited - true when CISA lists it as actively exploited
- kev_date_added, kev_due_date, kev_known_ransomware - exploit context for prioritization
- references - advisory and patch links
Use cases
- Pre-deploy gate - scan your lockfile in CI and block the build if any exploited (KEV) vulnerability is present.
- Agent security tool - an AI coding agent calls DepGuard over MCP to check a dependency before adding it.
- Portfolio audit - feed a list of packages across many repos and get one normalized vulnerability table.
How to use
Three ways to provide input:
- A list of packages - set packages to [{"name":"lodash","version":"4.17.15","ecosystem":"npm"}].
- A lockfile - paste the full contents of a package-lock.json or requirements.txt into lockfile and set lockfileType. Every pinned dependency is scanned.
- A single package - set name, version, and ecosystem for a quick one-off check.
Supported ecosystems include npm, PyPI, Go, Maven, RubyGems, crates.io, NuGet, Packagist, and more (anything OSV indexes).
Standby / API mode
DepGuard runs as an always-on API. Example:
GET /scan?name=lodash&version=4.17.15&ecosystem=npm
Returns the same normalized vulnerability rows as a JSON response.
Output example
{
  "package": "lodash",
  "version": "4.17.15",
  "ecosystem": "npm",
  "vuln_id": "GHSA-p6mc-m468-83gw",
  "cves": ["CVE-2020-8203"],
  "summary": "Prototype pollution in lodash",
  "severity": "HIGH",
  "fixed_version": "4.17.20",
  "kev_exploited": false,
  "references": ["https://github.com/advisories/GHSA-p6mc-m468-83gw"]
}
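The pre-deploy gate from the Use cases section, implemented over rows in the output shape above. This is an added example, not DepGuard's own code: it orders findings so KEV matches (and, among them, known ransomware use) come before plain severity, and fails the build when any KEV match is present. The second sample row is constructed with placeholder identifiers to show a medium-severity KEV entry outranking a high-severity non-KEV one.

```python
"""CI gate over DepGuard-style rows: KEV first, then severity; fail on KEV."""
import json
import sys

# Rank for the qualitative severity field; unknown values sort last.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def sort_key(row):
    # KEV-listed findings outrank everything regardless of severity; among
    # KEV rows, known ransomware use comes first, then CVSS-style severity.
    kev = bool(row.get("kev_exploited"))
    ransomware = row.get("kev_known_ransomware") in (True, "Known")
    sev = SEVERITY_RANK.get(str(row.get("severity", "")).upper(), 4)
    return (0 if kev else 1, 0 if ransomware else 1, sev, row.get("package", ""))


def prioritize(rows):
    """Return rows ordered so the most urgent patch is first."""
    return sorted(rows, key=sort_key)


def gate(rows, fail_on="kev"):
    """Return (exit_code, ordered_rows): 1 blocks the build.
    fail_on="kev" blocks only on CISA KEV matches; "any" blocks on any finding."""
    ordered = prioritize(rows)
    if fail_on == "any":
        blocked = len(ordered) > 0
    else:
        blocked = any(r.get("kev_exploited") for r in ordered)
    return (1 if blocked else 0), ordered


# Constructed sample rows in DepGuard's documented shape (not real scan output).
SAMPLE_ROWS = [
    {"package": "lodash", "version": "4.17.15", "ecosystem": "npm",
     "vuln_id": "GHSA-p6mc-m468-83gw", "cves": ["CVE-2020-8203"],
     "summary": "Prototype pollution in lodash", "severity": "HIGH",
     "fixed_version": "4.17.20", "kev_exploited": False},
    {"package": "examplelib", "version": "1.0.0", "ecosystem": "PyPI",
     "vuln_id": "PLACEHOLDER-ADVISORY-ID", "cves": ["CVE-PLACEHOLDER"],
     "summary": "constructed medium-severity KEV entry", "severity": "MEDIUM",
     "fixed_version": "1.0.1", "kev_exploited": True,
     "kev_due_date": "2000-01-01", "kev_known_ransomware": "Unknown"},
]

if __name__ == "__main__":
    # Pipe a JSON array of DepGuard rows on stdin; otherwise use the sample.
    rows = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ROWS
    code, ordered = gate(rows)
    for r in ordered:
        tag = "KEV" if r.get("kev_exploited") else "   "
        print(f"{tag} {r['package']}@{r['version']} {r['vuln_id']} -> fix {r.get('fixed_version', '?')}")
    sys.exit(code)
```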
Pricing
Pay per event:
- Actor start - $0.25 per batch run
- Package scanned - $0.01 per dependency checked
- Vulnerability found - $0.02 per known vulnerability returned
- Exploited vulnerability alert - $0.05 per CISA actively exploited match
Clean packages cost only the per-package scan fee, so a healthy project is cheap to verify.
Data sources
OSV.dev (the Google-led open vulnerability database) and the CISA Known Exploited Vulnerabilities catalog. Both are public and free. DepGuard normalizes them into one consistent shape.
FAQ
Does it need access to my private code? No. You provide package names and versions, or a lockfile. No source code is read.
How fresh is the data? OSV and CISA KEV are queried live on every run.
What if a package has no known vulnerabilities? It is reported as clean and only the per-package scan fee applies.