# DepGuard - Dependency Vulnerability Scanner (`george.the.developer/depguard-dependency-vulnerability-scanner`) Actor

Scan your dependencies for known vulnerabilities over OSV.dev and flag the ones CISA lists as actively exploited, so you patch the dangerous bugs first. Packages or a lockfile in, normalized vulnerability rows out. No API key, standby ready.

- **URL**: https://apify.com/george.the.developer/depguard-dependency-vulnerability-scanner.md
- **Developed by:** [George Kioko](https://apify.com/george.the.developer) (community)
- **Categories:** Developer tools
- **Stats:** 1 total users, 0 monthly users, 0.0% runs succeeded, 0 bookmarks
- **User rating**: No ratings yet

## Pricing

Pay per usage

This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage

## What's an Apify Actor?

Actors are software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use the official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use the official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## DepGuard - Dependency Vulnerability Scanner

Scan your project dependencies for known vulnerabilities and find out which ones attackers are actually exploiting right now. DepGuard checks each package against the [OSV.dev](https://osv.dev) advisory database, then cross references every finding against the [CISA Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) catalog so you can fix the dangerous ones first. No API key, no sign up.

### What does DepGuard do?

Most scanners hand you a wall of vulnerabilities with no sense of priority. DepGuard adds the signal that matters: whether a vulnerability is on the CISA list of bugs being exploited in the wild. A medium severity bug that attackers are using beats a high severity one nobody has touched. DepGuard flags both so you patch in the right order.

### What data does it return?

- **package, version, ecosystem** - the dependency that was checked
- **vuln_id** - the OSV advisory id (GHSA, PYSEC, GO, etc.)
- **cves / aliases** - linked CVE identifiers
- **summary** - what the vulnerability is
- **severity / cvss_vector** - qualitative severity and the CVSS string when published
- **fixed_version** - the first version that resolves the issue
- **kev_exploited** - true when CISA lists it as actively exploited
- **kev_date_added, kev_due_date, kev_known_ransomware** - exploit context for prioritization
- **references** - advisory and patch links

### Use cases

1. **Pre deploy gate** - scan your lockfile in CI and block the build if any exploited (KEV) vulnerability is present.
2. **Agent security tool** - an AI coding agent calls DepGuard over MCP to check a dependency before adding it.
3. **Portfolio audit** - feed a list of packages across many repos and get one normalized vulnerability table.

### How to use

Three ways to provide input:

1. **A list of packages** - set `packages` to `[{"name":"lodash","version":"4.17.15","ecosystem":"npm"}]`.
2. **A lockfile** - paste the full contents of a `package-lock.json` or `requirements.txt` into `lockfile` and set `lockfileType`. Every pinned dependency is scanned.
3. **A single package** - set `name`, `version`, and `ecosystem` for a quick one off check.

Supported ecosystems include npm, PyPI, Go, Maven, RubyGems, crates.io, NuGet, Packagist, and more (anything OSV indexes).

### Standby / API mode

DepGuard runs as an always on API. Example:

```
GET /scan?name=lodash&version=4.17.15&ecosystem=npm
```

Returns the same normalized vulnerability rows as a JSON response.

### Output example

```json
{
  "package": "lodash",
  "version": "4.17.15",
  "ecosystem": "npm",
  "vuln_id": "GHSA-p6mc-m468-83gw",
  "cves": ["CVE-2020-8203"],
  "summary": "Prototype pollution in lodash",
  "severity": "HIGH",
  "fixed_version": "4.17.20",
  "kev_exploited": false,
  "references": ["https://github.com/advisories/GHSA-p6mc-m468-83gw"]
}
```
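
The pre-deploy gate from the use cases, sketched as an added example (not DepGuard's own code): it takes rows in the output shape above, drops clean and duplicate rows, ranks KEV-listed findings ahead of higher-severity ones nobody is exploiting, and returns a CI exit code. Assumptions: the `example-lib` / `EXAMPLE-0001` and `clean-lib` rows are constructed, `kev_known_ransomware` may be a boolean or a string such as `"Known"`, `kev_due_date` is an ISO date string, and a clean package is a row without `vuln_id`.

```python
"""CI gate over DepGuard-style rows: block on KEV hits, rank everything else."""

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "MODERATE": 2, "LOW": 1}


def _flag(value):
    # Assumption: flags may arrive as booleans or as strings such as "Known".
    if isinstance(value, str):
        return value.strip().lower() in {"true", "known", "yes"}
    return bool(value)


def _severity(row):
    # Unknown or missing severity ranks lowest instead of raising.
    return SEVERITY_RANK.get(str(row.get("severity") or "").upper(), 0)


def priority(row):
    """Sort key: exploited first, then ransomware use, due date, severity."""
    kev = _flag(row.get("kev_exploited"))
    ransomware = _flag(row.get("kev_known_ransomware"))
    # Assumption: kev_due_date is an ISO date string, so it sorts lexically.
    due = row.get("kev_due_date") or "9999-12-31"
    return (not kev, not ransomware, due, -_severity(row))


def triage(rows):
    """Drop clean rows, de-duplicate findings, return them in patch order."""
    seen, findings = set(), []
    for row in rows:
        if not row.get("vuln_id"):  # assumption: clean packages carry no vuln_id
            continue
        key = (row.get("ecosystem"), row.get("package"),
               row.get("version"), row["vuln_id"])
        if key not in seen:
            seen.add(key)
            findings.append(row)
    return sorted(findings, key=priority)


def gate(rows, fail_on_severity=None):
    """Return (exit_code, blocking_rows).

    KEV-listed findings always block. fail_on_severity (e.g. "HIGH") adds an
    optional severity threshold for findings that are not on the KEV list.
    """
    threshold = SEVERITY_RANK.get((fail_on_severity or "").upper())
    if fail_on_severity and threshold is None:
        raise ValueError(f"unknown severity threshold: {fail_on_severity!r}")
    blocking = [
        row for row in triage(rows)
        if _flag(row.get("kev_exploited"))
        or (threshold is not None and _severity(row) >= threshold)
    ]
    return (1 if blocking else 0), blocking


# The lodash row copies fields from the page's output example.
LODASH_ROW = {
    "package": "lodash", "version": "4.17.15", "ecosystem": "npm",
    "vuln_id": "GHSA-p6mc-m468-83gw", "severity": "HIGH",
    "fixed_version": "4.17.20", "kev_exploited": False,
}

SAMPLE_ROWS = [  # constructed input for the demonstration
    LODASH_ROW,
    dict(LODASH_ROW),  # the same finding reached through a second dependency path
    {"package": "example-lib", "version": "1.0.0", "ecosystem": "npm",
     "vuln_id": "EXAMPLE-0001", "severity": "MEDIUM", "kev_exploited": True,
     "kev_due_date": "2025-01-01", "kev_known_ransomware": "Known"},
    {"package": "clean-lib", "version": "2.0.0", "ecosystem": "npm"},
]

if __name__ == "__main__":
    code, blocking = gate(SAMPLE_ROWS)
    for row in triage(SAMPLE_ROWS):
        tag = "BLOCK" if row in blocking else "warn "
        print(tag, row["package"], row["version"], row["vuln_id"],
              row.get("severity"), "fix:", row.get("fixed_version", "n/a"))
    # In CI, pass this code to sys.exit() so a KEV hit fails the build.
    print("exit code:", code)
```
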

### Pricing

Pay per event:

- **Actor start** - $0.25 per batch run
- **Package scanned** - $0.01 per dependency checked
- **Vulnerability found** - $0.02 per known vulnerability returned
- **Exploited vulnerability alert** - $0.05 per CISA actively exploited match

Clean packages cost only the per package scan fee, so a healthy project is cheap to verify.

### Data sources

OSV.dev (Google led, open vulnerability database) and the CISA Known Exploited Vulnerabilities catalog. Both are public and free. DepGuard normalizes them into one consistent shape.

### FAQ

**Does it need access to my private code?** No. You provide package names and versions, or a lockfile. No source code is read.

**How fresh is the data?** OSV and CISA KEV are queried live on every run.

**What if a package has no known vulnerabilities?** It is reported as clean and only the per package scan fee applies.

# Actor input Schema

## `packages` (type: `array`):

List of dependencies to scan, each as `{"name":"lodash","version":"4.17.15","ecosystem":"npm"}`. Version is optional. Ecosystem defaults to npm.

## `lockfile` (type: `string`):

Paste the full contents of a package-lock.json or requirements.txt to scan every pinned dependency. Overrides the packages list.

## `lockfileType` (type: `string`):

Format of the pasted lockfile.

## `name` (type: `string`):

Quick single lookup. Use instead of the packages list to scan one dependency.

## `version` (type: `string`):

Version for the single package lookup. Optional but recommended for precise matching.

## `ecosystem` (type: `string`):

Package ecosystem such as npm, PyPI, Go, Maven, RubyGems, crates.io, NuGet.

## `limit` (type: `integer`):

Maximum dependencies to scan in one run.

## Actor input object example

```json
{
  "packages": [
    {
      "name": "lodash",
      "version": "4.17.15",
      "ecosystem": "npm"
    }
  ],
  "lockfileType": "package-lock.json",
  "ecosystem": "npm",
  "limit": 200
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "packages": [
        {
            "name": "lodash",
            "version": "4.17.15",
            "ecosystem": "npm"
        }
    ]
};

// Run the Actor and wait for it to finish
const run = await client.actor("george.the.developer/depguard-dependency-vulnerability-scanner").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = { "packages": [{
            "name": "lodash",
            "version": "4.17.15",
            "ecosystem": "npm",
        }] }

# Run the Actor and wait for it to finish
run = client.actor("george.the.developer/depguard-dependency-vulnerability-scanner").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{
  "packages": [
    {
      "name": "lodash",
      "version": "4.17.15",
      "ecosystem": "npm"
    }
  ]
}' |
apify call george.the.developer/depguard-dependency-vulnerability-scanner --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=george.the.developer/depguard-dependency-vulnerability-scanner",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "DepGuard - Dependency Vulnerability Scanner",
        "description": "Scan your dependencies for known vulnerabilities over OSV.dev and flag the ones CISA lists as actively exploited, so you patch the dangerous bugs first. Packages or a lockfile in, normalized vulnerability rows out. No API key, standby ready.",
        "version": "1.0",
        "x-build-id": "chhmeEg3ugV65Uyp6"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/george.the.developer~depguard-dependency-vulnerability-scanner/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-george.the.developer-depguard-dependency-vulnerability-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/george.the.developer~depguard-dependency-vulnerability-scanner/runs": {
            "post": {
                "operationId": "runs-sync-george.the.developer-depguard-dependency-vulnerability-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/george.the.developer~depguard-dependency-vulnerability-scanner/run-sync": {
            "post": {
                "operationId": "run-sync-george.the.developer-depguard-dependency-vulnerability-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "properties": {
                    "packages": {
                        "title": "Packages",
                        "type": "array",
                        "description": "List of dependencies to scan, each as {\"name\":\"lodash\",\"version\":\"4.17.15\",\"ecosystem\":\"npm\"}. Version is optional. Ecosystem defaults to npm."
                    },
                    "lockfile": {
                        "title": "Lockfile contents",
                        "type": "string",
                        "description": "Paste the full contents of a package-lock.json or requirements.txt to scan every pinned dependency. Overrides the packages list."
                    },
                    "lockfileType": {
                        "title": "Lockfile type",
                        "enum": [
                            "package-lock.json",
                            "requirements.txt"
                        ],
                        "type": "string",
                        "description": "Format of the pasted lockfile.",
                        "default": "package-lock.json"
                    },
                    "name": {
                        "title": "Single package name",
                        "type": "string",
                        "description": "Quick single lookup. Use instead of the packages list to scan one dependency."
                    },
                    "version": {
                        "title": "Single package version",
                        "type": "string",
                        "description": "Version for the single package lookup. Optional but recommended for precise matching."
                    },
                    "ecosystem": {
                        "title": "Ecosystem",
                        "type": "string",
                        "description": "Package ecosystem such as npm, PyPI, Go, Maven, RubyGems, crates.io, NuGet.",
                        "default": "npm"
                    },
                    "limit": {
                        "title": "Limit",
                        "minimum": 1,
                        "maximum": 1000,
                        "type": "integer",
                        "description": "Maximum dependencies to scan in one run.",
                        "default": 200
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
