Dependency file scanner
Upload a dependency manifest or lockfile from nine package ecosystems. Depna extracts package names and versions, then checks them against vulnerability intelligence.
Upload a dependency file or lockfile and get a comprehensive vulnerability report in under 2 minutes — no source code access, no repo access, no OAuth, no install. Reports are audit-ready, aligned with ISO 27001 & SOC 2 Type II controls.
Use Depna as a dependency scanner without source code access: it scans dependency files and lockfiles, not your repository. Upload package-lock.json, requirements.txt, pom.xml, go.mod, or another supported manifest and get vulnerability results without OAuth, Git app installs, or source-code permissions.
Upload a dependency manifest or lockfile from nine package ecosystems. Depna extracts package names and versions, then checks them against vulnerability intelligence.
Lockfiles such as yarn.lock, poetry.lock, Cargo.lock, and packages.lock.json provide resolved versions, making transitive dependency findings clearer.
For Node.js projects, upload package-lock.json to scan exact npm package versions without granting repository access or sharing source code.
Teams that cannot connect third-party tools or Git apps to private repositories can use Depna’s upload-first workflow for fast security reports.
Manifest files identify direct dependencies; lockfiles give resolved versions for stronger direct and transitive vulnerability scanning.
Supports 9 ecosystems and common dependency lockfiles
No complex setup, no repo permissions, no source-code review. Upload a manifest or lockfile and scan.
Create an account and upload a manifest or lockfile — package-lock.json, requirements.txt, pom.xml, go.mod, or any supported format.
Depna analyzes every dependency against continuously updated CVE databases — no repository or source code access required. Upload a lockfile for direct and transitive coverage, or a manifest for direct dependencies.
Critical and high-severity vulnerabilities trigger immediate notifications to your configured channels.
Receive weekly and monthly AI-powered summaries with executive-ready insights — no technical background needed.
Built for engineering teams that need dependency vulnerability scanning without source code access, repo permissions, or complex tooling.
Upload only your dependency file. Depna never touches your source code, clones your repository, or requires repository permissions.
Not locked to any VCS platform. Works with every Git provider, self-hosted systems, and teams that cannot connect third-party Git apps.
Every dependency vulnerability is analyzed by AI and presented in three layers: technical detail, business impact, and executive summary.
Generate audit-ready reports aligned with ISO 27001 and SOC 2 Type II — optionally white-labeled with your own company logo.
Get alerted the moment a critical vulnerability is detected, through your team's preferred channels.
Plug into your existing pipeline with a single curl command. Auto-scan on every push.
Most tools check your dependencies the moment you ask. Depna keeps checking — your latest file is re-scanned every 2 hours against the newest advisories, so tomorrow's vulnerability reaches you without lifting a finger.
Most scanners stop at a list. Depna hands you a ready-to-use patched file and a full resolution trail your auditors can follow.
Least privilege, hardened integrations, and strict tenant isolation come standard — not as a paid add-on you have to remember to switch on.
Six built-in roles plus per-project membership decide exactly who can scan, resolve, report, or just observe.
Slack, Teams and Discord links are re-checked on every send — and the link itself stays a secret.
Every company's data is fully separated and enforced at the query level on every single request — never cross-tenant.
Most dependency scanners require repository access, Git OAuth, or a connected platform. Depna is different by design.
| Feature | Depna Recommended | Dependabot | Snyk | npm audit |
|---|---|---|---|---|
| Repo or source code access requiredSource code visibility needed | Not required | Required | Required | Local CLI |
| Platform independenceWorks with any VCS provider | All platforms | GitHub only | npm CLI only | |
| Executive summaryNon-technical stakeholder reports | Partial | |||
| ISO 27001 / SOC 2 PDFAudit-ready compliance reports | ||||
| White-label PDFsYour logo, zero vendor branding | ||||
| AI-powered analysisIntelligent vulnerability summaries | Partial | |||
| Continuous re-scanningAuto re-check against new advisories | Every 2h | Repo only | Manual | |
| Ready-to-use fixed fileDownload a patched dependency file | Via repo PRs | Partial | CLI only | |
| Resolution & risk workflowAccept, dismiss, assign & track findings | Partial | |||
| Role-based access controlGranular per-role team permissions | 6 roles | Basic | ||
| SLA & MTTR reportingRemediation KPIs in every report | Partial | |||
| Time to first scanUpload-only — no configuration | < 2 minutes | GitHub config | Complex | CLI tool |
| Multiple ecosystemsLanguages & package managers | JS only | |||
| Transitive (sub-dependency) scanningDetects vulnerabilities in nested dependencies | Lock file | |||
| Dashboard file uploadUpload dependency file via web UI | ||||
| CI/CD integrationPipeline automation |
Plug a dependency file scanner into your current workflow in minutes. No configuration changes to your repository.
Add a single step to your pipeline. Auto-scan every dependency file or lockfile change.
- name: Scan dependencies with Depna run: | curl -X POST https://depna.io/api/v1/ci/upload/ \ -H "Authorization: Token ${{ secrets.DEPNA_TOKEN }}" \ -F "[email protected]" \ -F "project_name=My Project"
Start free and scale as you grow. No hidden fees, no per-seat pricing surprises.
Perfect for individual developers exploring dependency security.
Ideal for small teams shipping products that care about security.
For teams preparing for compliance audits and enterprise security standards.
Everything in Pro, with unlimited projects for large-scale teams.
The 3-day free trial is available on the Pro plan only. No credit card required.
See the annual PDF report your team can share with security leadership, customers, and auditors. The sample shows dependency risk summaries, severity trends, SLA/MTTR metrics, and ISO 27001 / SOC 2 evidence mapping.
Depna is built with security-first principles. Your data is protected at every step — from upload to report delivery.
Depna is under active development. Every scan engine update, new ecosystem, and security fix is documented and shipped continuously.
View full changelogEverything developers and security teams ask before trying Depna — answered in plain language.
No credit card. No repo access. No OAuth. Just upload your dependency file or lockfile and get a full security report.