AI-Powered Security Reports — Now Available

Dependency Scanner
Without Code or Repo Access

Upload a dependency file or lockfile and get a comprehensive vulnerability report in under 2 minutes — no source code access, no repo access, no OAuth, no install. Reports are audit-ready, aligned with ISO 27001 & SOC 2 Type II controls.

< 2 minScan Time
8Ecosystems
ISO 27001Audit-Ready
SOC 2Audit-Ready
No Code Access Scanning

Dependency scanner without
source code access

Use Depna as a dependency scanner without source code access: it scans dependency files and lockfiles, not your repository. Upload package-lock.json, requirements.txt, pom.xml, go.mod, or another supported manifest and get vulnerability results without OAuth, Git app installs, or source-code permissions.

Dependency file scanner

Upload a dependency manifest or lockfile from nine package ecosystems. Depna extracts package names and versions, then checks them against vulnerability intelligence.

Lockfile vulnerability scanner

Lockfiles such as yarn.lock, poetry.lock, Cargo.lock, and packages.lock.json provide resolved versions, making transitive dependency findings clearer.

package-lock.json vulnerability scanner

For Node.js projects, upload package-lock.json to scan exact npm package versions without granting repository access or sharing source code.

No repo access scanning

Teams that cannot connect third-party tools or Git apps to private repositories can use Depna’s upload-first workflow for fast security reports.

Supported dependency files

Manifest files identify direct dependencies; lockfiles give resolved versions for stronger direct and transitive vulnerability scanning.

  • package-lock.json
  • yarn.lock
  • pnpm-lock.yaml
  • requirements.txt
  • poetry.lock
  • pom.xml
  • packages.lock.json
  • go.mod
  • composer.lock
  • Gemfile.lock
  • Cargo.lock

Supports 9 ecosystems and common dependency lockfiles

JavaScriptpackage-lock.json
Pythonpoetry.lock
Javapom.xml
PHPcomposer.lock
Gogo.mod
.NETpackages.lock.json
RubyGemfile.lock
RustCargo.lock
Hexmix.lock
Simple by Design

Scan dependency files in minutes,
without code access

No complex setup, no repo permissions, no source-code review. Upload a manifest or lockfile and scan.

01

Upload a dependency file

Create an account and upload a manifest or lockfile — package-lock.json, requirements.txt, pom.xml, go.mod, or any supported format.

Manual upload or CI/CD automation
02

Run a no-code-access scan

Depna analyzes every dependency against continuously updated CVE databases — no repository or source code access required. Upload a lockfile for direct and transitive coverage, or a manifest for direct dependencies.

Powered by Depna engine
03

Instant Alerts

Critical and high-severity vulnerabilities trigger immediate notifications to your configured channels.

Slack, Teams, Discord, Email
04

AI Reports

Receive weekly and monthly AI-powered summaries with executive-ready insights — no technical background needed.

Audit-ready ISO 27001 & SOC 2 PDFs
Core Features

Everything your team needs
for file-based dependency scanning

Built for engineering teams that need dependency vulnerability scanning without source code access, repo permissions, or complex tooling.

Zero Code or Repo Access

Upload only your dependency file. Depna never touches your source code, clones your repository, or requires repository permissions.

  • Works without OAuth or PAT tokens
  • Friendly with corporate security policies
  • Lock files add full transitive coverage

Platform Independent

Not locked to any VCS platform. Works with every Git provider, self-hosted systems, and teams that cannot connect third-party Git apps.

  • GitHub, GitLab, Bitbucket
  • Self-hosted systems
  • CI/CD pipeline integration

Audit-Ready PDFs

Generate audit-ready reports aligned with ISO 27001 and SOC 2 Type II — optionally white-labeled with your own company logo.

  • ISO 27001 A.8.8 coverage
  • SOC 2 CC7.1 audit trail
  • White-label PDFs on Enterprise

Instant Notifications

Get alerted the moment a critical vulnerability is detected, through your team's preferred channels.

  • Email, Slack, Teams & Discord
  • Per-plan channel limits
  • Unlimited channel rules

CI/CD Integration

Plug into your existing pipeline with a single curl command. Auto-scan on every push.

  • GitHub Actions ready
  • GitLab CI compatible
  • Bitbucket Pipelines support
Always Watching

Scan once.
Watched around the clock.

Most tools check your dependencies the moment you ask. Depna keeps checking — your latest file is re-scanned every 2 hours against the newest advisories, so tomorrow's vulnerability reaches you without lifting a finger.

Re-scans every 2 hours
Your latest dependency file is re-checked against the newest advisories automatically — no manual re-upload.
Alerts only on real changes
You hear from us when a new vulnerability appears or an existing one clears — never repeat noise.
Self-correcting resolutions
Auto-fixed findings re-open themselves if a later scan still sees the package as vulnerable.
Weekly & monthly trend digests
Period-over-period summaries show what improved and what regressed across your projects.
Detection → Resolution

Find it, fix it,
and prove you handled it.

Most scanners stop at a list. Depna hands you a ready-to-use patched file and a full resolution trail your auditors can follow.

One-click fix

Download a patched dependency file

Resolution workflow

Every finding gets an outcome

  • Auto FixedCreated automatically when you are already on a safe version — and reverted if a later scan disagrees.
  • Accepted RiskSet a future re-evaluation date; reminder rules can notify 1 month, 1 week, or 1 day before it.
  • False PositiveFlag an incorrect match with an optional note explaining your reasoning.
  • Manual FixedLog your own mitigation with a responsible person and a target remediation date.
Assign a responsible owner to any decision — reminders follow them.
Built for Teams

Enterprise-grade controls,
on by default.

Least privilege, hardened integrations, and strict tenant isolation come standard — not as a paid add-on you have to remember to switch on.

Granular access control

Six built-in roles plus per-project membership decide exactly who can scan, resolve, report, or just observe.

OwnerAdminSecurity AnalystDeveloperManagerAuditor

Verified webhook delivery

Slack, Teams and Discord links are re-checked on every send — and the link itself stays a secret.

  • HTTPS-only, provider-matched links
  • Never displayed again after saving
  • Hidden from every delivery log

Strict data isolation

Every company's data is fully separated and enforced at the query level on every single request — never cross-tenant.

  • Enforced on every request
  • Same rules over the API
  • No shared cross-company access
Feature Comparison

Compare dependency scanners
without repo access

Most dependency scanners require repository access, Git OAuth, or a connected platform. Depna is different by design.

Feature
Depna Recommended
DependabotSnyknpm audit
Repo or source code access requiredSource code visibility neededNot requiredRequiredRequiredLocal CLI
Platform independenceWorks with any VCS providerAll platformsGitHub onlynpm CLI only
Executive summaryNon-technical stakeholder reportsPartial
ISO 27001 / SOC 2 PDFAudit-ready compliance reports
White-label PDFsYour logo, zero vendor branding
AI-powered analysisIntelligent vulnerability summariesPartial
Continuous re-scanningAuto re-check against new advisoriesEvery 2hRepo onlyManual
Ready-to-use fixed fileDownload a patched dependency fileVia repo PRsPartialCLI only
Resolution & risk workflowAccept, dismiss, assign & track findingsPartial
Role-based access controlGranular per-role team permissions6 rolesBasic
SLA & MTTR reportingRemediation KPIs in every reportPartial
Time to first scanUpload-only — no configuration< 2 minutesGitHub configComplexCLI tool
Multiple ecosystemsLanguages & package managersJS only
Transitive (sub-dependency) scanningDetects vulnerabilities in nested dependenciesLock file
Dashboard file uploadUpload dependency file via web UI
CI/CD integrationPipeline automation
Integrations

Works with your
existing stack

Plug a dependency file scanner into your current workflow in minutes. No configuration changes to your repository.

Notification Channels
SlackStarter plan
Microsoft TeamsPro plan
DiscordStarter plan
EmailAll plans

CI/CD Pipeline Scanning

Add a single step to your pipeline. Auto-scan every dependency file or lockfile change.

GitHub ActionsGitLab CIBitbucket PipelinesSelf-hosted
GitHub Actions · .github/workflows/depna.yml
- name: Scan dependencies with Depna
  run: |
    curl -X POST https://depna.io/api/v1/ci/upload/ \
      -H "Authorization: Token ${{ secrets.DEPNA_TOKEN }}" \
      -F "[email protected]" \
      -F "project_name=My Project"
Pricing

Simple, project-based
pricing

Start free and scale as you grow. No hidden fees, no per-seat pricing surprises.

Free
Free

Perfect for individual developers exploring dependency security.

Get started free
  • 1 project
  • Unlimited user seats
  • Email channel (no Slack, Teams, Discord)
  • Unlimited notification rules
  • Monthly security report
  • Real-time vulnerability alerts
  • AI-powered analysis
  • PDF report export
  • White-label PDF reports
  • 8 supported ecosystems
  • CI/CD integration
  • ISO 27001 / SOC 2 report
  • Priority Support
  • Audit-ready ISO 27001 & SOC 2 PDFs
Starter
$19/month

Ideal for small teams shipping products that care about security.

Start Starter plan
  • 3 projects
  • Unlimited user seats
  • Email, 1 Slack, 1 Discord channel
  • Unlimited notification rules
  • Monthly security report
  • Real-time vulnerability alerts
  • AI-powered analysis
  • PDF report export
  • White-label PDF reports
  • 8 supported ecosystems
  • CI/CD integration
  • ISO 27001 / SOC 2 report
  • Priority Support
  • Audit-ready ISO 27001 & SOC 2 PDFs
Enterprise
$99/month

Everything in Pro, with unlimited projects for large-scale teams.

Start Enterprise plan
  • Unlimited projects
  • Unlimited user seats
  • Email, unlimited Slack, Teams & Discord
  • Unlimited notification rules
  • Monthly & yearly security reports
  • Real-time vulnerability alerts
  • AI-powered analysis
  • PDF report export
  • White-label PDF reports
  • 8 supported ecosystems
  • CI/CD integration
  • ISO 27001 / SOC 2 report
  • Priority Support
  • Audit-ready ISO 27001 & SOC 2 PDFs

The 3-day free trial is available on the Pro plan only. No credit card required.

Sample Report

Download a sample annual
security report

See the annual PDF report your team can share with security leadership, customers, and auditors. The sample shows dependency risk summaries, severity trends, SLA/MTTR metrics, and ISO 27001 / SOC 2 evidence mapping.

Annual summaryISO 27001 evidenceSOC 2 mappingSLA / MTTR metrics
Data Security

Enterprise-grade
security standards

Depna is built with security-first principles. Your data is protected at every step — from upload to report delivery.

Files not stored
Dependency files are processed in memory and never persisted on our servers.
TLS 1.3 encryption
All data in transit is encrypted using the latest TLS standard.
API tokens hashed
Tokens are stored as one-way hashes. Plain text is never retained.
GDPR compliant
EU data residency and full GDPR compliance. User data never shared with third parties.
What happens to your data
You upload dependency file via dashboard or CI/CD
File analyzed in isolated memory environment
File permanently deleted after scan completes
Results stored securely in your encrypted account
Alerts delivered through your configured channels
Live in every report

ISO 27001:2022 & SOC 2 evidence, built from your real scan data

9ISO controls
6SOC 2 criteria
SLA · MTTRper severity
A.5.25 satisfied A.8.8 satisfied A.8.9 satisfied A.8.16 partial A.8.28 satisfied CC6.1 satisfied CC7.1 satisfied CC7.2 partial CC8.1 satisfied
Each PDF carries a QR code that opens the live report. Evidence supports your audit — it is not a certification.
Always Improving

Built in the open,
shipped every week

Depna is under active development. Every scan engine update, new ecosystem, and security fix is documented and shipped continuously.

View full changelog
FAQ

Frequently asked
questions

Everything developers and security teams ask before trying Depna — answered in plain language.

Can I use Depna as a dependency scanner without code access?
Yes. Depna is a dependency scanner that works without source code access. It scans the dependency file or lockfile you upload, such as package-lock.json, requirements.txt, pom.xml, go.mod, or Cargo.lock, and does not clone or read your repository.
Is Depna a dependency vulnerability scanner without source code access?
Yes. Depna checks dependency manifests and lockfiles for known vulnerabilities without requiring GitHub, GitLab, Bitbucket, or self-hosted repository permissions. You can scan dependencies without sharing source code or installing a Git app.
Can Depna scan package-lock.json for vulnerabilities?
Yes. Depna can scan package-lock.json to identify vulnerable npm packages, including resolved dependency versions recorded in the lockfile. This makes it useful as a package-lock.json vulnerability scanner for Node.js and JavaScript projects.
Is Depna a lockfile vulnerability scanner?
Yes. Depna scans lockfiles such as requirements.lock, Pipfile.lock, poetry.lock, uv.lock, pdm.lock, package-lock.json, npm-shrinkwrap.json, yarn.lock, pnpm-lock.yaml, gradle.lockfile, go.sum, packages.lock.json, Gemfile.lock, composer.lock, Cargo.lock, and mix.lock. Lockfiles help Depna identify exact resolved versions and transitive dependency vulnerabilities.
What is Depna?
Depna is a dependency security platform that scans your project’s dependency files for known vulnerabilities without requiring access to your source code repository. You upload a dependency file or lockfile — or send it from your CI/CD pipeline — and Depna returns a full vulnerability report in under two minutes.
How does Depna scan dependencies without repository access?
Depna analyzes the dependency file you provide — such as package-lock.json, requirements.txt, pom.xml, go.mod, or Cargo.lock — instead of your source code. It needs no OAuth, no Git app install, and no repository permissions, which keeps it compatible with strict corporate security policies.
Which languages and ecosystems does Depna support?
Depna supports 9 ecosystems: JavaScript/Node.js, Python, Java/Maven/Gradle, PHP, Go, .NET/NuGet, Ruby, Rust, and Hex/Erlang/Elixir. It reads both manifest files and lock files across these package managers.
Does Depna detect transitive (indirect) dependencies?
Yes. When you upload a lock file, Depna resolves the full dependency tree and reports vulnerabilities in both direct and transitive dependencies, labelling each finding so you know where the risk comes from.
How often does Depna re-scan my dependencies?
Depna automatically re-scans each project’s latest dependency file every 2 hours against the latest advisories, so you are alerted to newly disclosed vulnerabilities without having to re-upload anything.
Can Depna fix vulnerabilities, not just find them?
Yes. After a manifest scan, Depna generates a fixed file — a copy of your dependency file updated to the nearest safe versions — that you can download and drop straight into your project.
Does Depna integrate with CI/CD pipelines?
Yes. Depna provides an API-token upload endpoint so you can scan dependencies automatically on every pipeline run with a single request. It works with GitHub Actions, GitLab CI, and Bitbucket Pipelines.
Does Depna produce ISO 27001 and SOC 2 reports?
Depna generates audit-ready PDF reports aligned with ISO 27001 and SOC 2 Type II. Uploaded dependency files are processed in memory and never persisted on Depna’s servers.
Is there a free plan?
Yes. Depna offers a free plan that includes one project, email alerts, and a monthly PDF report, with no credit card required.
How is Depna different from repository-connected scanners?
Unlike tools that require repository access or are tied to a single Git provider, Depna works from an uploaded dependency file or lockfile on any platform. It is designed for teams that need dependency vulnerability scanning without repo access, plus executive-ready reporting, ISO 27001 and SOC 2 Type II aligned PDF reports, and a one-click fixed file for manifest scans.
Get started today — free forever

Scan dependencies
without source code access

No credit card. No repo access. No OAuth. Just upload your dependency file or lockfile and get a full security report.

No credit card required Free plan forever No code access Audit-ready reports