Our Story

Security shouldn't require
handing over your code

We built Depna because every existing solution demanded repository access just to scan a lockfile. That never made sense to us — and it shouldn't make sense to you either.

Mission

Make dependency security accessible to every team

Most security tooling is built for large enterprises — complex to set up, expensive to run, and intrusive by design. Small teams and startups are left with two bad choices: skip security scanning entirely, or give a third-party service full access to their private repositories.

Depna was built to eliminate that trade-off. Upload a dependency file, get an instant security report. No repository connection. No OAuth tokens. No ongoing permissions. Just results.

We believe that knowing what's vulnerable in your stack is a fundamental right, not a premium feature.

What we stand for

Values we build by

Privacy by design

Your source code never leaves your machine; only the dependency file you upload is sent to us. That file is processed in isolated memory and deleted the moment the scan completes. It is never stored and never logged.

Radical transparency

We publish exactly what data we collect, how long we keep it, and who can see it. Our privacy policy is written to be read, not to bury disclosures in legalese.

Least privilege

We ask for the minimum access needed to do the job. No repository connections, no OAuth tokens, no webhooks unless you choose them. Security tools should model good security practices.

Speed over ceremony

A scan should take seconds, not days of onboarding. From upload to results in under 30 seconds — no setup calls, no integration guides, no professional services required.

Built for builders

We design for developers first — clean APIs, CI/CD-native workflows, and output formats that integrate into your existing process. Security that fits your stack, not the other way around.

Compliance without compromise

We help you prove dependency security to your own customers and auditors. Every report turns your real scan data into audit-ready evidence mapped to ISO 27001 and SOC 2 Type II controls — not a certification, but the proof an audit actually asks for.

Why now

The problem didn't go away — it got worse

Software supply chain attacks have tripled in the last two years. The packages you pull in from npm, PyPI, and Maven aren't just code — they're trust decisions made at scale, often without a second look. One vulnerable transitive dependency can expose your entire application.

At the same time, the tools built to catch these issues have grown increasingly invasive. They need to clone your repository, read your secrets, and maintain persistent access just to parse a text file that lists your dependencies.
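To make the point concrete: everything a scanner needs to enumerate your production dependency graph, including transitive and nested copies, is already in the lockfile itself. The example below is added here for illustration and is not Depna's own code. It walks an npm lockfile in the lockfileVersion 3 layout (the `packages` map keyed by install path) using npm's nearest-enclosing-`node_modules` resolution rule, and reports every installed copy of a named package together with the chain that pulls it in. The lockfile contents, package names and versions are constructed for the example.

```python
import json
from collections import deque

# Constructed sample in npm's lockfileVersion 3 layout. The package names and
# versions are made up for illustration; the structure matches real lockfiles.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "example-app",
            "dependencies": {"web-framework": "^2.0.0", "cli-colors": "^1.0.0"},
            "devDependencies": {"test-runner": "^9.0.0"},
        },
        "node_modules/web-framework": {
            "version": "2.3.1",
            "dependencies": {"http-parser": "^4.1.0", "cli-colors": "^0.9.0"},
        },
        # Nested copy: web-framework pinned an older cli-colors, so npm installed
        # it under web-framework's own node_modules. A scan must see both copies.
        "node_modules/web-framework/node_modules/cli-colors": {"version": "0.9.0"},
        "node_modules/http-parser": {
            "version": "4.1.7",
            "dependencies": {"tiny-logger": "^0.9.0"},
        },
        "node_modules/tiny-logger": {"version": "0.9.2"},
        "node_modules/cli-colors": {"version": "1.4.0"},
        "node_modules/test-runner": {"version": "9.0.0", "dev": True},
    },
})


def load_packages(text):
    """Parse a lockfile and return its 'packages' map (lockfileVersion 2 or 3 only)."""
    data = json.loads(text)
    if data.get("lockfileVersion") not in (2, 3) or "packages" not in data:
        raise ValueError("only lockfileVersion 2/3 with a 'packages' map is handled")
    return data["packages"]


def package_name(path):
    """Map an install path like 'node_modules/a/node_modules/b' to 'b'."""
    return "(root)" if path == "" else path.rsplit("node_modules/", 1)[-1]


def resolve(packages, from_path, dep_name):
    """Locate dep_name the way Node does from from_path: the nearest enclosing
    node_modules directory wins, walking outward to the project root."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep_name}" if base else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # missing from the lockfile (e.g. an unmet peer dependency)
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def reachable(packages, include_dev=False):
    """BFS from the root entry; returns {install_path: chain of install paths}."""
    chains = {"": [""]}
    queue = deque([""])
    while queue:
        cur = queue.popleft()
        entry = packages[cur]
        deps = dict(entry.get("dependencies", {}))
        deps.update(entry.get("optionalDependencies", {}))
        if include_dev and cur == "":
            deps.update(entry.get("devDependencies", {}))
        for name in deps:
            target = resolve(packages, cur, name)
            if target is None or target in chains:
                continue
            chains[target] = chains[cur] + [target]
            queue.append(target)
    return chains


def find_copies(lockfile_text, name, include_dev=False):
    """Every installed copy of `name` reachable from the root, as
    (version, [chain of package names]) in breadth-first (shortest chain) order."""
    packages = load_packages(lockfile_text)
    hits = []
    for path, chain in reachable(packages, include_dev).items():
        if path and package_name(path) == name:
            hits.append((packages[path].get("version"), [package_name(p) for p in chain]))
    return hits


if __name__ == "__main__":
    for pkg in ("tiny-logger", "cli-colors", "test-runner"):
        for version, chain in find_copies(SAMPLE_LOCKFILE, pkg):
            print(f"{pkg}@{version}: {' -> '.join(chain)}")
```

Two things the walk surfaces that a flat `grep` of the lockfile would miss: the older `cli-colors` shadowed under `web-framework` is still installed and still reachable at runtime, and `test-runner` is excluded unless you ask for dev dependencies, so a production scan does not drown in tooling noise. None of this needed a repository clone, a token, or anything beyond the one text file.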

We think the security community deserves a tool that respects the principle of least privilege — one that asks for exactly what it needs and nothing more. Depna is that tool.

6+ ecosystems supported
< 30s average scan time
0 bytes of your code stored
Founded 2024

Want to talk?

Questions, partnership ideas, or security disclosures — we read everything.

Get in touch