Depna Documentation

01 What is Depna?

Depna is a SaaS platform that continuously monitors the third-party dependencies (libraries, packages) used in your software projects for known security vulnerabilities. Unlike traditional tools, Depna does not require access to your source code repository — simply upload your dependency file and get results.

The platform detects vulnerabilities, ranks them by severity, offers automated fix suggestions, and generates comprehensive reports for both technical teams and non-technical stakeholders.

Key Features

• No repository access required — upload-only workflow
• Supports 8 ecosystems: Python, Node.js, Java, PHP, Go, .NET, Ruby, and Rust
• Automatic re-scanning every 2 hours against the latest threat databases
• AI-powered security analysis and actionable recommendations
• Audit-ready ISO 27001 and SOC 2 PDF reports
• Email, Slack, Microsoft Teams, and Discord notifications (channel limits vary by plan)
• CI/CD pipeline integration via API tokens
• Role-based access control with 6 distinct roles

02 Getting Started

2.1 Creating an Account

To register for Depna, you need to provide:

• First name
• Last name
• Email address
• Password
• Company name
• Country (2-letter ISO code, e.g. US, TR)

Upon registration, a company account is automatically created and you become the Owner of that company. You can later invite team members to join your organization.

2.2 Sign In & Session Management

Sign in with your email and password. Your session is secured automatically and stays active while you use Depna. The session is renewed in the background, so you do not have to sign in again repeatedly. Signing out ends your session immediately.

2.3 Password Reset

If you forget your password, use the "Forgot Password" flow. A 6-digit verification code is sent to your email address. The code is valid for 15 minutes. After verifying the code, you can set a new password.

03 Dashboard

The Dashboard provides a single-screen overview of your organization's security posture. The following metrics are displayed:

• Total projects and your plan's project limit
• Total scans performed
• Open findings (unresolved vulnerabilities)
• Critical findings count
• Recent scans — the latest 10 scans with project name, status, ecosystem, package counts, and date

04 Projects

A project represents a single software application or service. Each project can have one or more dependency files uploaded, and a full scan history is maintained.

4.1 Creating a Project

To create a new project, simply provide a project name. That's it — no complex configuration needed.

4.2 Project Members

Company members can be added to individual projects. The project owner or an admin can perform this action. A role is assigned at the time of addition (see Section 08 for role details).

Only the company Owner can see and access every project in the organization. All other roles — including Admins — only see projects they have been explicitly added to as members.

4.3 Active and Inactive Projects

Each project displays an Active or Inactive status. While a project is active, it takes part in automatic re-scans, CI/CD uploads, and notification delivery. While a project is inactive, automatic re-scans stop, CI/CD uploads for that project are rejected, and notifications stop being sent. Past scans, findings, and resolution records are preserved and remain visible in read-only mode.

4.4 Deleting a Project

When a project is deleted, its scan history and all findings are permanently removed. This action can only be performed by a project admin or company admin, and cannot be undone.

05 Scans

5.1 How It Works

To start a scan, upload your dependency file to a project. Depna analyzes the file, extracts the packages, and cross-references them against continuously updated security vulnerability databases.

The scanning process follows these steps:

• File is uploaded and validated
• Ecosystem is automatically detected (e.g. requirements.txt → Python/PyPI)
• All packages are added to the tracking list
• Security vulnerability databases are queried for matches
• Findings are created and classified by severity
• Notification rules are triggered upon completion

5.2 Supported Ecosystems

5.3 Transitive Coverage

Dependency files come in two forms, and the form you upload determines how deep Depna can see into your dependency tree:

• Manifest files (e.g. requirements.txt, package.json, Gemfile) list only the packages you directly declared. Depna scans these direct dependencies.
• Lock files (e.g. package-lock.json, yarn.lock, poetry.lock, Cargo.lock) pin the fully resolved dependency tree — including the transitive dependencies pulled in by your direct ones. Uploading a lock file gives you full coverage of both direct and transitive packages.

On a completed scan, each finding is labelled Direct or Transitive where that information is available, so you can tell whether a vulnerable package is one you declared or one inherited through another package. Most lock files also list the parent package(s) that pulled a transitive dependency in, which is shown on the finding to help you decide where to apply the fix.

5.4 Scan Statuses

• Pending — Scan is queued, not yet started
• Running — Analysis is in progress
• Completed — Analysis finished, results are ready
• Failed — An error occurred. Check the file format and try again

When viewing a pending or running scan, the page automatically polls for updates every 5 seconds until the scan completes.

5.5 Automatic Re-scanning

Depna automatically re-scans every project's latest dependency file every 2 hours. This ensures you receive alerts for newly discovered vulnerabilities without any manual intervention.

5.6 Fixed File Download

After a completed manifest scan, you can download a "Fixed File" — a version of your dependency file updated with the latest secure versions of all fixable packages. You can drop this file directly into your project. This download is not offered for lock-file scans (see 5.3) — lock files cannot be safely rewritten, so use the per-finding remediation guidance instead.

06 Findings

A finding represents a specific security vulnerability detected in a package. Each finding is associated with a CVE or security advisory record.

6.1 Severity Levels

6.2 Finding Details

Each finding includes the following information:

• Package name and installed version
• CVE number and vulnerability title
• CVSS score (0–10 numeric risk rating)
• Severity level
• Fixed version (if available)
• Resolution status

6.3 Open vs. Resolved Findings

A finding is either open (unresolved) or resolved. Only open findings are counted in the Dashboard metrics and included in reports. See the next section for resolution management.

07 Resolution Management

For each finding, you can create a resolution record. This allows your team to track which vulnerabilities have been addressed and which have been consciously accepted.

7.1 Resolution Types

Auto Fixed

If the installed package version is equal to or higher than the version where the vulnerability was fixed, Depna automatically creates this resolution. No user action needed. If a subsequent scan reveals the package is still vulnerable, the resolution is automatically reverted.

Accepted Risk

Use this when you determine the vulnerability does not pose a real risk to your project. A re-evaluation date is required (must be a future date) and cannot be left blank. As the re-evaluation date approaches, Depna sends a reminder email every day for the final three days leading up to the date, so the responsible owner has a clear window to re-assess the decision before the deadline. You can optionally assign a responsible user who owns the re-evaluation.

False Positive

If you believe the scan produced an incorrect match, mark the finding as a false positive. You can optionally add a note explaining your reasoning.

Manual Fixed

Use this when you have updated the package or otherwise mitigated the vulnerability yourself. You can assign a responsible person and a target remediation date. The responsible user, if set, must be an active company member for the same reason as accepted risk decisions.

7.2 Reopening a Resolution

Any resolution can be reopened (except auto-fixed ones). When reopened, the finding returns to "open" status and is re-included in reports and dashboard metrics.

7.3 Resolution List

You can view all resolution records company-wide or filtered by project. Filtering by resolution type and package name is also supported.

08 Roles & Permissions

Depna uses role-based access control. Each user is assigned a role when added to a project. Roles are fixed at the organization level and cannot be customized.

8.1 Role Definitions

• Owner — The account creator. Has all permissions including plan management, account deletion, and editing company settings. Each organization has exactly one Owner.
• Admin — Full organizational access. Can create/delete projects, invite/remove members, edit company settings, manage notification channels, download reports, and use API tokens. Cannot manage the plan or delete the account.
• Security Analyst — Security-focused role. Can upload files, view scan results, resolve/reopen findings, download fixed files, view the resolutions list, manage notification channels, download reports, and use API tokens. Cannot manage projects, members, or company settings.
• Developer — Day-to-day engineering role. Can upload files, view scan results, resolve/reopen findings, and use API tokens. No access to resolutions list, reports, notifications, or fixed file downloads.
• Manager — Business oversight role. Can view scan results and download reports. Cannot upload files, resolve findings, manage notification channels, view notification logs, or use API tokens.
• Auditor — Read-only compliance role. Can view scan results, download fixed files, view the resolutions list, download reports, view notification logs, and view the audit log. Cannot upload files, resolve findings, manage notification channels, or use API tokens.

8.2 Permission Matrix

09 Notifications

Depna automatically notifies your team when security events occur. The notification system consists of two components: channels and rules.

9.1 Notification Channels

A channel defines where notifications are sent. Four channel types are supported:

• Email — No additional configuration needed. Notifications are sent to users with the appropriate role permissions. Email channel on all plans.
• Slack — Create an Incoming Webhook URL from your Slack workspace and add it to the channel configuration. Starter: 1 channel, Pro: 2 channels, Enterprise: unlimited.
• Microsoft Teams — Create an Incoming Webhook URL for your Teams channel. Pro: 2 channels, Enterprise: unlimited. Not available on Free or Starter plans.
• Discord — Create a Webhook URL from your Discord server channel settings (Integrations → Webhooks). Starter: 1 channel, Pro: 2 channels, Enterprise: unlimited. Not available on Free plan.

9.2 Webhook Link Safety

Slack, Microsoft Teams, and Discord channels use webhook links that you paste in when adding a channel. Depna checks each link when you save it and again every time a notification is about to be sent, so that:

• Only secure https:// links are accepted. Plain, unencrypted links are rejected.
• The link must point to a real, public address belonging to the matching messaging provider. Links pointing anywhere else are blocked, so notifications can never be redirected unexpectedly.
• A Slack channel must use a Slack webhook, a Teams channel must use a Teams webhook, and a Discord channel must use a Discord webhook. Mixing providers is rejected with a clear error.
• The full webhook link is treated as a secret. It is never shown again after you save it, and any mention of the link in delivery logs is hidden, so sharing a screenshot of the log will not leak it.

9.3 Who Receives Email Notifications

For email channels, Depna only sends to active teammates whose role is allowed to receive notifications:

• Owner — receives notifications for every project in the company.
• Admin, Security Analyst, Developer, Auditor — receive notifications only for projects they are a member of.
• Manager — does not receive email notifications, even when added to a project.

If a teammate's account is deactivated or removed, they stop receiving every type of email, including weekly and monthly summaries. Both Project Settings and Company Settings display a small badge next to each member showing whether that person will actually receive notifications, so you do not have to guess.

9.4 Notification Rules

A rule defines which project sends notifications to which channel, and under what condition. Rules are managed from the Notifications → Rules tab. All plans include unlimited notification rules — there is no cap on how many rules you can create.

Rules are per channel. If you have two Slack channels, each one requires its own rule to specify which project it should receive notifications for. For example, if you have Slack #team-a and Slack #team-b, you must create a separate rule for each channel — one pointing to Project A and one pointing to Project B. A channel that has no rule assigned will never receive any notifications.

Supported triggers:

• Scan completed — Fires when any scan finishes successfully
• Vulnerability found — Fires when a new finding at or above a specified minimum severity is detected. Although Depna rescans every 2 hours, a notification is sent only when a new vulnerability is discovered or an existing one is resolved. No notification is sent if there are no changes.
• Weekly summary — Sends a weekly digest comparing the current period's results against the previous week. Includes newly discovered vulnerabilities, resolved findings, and trend data. Available on Starter plan and above.
• Monthly summary — Sends a monthly digest comparing the current period's results against the previous month. Includes newly discovered vulnerabilities, resolved findings, and trend data.

When editing a notification channel, if changing the channel type would exceed your plan's channel limit, the update will be rejected.

9.5 Notification Logs & Retention

Every notification Depna sends is written to a log you can browse from the dashboard. For each entry you can see the date, what triggered it, which channel it went to, and whether delivery succeeded. Webhook links are hidden in the log, so it is safe to share with the rest of your team.

9.6 Inactive Projects Pause Notifications

When a project is Inactive (see Section 4.3), every notification rule tied to that project stops firing until the project becomes Active again. This covers scan-completed, vulnerability-found, weekly summary, and monthly summary alerts. As soon as the project returns to Active, notifications resume on the next matching event — nothing needs to be re-created.

10 Reports

Depna generates PDF reports summarizing your organization's overall security posture. Reports are designed for both technical teams and non-technical managers.

10.1 Report Types

• Monthly — Generated on the 1st of every month at 07:00 GMT. Covers the previous calendar month. Available on all plans (Free, Starter, Pro, Enterprise).
• Yearly — Generated on January 1st of every year at 07:00 GMT. Covers the previous full calendar year. Available on Pro and Enterprise plans only.

10.2 Report Contents

Each report includes the following sections:

• Executive Summary — Overall security status, critical findings, and priority recommendations
• AI-Powered Security Analysis (Starter+) — AI-generated risk assessment, trend analysis, and suggested actions
• Scope & Methodology — Scanned projects, ecosystems, and scanning methodology
• Summary Statistics — Total packages, vulnerable packages, finding counts, severity distribution
• Most Critical Findings — The most severe vulnerabilities ranked by severity
• Resolution Status — Breakdown of accepted risks, false positives, and fixed packages
• SLA & MTTR — SLA compliance per severity plus average Mean Time To Resolve (MTTR, in days)
• ISO 27001:2022 & SOC 2 Compliance Evidence (Pro+) — Live evidence mapped to 9 ISO 27001:2022 controls (A.5.25, A.5.26, A.5.37, A.6.8, A.8.2, A.8.8, A.8.9, A.8.16, A.8.28) and 6 SOC 2 criteria (CC6.1, CC7.1, CC7.2, CC7.3, CC7.4, CC8.1). Each control is tagged as ✓ satisfied, ◐ partial, or ✗ not evidenced based on scan counts, coverage percentage, and resolution activity. Includes a FedRAMP / CISA KEV / NIST comparison note.

10.3 AI Analysis

On Starter and above plans, reports include an AI-generated analysis section covering key findings, suggested actions with priority ranking, trend assessment, and SLA risk warnings for overdue or approaching remediation deadlines.

10.4 White-label PDF Reports Enterprise

Enterprise customers can ship PDF reports with their own branding instead of Depna's. Once a company logo is uploaded from Settings → Company → PDF Branding, every generated PDF on the Enterprise plan automatically switches to your brand:

• Your logo replaces the Depna logo on cover pages, headers, and footers
• All "Depna" references are removed from the report body
• The downloaded filename uses your company slug (e.g. acme-report-2026-04-10.pdf)

Only the Owner or an Admin can upload, replace, or remove the logo. Supported formats: PNG, JPG, JPEG. Maximum size: 512 KB. Maximum dimensions: 2000 × 2000 px. If the plan is downgraded below Enterprise, the logo is retained in your account but PDFs fall back to default Depna branding.

10.5 Report Availability

A report is marked as successfully generated as soon as it is created, regardless of whether the delivery email could be sent. If a technical issue prevents the email notification from being delivered, the report remains accessible from the Reports section of your dashboard.

10.6 Download Limit

Each person can download up to 15 reports per hour. If you go over that limit, Depna asks you to wait a few minutes before trying again. Every teammate has their own quota, so larger teams do not feel it in practice.

10.7 QR Codes on the PDF Cover Page

Every generated PDF includes a QR code on the cover page. Scanning it from your phone opens the matching report inside Depna so you can review the same data online without hunting through the dashboard. The shortcut still respects your account's permissions:

• If you are not signed in, you are sent to the sign-in page first and then returned to the report.
• If your role or company does not have access to the report, a clear "not allowed" message is shown.
• If the report has since been removed, a friendly "report not found" message is shown instead of a broken page.

The report page also has a Download PDF button that counts against the same download limit as the Reports list.

11 API Tokens & CI/CD

11.1 What is an API Token?

An API token is a secure authentication key for programmatic access to Depna. Use it to trigger automated scans from your CI/CD pipelines.

11.2 Creating a Token

When creating a new API token:

• Provide a descriptive name (e.g. "GitHub Actions CI")
• Set an expiration date — required, must be in the future and within 90 days
• The full token value is shown only once at creation time — copy and store it securely

11.3 CI/CD Integration

CI/CD integration is available on Starter and above plans. You can automatically send your dependency file to Depna after every build in your pipeline.

The request should include:

• Authorization header: Bearer <api_token>
• Project name matching your Depna project
• The dependency file to upload

- name: Depna Scan
  run: |
    curl -X POST https://depna.io/api/v1/ci/upload/ \
      -H "Authorization: Token ${{ secrets.DEPNA_TOKEN }}" \
      -F "project_name=my-project" \
      -F "[email protected]"

11.4 CI/CD Upload Rate Limit

The CI/CD upload endpoint is rate-limited at 10 requests per minute per API token. Requests beyond this limit are rejected as too many requests and the pipeline step will fail so the developer is notified immediately.

Each token has its own independent quota. Teams with highly parallel CI pipelines (e.g. large matrix builds) should consider creating separate tokens per pipeline to stay comfortably within the limit.

11.5 Token Best Practices

• Revoke unused tokens promptly
• Use descriptive names to identify each token's purpose
• Rotate tokens regularly — the maximum lifetime is 90 days
• Create separate tokens for different environments (staging, production)
• Split high-volume CI workloads across multiple tokens to distribute the rate limit

12 Account & Company Settings

12.1 Profile Settings

From the Profile tab in Settings, you can:

• Update your first and last name
• Change your password (current password verification required)
• Permanently delete your account (password confirmation required, Owner only)

Your email address is read-only and cannot be changed.

12.2 Company Settings

From the Company tab, organization information (company name, tax ID, country, city, address, phone, website, and industry) can be viewed by all members. However, editing and saving changes is restricted to Owner and Admin roles only. Members with other roles will see the fields in read-only mode.

Plan information and project limits are always read-only and can only be changed by upgrading your plan (Owner only).

12.3 Team Management

From the Members tab, Owner and Admin can invite new members by providing their email address, first name, and last name. An invitation email is sent to the new member with a link to set their password. To gain access to project data, the member must also be added to at least one project with a role assigned.

Inviting and removing members is restricted to Owner and Admin roles. The company Owner cannot be removed.

13 Plans & Limits

13.1 Free Trial Pro

The 3-day free trial is available on the Pro plan only — the Free, Starter, and Enterprise plans do not include a trial. No credit card is required to start it. When the trial ends, your account reverts to the Free plan unless you add payment details and upgrade.

13.2 What Happens When You Downgrade

If you move to a plan whose limits are lower than your current usage, Depna does not delete any data. Items that no longer fit the new plan are simply paused for you:

• Projects — the oldest projects that fit within the new limit stay active, and anything extra is paused. Their scans, findings, and history are kept.
• Notification channels — if you have more channels than the new plan allows, the oldest channels that fit stay active and the rest are paused.
• Notification rules — rules attached to paused channels or paused projects are paused alongside them.

13.3 Payment Issues & Expiration

If a subscription renewal payment fails, your subscription is marked as past due. While the subscription is past due, your current plan features stay fully active and you have time to fix the payment (update the card, retry the charge, etc.). As soon as the payment is captured successfully, the subscription returns to active automatically.

If the payment issue is not resolved within 14 days, the subscription automatically transitions to expired and your plan is downgraded to Free. At that point the soft-suspend behaviour described above applies and any excess resources are deactivated. We strongly recommend resolving card issues within this window to avoid disruption.

14 Security & Compliance

14.1 Data Isolation

Each company's data is fully isolated. Users of one company can never access another company's data. This isolation is enforced at the query level on every request.

14.2 Audit Log

All significant actions in the system (project creation, scan initiation, member invitations, password changes, etc.) are recorded in the audit log. Records are preserved even if the user is deleted. The audit log can never be deleted or modified. Access to the audit log is role-based — see Section 15 for the full breakdown of who can see what.

14.3 GDPR / KVKK Compliance

Audit logs are designed to minimise personal data. When a user is deleted, their email address is decoupled from log records, but the action history is preserved for historical accuracy. For Auditor role access, IP addresses and browser/device information are additionally hidden by the platform to comply with data minimisation principles — see Section 15.

14.4 Token Security

API tokens are stored only in a securely hashed form. The original token value is never stored or retrievable by the system. A lost token must be revoked and replaced with a new one.

14.5 Webhook Link Handling

The webhook links you add for Slack, Microsoft Teams, and Discord are treated as secrets. Each link is checked when you save it and again every time a notification is sent, so only secure, public, provider-specific addresses are accepted. Links are never shown again after you save them and never appear in notification logs — the log always hides them in place of the real link.

14.6 Log Retention

Notification log entries are kept for 7 years so they can be used as evidence during security and compliance audits. Retention is the same on every plan, and entries are read-only — they cannot be edited or deleted from the dashboard.

15 Audit Log

The Audit Log is an append-only, tamper-resistant record of security-relevant actions performed in your organization. It lets compliance teams answer the classic "who did what, when, from where" question during reviews and incidents — without relying on database access.

15.1 What Gets Recorded

Every entry captures:

• Timestamp — UTC time of the action
• Actor — Email of the user who performed the action (or System for automated jobs)
• Action — The type of action that was performed, with a clear description
• Resource — Type of resource affected (user, project, scan, report, token, notification, company, billing) and its identifier
• Description — Short human-readable summary
• IP address & Browser/device information — Origin of the request (may be hidden; see 15.3)
• Additional context — Extra details such as target role, resource name, and related flags

15.2 Recorded Actions

The following actions are recorded by the platform:

15.3 Role-Based Access

Audit Log visibility is scoped to the minimum that each role needs to do their job. Access is enforced by the platform — not just hidden in the interface — so direct API calls obey the same rules.

15.4 Security Analyst Scope

Security Analysts see only the actions directly relevant to their security-operations role:

• Sign in, Sign out, Password changed
• File uploaded, Scan started, Scan completed
• Report generated, Report downloaded
• API token created, API token revoked
• Notification channel created, Notification channel deleted

Actions outside this list (member management, project create/update/delete, billing, etc.) are hidden from Security Analysts even when filtered for explicitly.

15.5 Browsing & Filtering

The Audit Log page supports the following filters:

• Search — Free-text search across actor email, resource, and description
• Action — Filter by a specific action (the dropdown for Security Analysts only shows the actions they are allowed to see)
• Resource type — Filter by user, project, scan, report, token, notification, company, or billing
• Sort — Newest first (default), oldest first, action A–Z or Z–A

Results are paginated at 10 entries per page and all active filters are reflected in the page address so entries can be shared, bookmarked, and re-opened in the same state.

15.6 Programmatic Access

The same audit log data can also be accessed programmatically for integration with your security tooling and compliance workflows. Filtering by action, resource type, user, and free-text search is supported, with paginated results sorted by date. Role-based filtering and the hiding of sensitive fields for the Auditor role apply identically over programmatic access.

15.7 Immutability & Retention

Audit entries are append-only. They cannot be edited or deleted through the dashboard, the API, or a support ticket. When a member is removed from the organization, their past entries are preserved — only the link back to the user account is cleared.

Entries are retained for 7 years to support ISO 27001, SOC 2, and GDPR audit requirements. Retention is identical on all plans.