Free dependency & supply-chain scanner

DepWarden is a free, anonymous software composition analysis (SCA) tool. Paste a manifest or drop a lockfile and it scans every dependency against live OSV, CISA KEV and FIRST EPSS data, catches typosquats and dependency-confusion attacks, flags risky licenses, deprecated and end-of-life packages, then ranks everything by real-world exploitability and hands you a one-command fix. No account, and we never receive your source code or binaries — only the dependency manifest text you paste.

What DepWarden checks

Why exploitability-first matters

A typical project has hundreds of advisories but only a handful that attackers can actually reach. DepWarden combines CISA KEV, FIRST EPSS, fix availability and dependency depth into a "Fix these first" list, so you spend your time on the issues that matter instead of triaging a wall of CVSS scores.

Private by design

Every scan runs in its own session-isolated workspace. There's no account, no email, and no source upload — DepWarden processes only the manifest text. Sessions expire automatically and you can clear your data at any time, which makes it safe to check a dependency tree you'd never paste into a vendor cloud.

Built for compliance and repeat scanning

Connect a GitHub or Azure DevOps repo branch directly and schedule recurring scans with email reports — no account, no token retained beyond the scan. Ingest a CycloneDX or SPDX SBOM, and export an SBOM, an OpenVEX document and a NOTICE license file.

Every major ecosystem

Works across npm, PyPI, Maven, Gradle, Go, RubyGems, Cargo, NuGet, Composer, Dart (Pub) and Swift — as manifests, lockfiles and SBOMs. Learn more about software composition analysis, the free vulnerability scanner, the free SBOM scanner, or read the blog: a free Snyk alternative and how to detect typosquats in CI.