Have an SBOM (Software Bill of Materials) and need to know what's wrong with it? DepWarden is a free SBOM scanner: upload a CycloneDX or SPDX document and it inventories every component, matches each against the OSV vulnerability mirror, flags supply-chain and license risk, and ranks findings by exploitability. No account is required, and nothing but the SBOM itself is uploaded.
Generated an SBOM with Syft, cdxgen, the CycloneDX plugins or your build pipeline? Drop the JSON in. DepWarden parses CycloneDX and SPDX, resolves each package URL (purl) to its ecosystem, and scans it exactly like a live manifest — npm, PyPI, Maven, Go, Cargo, RubyGems, NuGet, Composer, Dart and Swift.
It matches each component against OSV across all ecosystems, enriched with CISA KEV and FIRST EPSS so actively-exploited issues rise to the top. It flags supply-chain risk — typosquats, dependency confusion and OpenSSF Scorecard health — surfaces license obligations via SPDX categorisation with a generated NOTICE/attribution file, and detects end-of-life release lines that no longer receive security fixes.
DepWarden isn't just SBOM-in. It's SBOM-out too: export a fresh CycloneDX SBOM, an OpenVEX document (so downstream consumers know which CVEs actually affect you), and a NOTICE license file — the artefacts auditors and customers ask for.
An SBOM is a snapshot of what your software contains, but it is not a security assessment on its own. New vulnerabilities are disclosed against existing package versions every day, so a component that was clean when the SBOM was generated can have a published advisory a week later. Scanning the SBOM re-checks every component against current advisory data and tells you what changed, which is exactly what the US Executive Order on cybersecurity (EO 14028), the EU Cyber Resilience Act and customer security questionnaires increasingly expect you to be able to show. Because DepWarden re-scans on demand, you can re-run an old SBOM and immediately see newly-disclosed issues without rebuilding anything.
DepWarden understands both CycloneDX (JSON) and SPDX, including nested component trees and package URLs (purls) across all supported ecosystems. It reads versions, licenses and supplier metadata where present, and falls back to resolving licenses from deps.dev when the SBOM omits them — so even a sparse SBOM produces a complete license and vulnerability picture.
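The pipeline the last few paragraphs describe (walk a CycloneDX or SPDX document including nested component trees, pull out each purl, decide which OSV ecosystem it belongs to, build the OSV batch query, then push KEV-listed and high-EPSS findings to the top) fits in a short script. The following is an added example written for this page, not DepWarden's code: the SBOM, the stand-in OSV response, the KEV set and the EPSS numbers are all constructed sample data (the CVE and GHSA identifiers are real advisories for the versions shown, but the EPSS values are placeholders, not current feed data), and the purl-to-ecosystem table covers only the ecosystems the page lists.

```python
"""Miniature SBOM scan: CycloneDX/SPDX -> purls -> OSV querybatch -> KEV/EPSS ranking.
Added example for this page, not DepWarden's code. All sample data is constructed."""
import json
from urllib.parse import unquote

# purl type -> OSV ecosystem name (OSV schema identifiers) for the ecosystems the page lists.
PURL_TYPE_TO_OSV = {
    "npm": "npm", "pypi": "PyPI", "maven": "Maven", "golang": "Go",
    "cargo": "crates.io", "gem": "RubyGems", "nuget": "NuGet",
    "composer": "Packagist", "pub": "Pub", "swift": "SwiftURL",
}


def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    ptype, _, remainder = body.partition("/")
    # rpartition: the version follows the LAST '@', so an unencoded npm scope survives.
    path, _, version = remainder.rpartition("@") if "@" in remainder else (remainder, "", "")
    segments = [unquote(s) for s in path.split("/")]
    return {"type": ptype.lower(), "namespace": "/".join(segments[:-1]) or None,
            "name": segments[-1], "version": unquote(version) or None}


def iter_cyclonedx_components(components):
    """Yield every component depth-first, descending into nested component trees."""
    for comp in components:
        yield comp
        yield from iter_cyclonedx_components(comp.get("components", []))


def extract_purls(doc):
    """Return the purls of a CycloneDX or SPDX JSON document, duplicates removed."""
    purls = []
    if doc.get("bomFormat") == "CycloneDX":
        purls = [c["purl"] for c in iter_cyclonedx_components(doc.get("components", [])) if c.get("purl")]
    elif "spdxVersion" in doc:  # SPDX carries purls as package external references
        for pkg in doc.get("packages", []):
            for ref in pkg.get("externalRefs", []):
                if ref.get("referenceType") == "purl":
                    purls.append(ref["referenceLocator"])
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    return list(dict.fromkeys(purls))


def osv_querybatch_payload(purls):
    """Build the request body for POST https://api.osv.dev/v1/querybatch.
    OSV accepts a versioned purl in package.purl, so no per-ecosystem name rewriting
    is needed. Unsupported purl types and unversioned components are returned as
    'skipped' rather than silently dropped, so the report can say they were not checked."""
    queries, skipped = [], []
    for purl in purls:
        p = parse_purl(purl)
        if p["type"] not in PURL_TYPE_TO_OSV or not p["version"]:
            skipped.append(purl)
            continue
        queries.append({"package": {"purl": purl}})
    return {"queries": queries}, skipped


def rank_findings(findings, kev_ids, epss_scores):
    """KEV entries first, then descending EPSS, then id for a stable order.
    A finding is matched against KEV/EPSS by its OSV id and every alias (the CVE)."""
    def key(f):
        ids = [f["id"], *f.get("aliases", [])]
        in_kev = any(i in kev_ids for i in ids)
        epss = max((epss_scores.get(i, 0.0) for i in ids), default=0.0)
        return (not in_kev, -epss, f["id"])
    return sorted(findings, key=key)


# Constructed CycloneDX SBOM: one nested component, one unversioned generic component.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "app-core", "version": "1.0.0", "purl": "pkg:maven/com.example/app-core@1.0.0",
     "components": [{"type": "library", "name": "log4j-core", "version": "2.14.1",
                     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]},
    {"type": "library", "name": "openssl", "purl": "pkg:generic/openssl"}
  ]}""")

# Constructed stand-in for the OSV response. EPSS values are illustrative placeholders.
SAMPLE_FINDINGS = [
    {"id": "CVE-2020-28500", "purl": "pkg:npm/lodash@4.17.20"},
    {"id": "CVE-2021-23337", "purl": "pkg:npm/lodash@4.17.20"},
    {"id": "GHSA-jfh8-c2jp-5v3q", "aliases": ["CVE-2021-44228"],
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
]
KEV_IDS = {"CVE-2021-44228"}
EPSS_SCORES = {"CVE-2021-23337": 0.30, "CVE-2020-28500": 0.05}


def scan(bom):
    """Run the offline pipeline; a real scanner would POST the payload to OSV here."""
    purls = extract_purls(bom)
    payload, skipped = osv_querybatch_payload(purls)
    ranked = rank_findings(SAMPLE_FINDINGS, KEV_IDS, EPSS_SCORES)
    return {"purls": purls, "payload": payload, "skipped": skipped,
            "ranked": [f["id"] for f in ranked]}


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_BOM), indent=2))
```

Two details matter in practice. First, return the skipped components instead of dropping them: a purl type OSV does not index, or a component with no version, cannot be matched, and an SBOM report that omits them silently looks cleaner than it is. Second, match KEV and EPSS against every alias of a finding, because OSV returns a GHSA id for most ecosystems while both feeds are keyed by CVE.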
No account, no vendor cloud. The SBOM is processed in a session-isolated workspace and you can clear it at any time.