Software Composition Analysis (SCA) is the practice of inventorying the open-source dependencies in your project, direct and transitive, and checking each one for known vulnerabilities, license obligations and supply-chain risk. Most of the code in a typical modern application is third-party, so the question is not whether you ship other people's bugs but whether you can see them. DepWarden is a free SCA tool that answers that question in seconds, with no account and without uploading your source.
A real SCA tool builds a dependency inventory from your manifest, lockfile or SBOM, covering direct and transitive packages. It matches every component against a vulnerability database (DepWarden uses the full OSV mirror) and enriches each match with CISA KEV (the catalogue of vulnerabilities known to be exploited in the wild) and FIRST EPSS (the estimated probability that a vulnerability will be exploited in the next 30 days). It flags license risk, classifying each package's SPDX license identifier as copyleft, unknown or commercially incompatible. It catches supply-chain attacks that have no CVE at all: typosquats and dependency confusion. And it surfaces unmaintained code: OpenSSF Scorecard health, deprecated packages and end-of-life release lines.
Commercial SCA platforms (Snyk, Black Duck, Mend, JFrog Xray) are powerful but require an account, push your project to their cloud, and gate prioritisation behind a paywall. DepWarden runs in a private, session-isolated workspace, takes only the dependency manifest text, and is free. The trade-off is deliberate: no source-level reachability and no auto-fix PRs (both need access to your code), in exchange for true anonymity.
The hard part of SCA is not finding issues; it is knowing which five of 300 matter. DepWarden ranks findings by real-world exploitability (KEV listing, EPSS score, fix availability and dependency depth) into a "Fix these first" list, then gives you a one-command upgrade that pins only versions that exist in the registry and clear the matched advisories.
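The pipeline the two descriptions above outline, lockfile to inventory to advisory matching to KEV/EPSS enrichment to ranking, as an added worked example. This is illustrative Python written for this page, not DepWarden's code: the lockfile, the package names, the advisories (which only borrow the OSV schema's field names and semantics), the placeholder CVE-style aliases, the KEV set, the EPSS scores and the ranking weights are all constructed, and the resolver assumes npm's lockfileVersion 3 layout.

```python
"""Toy SCA pipeline: lockfile -> inventory -> advisory match -> KEV/EPSS -> ranking.
Added illustration for this page, not DepWarden's code. All data below is constructed."""
from collections import deque

# Constructed npm package-lock.json (lockfileVersion 3 layout) for a fictitious app.
LOCKFILE = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"acme-web": "^4.17.1", "acme-utils": "^4.17.20"}},
        "node_modules/acme-web": {"version": "4.17.1", "dependencies": {"acme-qs": "6.7.0"}},
        "node_modules/acme-utils": {"version": "4.17.20"},
        "node_modules/acme-qs": {"version": "6.7.0"},
    },
}

# Constructed advisories shaped like OSV records (package + SEMVER ranges + aliases).
# Package names, ids and the CVE-style aliases are placeholders, not real vulnerabilities.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "aliases": ["CVE-0000-0001"],
     "affected": [{"package": {"ecosystem": "npm", "name": "acme-utils"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
    {"id": "EXAMPLE-0002", "aliases": ["CVE-0000-0002"],
     "affected": [{"package": {"ecosystem": "npm", "name": "acme-qs"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "6.5.0"}, {"fixed": "6.7.3"}]}]}]},
    {"id": "EXAMPLE-0003", "aliases": [],  # no "fixed" event: everything from 4.0.0 on is affected
     "affected": [{"package": {"ecosystem": "npm", "name": "acme-web"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "4.0.0"}]}]}]},
]
KEV = {"CVE-0000-0002"}                                # constructed "known exploited" set
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.91}  # constructed 30-day exploit probabilities


def parse_ver(v):
    """'4.17' -> (4, 17, 0). Pre-release and build metadata are dropped (simplification)."""
    parts = [int(x) for x in v.split("-")[0].split("+")[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version, osv_range):
    """OSV SEMVER semantics: affected if introduced <= v < fixed for some introduced/fixed
    pair, or v >= introduced with no later fixed event. ('last_affected' is not handled.)"""
    v, intro = parse_ver(version), None
    for ev in osv_range["events"]:
        if "introduced" in ev:
            intro = parse_ver(ev["introduced"])
        elif "fixed" in ev:
            if intro is not None and intro <= v < parse_ver(ev["fixed"]):
                return True
            intro = None
    return intro is not None and v >= intro


def build_inventory(lock):
    """BFS over each entry's 'dependencies' map; depth 1 = direct dependency."""
    pkgs = lock["packages"]

    def resolve(parent, name):  # npm nests a copy under the parent on conflict, else hoists it
        nested = f"{parent}/node_modules/{name}" if parent else f"node_modules/{name}"
        return nested if nested in pkgs else f"node_modules/{name}"

    inventory, queue = {}, deque([("", 0)])
    while queue:
        path, depth = queue.popleft()
        for dep in pkgs.get(path, {}).get("dependencies", {}):
            dep_path = resolve(path, dep)
            if dep_path in inventory or dep_path not in pkgs:
                continue
            inventory[dep_path] = (dep, pkgs[dep_path]["version"], depth + 1)
            queue.append((dep_path, depth + 1))
    return inventory


def priority(f):
    """Illustrative weighting only; DepWarden's real formula is not published on the page."""
    score = 100.0 if f["kev"] else 0.0   # actively exploited beats everything else
    score += 50.0 * f["epss"]            # exploit probability
    score += 10.0 if f["fix"] else 0.0   # an upgrade you can actually install
    score += 5.0 / f["depth"]            # direct deps are cheaper to fix
    return score


def scan(lock, advisories, kev, epss):
    """Findings enriched with KEV/EPSS, sorted into a 'fix these first' order."""
    findings = []
    for name, version, depth in build_inventory(lock).values():
        for adv in advisories:
            for aff in adv["affected"]:
                if aff["package"].get("ecosystem") != "npm" or aff["package"].get("name") != name:
                    continue
                for rng in aff["ranges"]:
                    if rng["type"] != "SEMVER" or not is_affected(version, rng):
                        continue
                    # Smallest fixed version above the installed one, if the advisory has any.
                    fixes = [e["fixed"] for e in rng["events"] if "fixed" in e]
                    fix = min((x for x in fixes if parse_ver(x) > parse_ver(version)),
                              key=parse_ver, default=None)
                    cve = next((a for a in adv["aliases"] if a.startswith("CVE-")), None)
                    findings.append({"id": adv["id"], "package": name, "version": version,
                                     "depth": depth, "fix": fix, "cve": cve,
                                     "kev": cve in kev, "epss": epss.get(cve, 0.0)})
    return sorted(findings, key=priority, reverse=True)


def upgrade_targets(findings):
    """Package -> highest fixed version needed across its findings. Transitive packages need
    a parent upgrade or an `overrides` entry; `npm install pkg@ver` would make them direct."""
    targets = {}
    for f in findings:
        if f["fix"] and parse_ver(f["fix"]) > parse_ver(targets.get(f["package"], "0")):
            targets[f["package"]] = f["fix"]
    return targets


if __name__ == "__main__":
    ranked = scan(LOCKFILE, ADVISORIES, KEV, EPSS)
    for f in ranked:
        print(f"{priority(f):6.1f} {f['id']} {f['package']}@{f['version']} depth={f['depth']} "
              f"kev={f['kev']} epss={f['epss']:.2f} fix={f['fix']}")
    print("upgrade targets:", upgrade_targets(ranked))
```

Running it prints the three findings in priority order: the transitive, KEV-listed one first even though it sits one level deeper, then the direct dependency with a fix, and last the package whose advisory has no fixed release, which no upgrade command can clear. Note what never enters the ranking: a CVSS severity. Exploitation evidence, fixability and how close the package is to your own code do the work instead.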
DepWarden reads npm, PyPI, Maven, Gradle, Go, Cargo, RubyGems, NuGet, Composer, Dart (Pub) and Swift projects, whether you give it a manifest, a lockfile or a CycloneDX/SPDX SBOM. Run it in the browser, with the free CLI, or as a GitHub Action in CI. See also the free online vulnerability scanner, the free SBOM scanner, and DepWarden vs Snyk.