DepWarden vs Snyk

Snyk is an excellent commercial SCA platform. But if you want to scan a dependency tree right now without creating an account, connecting a repo, or sending your project to a vendor cloud, DepWarden is a free, anonymous alternative. Here's an honest comparison.

Where DepWarden wins

DepWarden needs no account and no source upload — you paste a manifest or scan a public repo, and it receives only the dependency manifest text. It's free, including the prioritisation that paid tools meter: exploitability ranking from KEV + EPSS + fix availability. Supply-chain coverage is built in by default — typosquatting and dependency-confusion detection, OpenSSF Scorecard health, deprecation and end-of-life — not an add-on. The CI gate runs with no token dance (npx depwarden scan ... --fail-on high or the GitHub Action), and there's a full compliance round-trip: ingest a CycloneDX/SPDX SBOM, then export an SBOM, an OpenVEX document and a NOTICE/license file.
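To make the prioritisation and CI-gate ideas above concrete, here is an added illustration in JavaScript (not DepWarden's own code): findings are ranked KEV first, then EPSS, then fix availability, and a `--fail-on`-style severity threshold decides whether the build should fail. The field names, weights and sample findings are constructed assumptions, not DepWarden's real scoring.

```javascript
// Added example, not DepWarden's implementation. Ranks SCA findings the way
// the page describes (KEV membership, then EPSS, then fix availability) and
// applies a --fail-on style gate. Field names and weights are assumptions.

const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Composite priority: a KEV-listed (known exploited) CVE dominates, EPSS
// probability breaks ties, and an available fix nudges the finding up
// because it is actionable right now.
function priorityScore(f) {
  const kev = f.inKev ? 100 : 0;
  const epss = Math.round((f.epss ?? 0) * 50); // 0..50
  const fix = f.fixedIn ? 10 : 0;
  return kev + epss + fix;
}

// Highest priority first; Array.prototype.sort is stable, so equal scores
// keep their input order.
function prioritise(findings) {
  return [...findings].sort((a, b) => priorityScore(b) - priorityScore(a));
}

// Mirrors a `--fail-on <severity>` gate: true when any finding meets or
// exceeds the threshold, so a CI job can exit non-zero.
function shouldFail(findings, threshold) {
  const bar = SEVERITY_RANK[threshold];
  if (bar === undefined) throw new Error(`unknown severity: ${threshold}`);
  return findings.some((f) => (SEVERITY_RANK[f.severity] ?? 0) >= bar);
}

// Constructed sample findings; package names and values are not real data.
const SAMPLE = [
  { pkg: 'left-pad-ish', severity: 'critical', inKev: false, epss: 0.02, fixedIn: null },
  { pkg: 'old-lib', severity: 'high', inKev: true, epss: 0.6, fixedIn: '4.17.21' },
  { pkg: 'minor-lib', severity: 'medium', inKev: false, epss: 0.9, fixedIn: '2.0.1' },
  { pkg: 'dev-only', severity: 'low', inKev: false, epss: 0.005, fixedIn: null },
];

// Note that the KEV-listed "high" outranks the unexploited "critical".
console.log(prioritise(SAMPLE).map((f) => `${priorityScore(f)} ${f.pkg} (${f.severity})`).join('\n'));
console.log('fail build at --fail-on high:', shouldFail(SAMPLE, 'high'));
```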

Where Snyk wins

To be fair: Snyk offers source-level reachability (is the vulnerable function actually called?) and automated fix pull requests via a GitHub app. Both require read/write access to your source. DepWarden deliberately doesn't do these — they're incompatible with the no-account, no-source-upload promise. If you need reachability or auto-fix PRs and are comfortable granting that access, a commercial tool is the right call.

Side by side

Try it

Paste a package-lock.json with an old lodash and a typo'd package name — you'll see prioritised fixes, the typosquat flag and a one-command remediation in seconds. More: software composition analysis, free vulnerability scanner, free SBOM scanner.