depsec

Supply Chain Security Scanner

Single binary. Zero config. Detects vulnerabilities, malicious code, hardcoded secrets, workflow misconfigurations, and unexpected network connections.

$ curl -fsSL https://depsec.dev/install | sh
55+ detection rules
317 tests
10.5k malware detected
14 dependencies

What it catches

PATTERNS 17 rules

Malicious Code Detection

AST-aware analysis via tree-sitter. Catches eval/exec injection, credential harvesting, encoded payloads, install hooks, and obfuscation — while ignoring safe regex.exec() calls.

tree-sitter AST · JS/TS/Python · Reachability
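The regex.exec() distinction above is the whole argument for AST-aware rules, so here is an added example of it (this is not depsec's code; it uses Python's stdlib ast module in place of tree-sitter, and the sample source is constructed). The naive text rule flags every "exec(" it sees; the AST rule only flags calls whose callee is the bare builtin name, and records whether the argument is a literal or something computed at runtime.

```python
# Added example, not depsec's code: why an AST rule beats a regex rule for
# "dangerous call" detection. Python's stdlib `ast` stands in for tree-sitter,
# and the sample source below is constructed for the demonstration.
import ast
import re

DANGEROUS_BUILTINS = {"eval", "exec"}

# Naive text rule: the words eval/exec followed by "(" anywhere in the line.
NAIVE_REGEX = re.compile(r"\b(eval|exec)\s*\(")


def regex_findings(source):
    """(line, name) for every regex hit; method calls like pattern.exec() included."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in NAIVE_REGEX.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


def ast_findings(source):
    """(line, name, kind) only for calls whose callee is the bare builtin name.

    A call through an attribute (regex.exec(...), obj.eval(...)) is a method on
    some object, not the interpreter's exec/eval, so it is skipped. `kind` records
    whether the argument is a string literal or something computed at runtime
    (decoded payload, variable, network response), which is the riskier shape.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = node.func
        if isinstance(callee, ast.Name) and callee.id in DANGEROUS_BUILTINS:
            arg = node.args[0] if node.args else None
            kind = "literal" if isinstance(arg, ast.Constant) else "dynamic"
            hits.append((node.lineno, callee.id, kind))
    return sorted(hits)


# Constructed sample: one method call that a regex mis-flags, one real exec on a
# decoded payload, one eval on a literal.
SAMPLE = '''\
import re, base64
pattern = re.compile("a+")
m = pattern.exec("aaa")               # method call, not the builtin
def helper(payload):
    exec(base64.b64decode(payload))   # builtin exec on a decoded blob
print(eval("1 + 1"))                  # builtin eval on a literal
'''

if __name__ == "__main__":
    print("regex:", regex_findings(SAMPLE))
    print("ast:  ", ast_findings(SAMPLE))
```

The "dynamic" kind is the one worth an ACTION REQUIRED line: exec of a decoded blob is the install-hook shape, while eval of a constant is usually noise.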
SECRETS 23 rules

Secret Detection

20 format-specific regex patterns plus 3 AST-based rules combining variable name analysis with Shannon entropy. Catches AWS keys, GitHub tokens, Stripe keys, PEM files, and more.

Regex + AST · Entropy · Pre-commit hook
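To show how the two rule families complement each other, here is an added example (not depsec's code) of a format-specific rule next to a "credential-looking name plus high-entropy literal" rule with Shannon entropy. The regexes, the 16-character minimum, the 3.5 bits/char threshold and the sample file are this example's own assumptions; the AWS value is Amazon's documented example key.

```python
# Added example, not depsec's code: two format-specific rules plus a generic
# "credential-looking name + high-entropy literal" rule. Regexes, thresholds and
# the sample file are this example's own assumptions.
import math
import re

FORMAT_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic rule: `NAME = "literal"` where NAME smells like a credential.
SECRET_NAME = re.compile(r"(?i)secret|token|passw(or)?d|api[_-]?key|private[_-]?key|access[_-]?key")
ASSIGNMENT = re.compile(
    r"""^\s*(?:(?:const|let|var|export)\s+)?([A-Za-z_][A-Za-z0-9_.]*)\s*[:=]\s*["']([^"']+)["']""")
MIN_LENGTH = 16          # assumed: shorter literals are rarely real credentials
ENTROPY_THRESHOLD = 3.5  # assumed: bits per character


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(lineno, line):
    findings = []
    for rule, pattern in FORMAT_RULES.items():
        for m in pattern.finditer(line):
            findings.append({"line": lineno, "rule": rule, "match": m.group(0)})
    if findings:
        return findings  # a format rule is more specific; skip the generic one
    m = ASSIGNMENT.match(line)
    if m:
        name, value = m.group(1), m.group(2)
        entropy = shannon_entropy(value)
        if SECRET_NAME.search(name) and len(value) >= MIN_LENGTH and entropy >= ENTROPY_THRESHOLD:
            findings.append({"line": lineno, "rule": "generic-high-entropy",
                             "match": value, "entropy": round(entropy, 2)})
    return findings


def scan(text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(lineno, line))
    return findings


# Constructed sample. The AWS value is Amazon's documented example key; the
# GitHub token is all zeros, so only the format rule can catch it; the
# password is long but low-entropy, so only the name heuristic fires and it is
# correctly ignored; the api_key line has 32 distinct characters (5 bits/char).
SAMPLE = "\n".join([
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'GITHUB_TOKEN = "ghp_' + "0" * 36 + '"',
    'db_password = "changeme-changeme-changeme"',
    'api_key = "zK8q2Lp9Xv3mTn5Rb7Wd1Yc4Fh6Jg0Sa"',
    'log_level = "debug"',
]) + "\n"

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

The all-zero GitHub token is the case that motivates keeping format rules at all: its entropy is near zero, so an entropy-only scanner misses it, while the prefix pattern is unambiguous.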
DEPS 8 ecosystems

Dependency Vulnerabilities

Queries the OSV API for all ecosystems in one pass. Parses Cargo.lock, package-lock.json, yarn.lock, pnpm-lock.yaml, Gemfile.lock, go.sum, poetry.lock, and requirements.txt.

OSV API · Batch queries · All ecosystems
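An added example (not depsec's code) of the "all ecosystems in one pass" idea: two of the listed lockfile formats parsed into (ecosystem, name, version) triples and folded into one OSV batch request, then the response paired back to the packages. The endpoint URL and the request/response shapes are OSV's public querybatch API; the batch cap of 1000, the lockfiles and the response are constructed for the example, and nothing is sent.

```python
# Added example, not depsec's code: parse two of the lockfile formats the page
# lists into (ecosystem, name, version) triples and build one OSV batch request
# for all of them. The endpoint URL and request/response shapes are OSV's public
# API; the lockfiles and the response below are constructed, nothing is sent.
import json
import re

OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"
BATCH_SIZE = 1000  # assumed per-request cap; check the OSV docs for the current limit


def parse_package_lock(text):
    """package-lock.json (lockfileVersion 2/3): one entry per installed path."""
    data = json.loads(text)
    found = []
    for path, meta in data.get("packages", {}).items():
        if path == "":              # the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # handles nested and scoped packages
        if "version" in meta:
            found.append(("npm", name, meta["version"]))
    return found


PINNED = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_requirements(text):
    """requirements.txt: only `name==version` lines resolve to a single version."""
    return [("PyPI", m.group(1), m.group(2))
            for m in (PINNED.match(line) for line in text.splitlines()) if m]


def querybatch_payloads(packages, batch_size=BATCH_SIZE):
    """Request bodies for POST OSV_QUERYBATCH_URL, chunked to the batch cap."""
    queries = [{"package": {"name": name, "ecosystem": eco}, "version": version}
               for eco, name, version in packages]
    return [{"queries": queries[i:i + batch_size]}
            for i in range(0, len(queries), batch_size)]


def vulnerable_packages(packages, response):
    """Pair a querybatch response (results in query order) back to the packages."""
    hits = []
    for pkg, result in zip(packages, response["results"]):
        ids = [v["id"] for v in result.get("vulns", [])]
        if ids:
            hits.append((*pkg, ids))
    return hits


# Constructed inputs.
PACKAGE_LOCK = json.dumps({
    "name": "my-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/@babel/core": {"version": "7.24.0", "dev": True},
        "node_modules/@babel/core/node_modules/semver": {"version": "6.3.0"},
    },
})
REQUIREMENTS = """\
requests==2.31.0
flask>=2.0          # range, not a pin: skipped
# pyyaml below carries an environment marker
pyyaml==6.0.1 ; python_version >= "3.8"
"""
# Constructed response in OSV's shape; the advisory id is a placeholder, not a real one.
FAKE_RESPONSE = {"results": [
    {"vulns": [{"id": "GHSA-xxxx-xxxx-xxxx", "modified": "2024-01-01T00:00:00Z"}]},
    {}, {}, {}, {},
]}

if __name__ == "__main__":
    packages = parse_package_lock(PACKAGE_LOCK) + parse_requirements(REQUIREMENTS)
    print(json.dumps(querybatch_payloads(packages)[0], indent=2))
    print(vulnerable_packages(packages, FAKE_RESPONSE))
```

Unpinned requirements (the `flask>=2.0` line) are skipped rather than guessed: OSV needs a concrete version, and reporting against a version the project may not actually install would be a false result either way.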
WORKFLOWS 5 rules

Workflow Security

Hardens GitHub Actions. Detects unpinned actions, expression injection via user-controlled inputs, pull_request_target attacks, and overly permissive workflow permissions.

Auto-fix · SHA pinning · Injection detection
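The four workflow problems named above, and the SHA-pinning rewrite, as an added example that is not depsec's code. It is deliberately line-based (a real scanner would parse the YAML), and the regexes, finding codes, the sample workflow and the tag-to-commit table are this example's own constructions; the commit hashes in it are placeholders, not real commits.

```python
# Added example, not depsec's code: line-based checks for the four GitHub Actions
# problems the page names, plus the SHA-pinning rewrite. A real implementation
# would parse the YAML; the regexes, finding codes, sample workflow and the
# tag-to-commit table below are this example's own constructions.
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s@#]+)@([^\s#]+)")
RUN = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$")
HEAD_CHECKOUT = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
# Event fields that an outside contributor controls; interpolating them into a
# shell step is the injection pattern. Passing them through `env:` is the fix.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(event\.(issue\.(title|body)|pull_request\.(title|body)|"
    r"comment\.body|review\.body|pull_request\.head\.ref)|head_ref)\s*\}\}")


def audit_workflow(text):
    """Return (line, code) findings: W001 unpinned action, W002 expression
    injection in a run step, W003 pull_request_target checking out the PR head,
    W004 permissions: write-all."""
    findings = []
    uses_pr_target = "pull_request_target" in text
    run_indent = None  # column of the `run` key while inside its block scalar
    for lineno, line in enumerate(text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None          # back at or above the run key: block ended
        m = RUN.match(line)
        if m:
            run_indent = len(m.group(1))
            body = m.group(2)          # same-line scalar, if any
        elif run_indent is not None:
            body = line                # continuation line of a block scalar
        else:
            body = None
        if body is not None and UNTRUSTED.search(body):
            findings.append((lineno, "W002"))
        m = USES.match(line)
        if m and not m.group(1).startswith("docker://") and not SHA40.match(m.group(2)):
            findings.append((lineno, "W001"))
        if uses_pr_target and HEAD_CHECKOUT.search(line):
            findings.append((lineno, "W003"))
        if WRITE_ALL.match(line):
            findings.append((lineno, "W004"))
    return findings


def pin_actions(text, resolved):
    """Rewrite `owner/repo@tag` to `owner/repo@<sha> # tag` using a tag-to-commit
    table the caller resolved beforehand (in practice, from the GitHub API)."""
    out = []
    for line in text.splitlines():
        m = USES.match(line)
        if m and not SHA40.match(m.group(2)):
            action, ref = m.group(1), m.group(2)
            sha = resolved.get(f"{action}@{ref}")
            if sha:
                line = line.replace(f"{action}@{ref}", f"{action}@{sha} # {ref}", 1)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed workflow exhibiting all four problems plus one safe run step.
WORKFLOW = """\
name: triage
on:
  pull_request_target:
    types: [opened]
permissions: write-all
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@1111111111111111111111111111111111111111
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
          npm ci
      - run: echo "Title: $TITLE"
        env:
          TITLE: ${{ github.event.pull_request.title }}
"""
# Constructed tag-to-commit table; this is not a real actions/checkout commit.
RESOLVED = {"actions/checkout@v4": "0123456789abcdef0123456789abcdef01234567"}

if __name__ == "__main__":
    print(audit_workflow(WORKFLOW))
    print(pin_actions(WORKFLOW, RESOLVED))
```

The last step in the sample is the safe shape for the same data: the title reaches the shell as an environment variable, so it is never re-parsed as script, and the checker leaves it alone.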
NETWORK Runtime

Network Monitor

Runtime surveillance catches attacks invisible to static analysis: IMDS credential theft, C2 check-ins, DNS exfiltration, reverse shells, and install-time phone-home behavior.

Baseline diff · Install guard · Shell hook
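What a baseline diff and an install guard verdict look like over connection events, as an added example that is not depsec's code. The event tuple format, the baseline, the install events and the classification rules (metadata-service address, a shell owning an outbound socket, a long hex DNS label) are all constructed for the example; addresses use documentation ranges and the reserved .test TLD.

```python
# Added example, not depsec's code: a baseline diff over connection events of the
# kind a runtime monitor records during a package install. The event format, the
# baseline and the install events are constructed; addresses use documentation
# ranges (203.0.113.0/24, the reserved .test TLD).
import ipaddress

IMDS_ADDRESSES = {"169.254.169.254", "fd00:ec2::254"}   # cloud instance metadata
SHELLS = {"sh", "bash", "dash", "zsh"}
MAX_LABEL = 16  # assumed: a DNS label this long and all-hex suggests encoded data

# Event: (process, kind, destination, port); port is None for DNS lookups.
BASELINE = {("dns", "registry.npmjs.org", None), ("tcp", "registry.npmjs.org", 443)}
INSTALL_EVENTS = [
    ("node", "dns", "registry.npmjs.org", None),
    ("node", "tcp", "registry.npmjs.org", 443),
    ("node", "tcp", "169.254.169.254", 80),
    ("node", "dns", "a3f9c2e1b7d4e6f8a1b2.c0ffee.exfil-example.test", None),
    ("sh", "tcp", "203.0.113.10", 4444),
    ("node", "tcp", "telemetry.example.com", 443),
]


def is_ip(dst):
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def looks_encoded(qname):
    """True if some DNS label is long and made only of hex digits."""
    return any(len(label) >= MAX_LABEL and all(c in "0123456789abcdef" for c in label)
               for label in qname.lower().split("."))


def classify(event):
    """Map one off-baseline event to a finding code."""
    proc, kind, dst, port = event
    if dst in IMDS_ADDRESSES:
        return "imds-access"
    if kind == "dns" and looks_encoded(dst):
        return "dns-encoded-query"
    if kind == "tcp" and proc in SHELLS:
        return "shell-outbound"
    if kind == "tcp" and is_ip(dst):
        return "direct-ip-connection"
    return "new-destination"


def diff_against_baseline(events, baseline):
    """Findings for every event whose (kind, dst, port) is not in the baseline."""
    findings = []
    for event in events:
        proc, kind, dst, port = event
        if (kind, dst, port) in baseline:
            continue
        findings.append((classify(event), f"{proc} -> {dst}" + (f":{port}" if port else "")))
    return findings


BLOCKING = {"imds-access", "dns-encoded-query", "shell-outbound", "direct-ip-connection"}


def install_guard_verdict(findings):
    """allow: nothing new; block: a high-severity code; review: only new hosts."""
    if not findings:
        return "allow"
    if any(code in BLOCKING for code, _ in findings):
        return "block"
    return "review"


if __name__ == "__main__":
    found = diff_against_baseline(INSTALL_EVENTS, BASELINE)
    for finding in found:
        print(finding)
    print("verdict:", install_guard_verdict(found))
```

The "new-destination" code is kept separate from the blocking ones on purpose: a previously unseen HTTPS host is a question for a human (legitimate telemetry or phone-home?), whereas a metadata-service hit or a shell opening a socket during `npm install` has no benign reading for an ordinary package.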
HYGIENE 4 rules

Repository Hygiene

Checks that SECURITY.md exists, .gitignore covers sensitive patterns (.env, *.pem, *.key), lockfiles are committed, and branch protection is enabled on main.

SECURITY.md · .gitignore · Branch protection

Measured, not marketed

100% detection rate against 10,582 real malware packages from the Datadog malicious-software-packages-dataset.

Not a synthetic benchmark. Real supply chain attacks extracted from npm and PyPI registries.

npm malware 8,806 / 8,806
PyPI malware 1,776 / 1,776
Design Principles
Own the parsers
AST over regex
No plugins
No secrets required
14 dependencies
Query OSV directly

All-in-one, not one-of-many

Other tools specialize. depsec covers the full surface — dependencies, code patterns, secrets, workflows, and network — in a single binary.

Feature                  depsec        gitleaks    trufflehog   guarddog    zizmor      snyk
Language                 Rust          Go          Go           Python      Rust        SaaS
Single binary            yes
Secrets (regex)          20            800+        800+
Secrets (AST + entropy)  yes
Malware detection        17 rules
AST-aware analysis       tree-sitter                            semgrep
Vulnerability scan       OSV (all)
Workflow security        5 rules                                            34 rules
Network monitoring       yes
LLM triage
Reachability             yes
Auto-fix                 yes
Zero config              yes

Scan, score, ship

One command gives you a security grade with actionable findings. Build-only tools are separated from runtime threats.

Scan Output
$ depsec scan .
depsec v0.9.0 — Supply Chain Security Scanner
Project: my-app
[Patterns]
── ACTION REQUIRED (2 runtime packages) ──
evil-pkg (2 findings)
✗ P001: Shell Execution
node_modules/evil-pkg/index.js:42
✗ P004: Credential Harvesting
node_modules/evil-pkg/lib/steal.js:8
── BUILD TOOLS (safe, 12 findings collapsed) ──
[Dependencies] 0 vulnerabilities (142 checked)
[Secrets] No hardcoded secrets (234 files)
[Workflows] Actions pinned, permissions minimal
[Hygiene] SECURITY.md, .gitignore, lockfile
Scorecard
┌────────────────────────────────────────────┐
DEPSEC SCORECARD 7.8/10 B
├────────────────────────────────────────────┤
Patterns ████████████████░░░░ 80% 2
Deps ████████████████████ 100%
Secrets ████████████████████ 100%
Workflows ████████████████████ 100%
Hygiene ████████████████████ 100%
└────────────────────────────────────────────┘
Grading scale:
A 90-100 B 75-89 C 60-74 D 40-59 F 0-39
Output formats: human-readable · JSON (--json) · SARIF (--format sarif) · SVG scorecard

Get started in seconds

Shell Script (recommended)
$ curl -fsSL \
  https://depsec.dev/install | sh

Auto-detects OS & arch. Verifies SHA-256 checksum. Installs to ~/.local/bin.

Cargo (build from source)
$ cargo install depsec

Requires Rust toolchain. Builds with LTO and strip for minimal binary size.

GitHub Action (CI/CD integration)
- uses: chocksy/depsec@v1

SARIF output integrates with GitHub Code Scanning. Exit code 1 on findings.

Targets: x86_64-linux-musl, aarch64-linux-musl, x86_64-apple-darwin, aarch64-apple-darwin
Quick Start
# Scan current project
$ depsec scan .
# Auto-fix GitHub Actions pinning
$ depsec fix .
# Protected package install
$ depsec install-guard npm install sketchy-pkg
# Install pre-commit secret detection
$ depsec hook install
# Deep audit a specific package
$ depsec audit suspicious-package