
Dependency Scanning

Automatically detect vulnerabilities in your project dependencies across all major package ecosystems.

Overview

QODRYX dependency scanning parses your project's package manifests and lock files, resolves the full dependency tree (direct and transitive), and reports:

  • Known Vulnerabilities (CVEs): security flaws in your dependencies, with severity ratings, affected version ranges, and the first fixed version
  • Outdated Packages: dependencies with newer releases available, including those that carry security patches
  • License Compliance: copyleft or otherwise disallowed licenses anywhere in your supply chain, matched against your denylist

Supported Package Ecosystems

  • npm / yarn / pnpm: package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
  • Python (pip): requirements.txt, Pipfile, Pipfile.lock, pyproject.toml
  • Go: go.mod, go.sum
  • Ruby: Gemfile, Gemfile.lock
  • PHP (Composer): composer.json, composer.lock
  • Rust (Cargo): Cargo.toml, Cargo.lock
  • .NET (NuGet): *.csproj, packages.config
  • Java (Maven/Gradle): pom.xml, build.gradle

How It Works

1. Parse Dependencies: QODRYX reads your manifest and lock files to build a complete dependency tree, including transitive dependencies. When a lock file is present, the pinned versions in it are what gets scanned, so results match what is actually installed.

2. Query Vulnerability Databases: each resolved package and version is checked against NVD, the GitHub Advisory Database, OSV, and ecosystem-specific databases.

3. Generate Report: results are presented with severity ratings, CVE details, affected versions, and upgrade recommendations (the lowest version that contains the fix).

Configuration

Configure dependency scanning in your qodryx.config.json. failOnSeverity is the lowest severity that makes the scan fail (findings at that level or above); ignoredCVEs suppresses the listed identifiers, so keep each entry justified and short-lived; licenseDenylist uses SPDX identifiers; scanDevDependencies controls whether devDependencies are included in the scan.

{
  "security": {
    "dependencies": {
      "enabled": true,
      "failOnSeverity": "high",
      "ignoredCVEs": [
        "CVE-2021-12345"
      ],
      "licenseDenylist": [
        "GPL-3.0",
        "AGPL-3.0"
      ],
      "scanDevDependencies": false
    }
  }
}

CLI Usage

# Run dependency scan
qodryx scan --dependencies

# Scan with specific severity threshold
qodryx scan --dependencies --fail-on high

# Generate SBOM (Software Bill of Materials)
qodryx sbom --format spdx

# Check for updates
qodryx deps --outdated

Example Scan Results

Vulnerability Found: CRITICAL

  Package:     lodash@4.17.15
  CVE:         CVE-2021-23337
  Fixed in:    4.17.21
  Description: Command injection via the template function in lodash before 4.17.21.

Best Practices

  • Always commit lock files: they make builds reproducible and let the scanner check the exact versions you install rather than the ranges in your manifest
  • Enable automated PR comments so vulnerable dependencies are flagged before merge
  • Set up scheduled scans: newly disclosed CVEs affect code that has not changed, so scanning only on push misses them
  • Use the SBOM export for compliance and supply chain transparency
  • Configure severity thresholds to match your security policy, and keep every ignoredCVEs entry justified and reviewed so suppressions do not accumulate
  • Treat scanDevDependencies deliberately: excluding devDependencies reduces noise, but build and test tooling still runs in CI with access to your source and secrets