owasp-dep-scan / dep-scan

OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.
https://owasp.org/www-project-dep-scan/
MIT License

Feature/default risk audit #311

Closed prabhu closed 3 months ago

prabhu commented 3 months ago

Risk audit is automatically performed for purl based searches.

Support for malicious packages


Donation panel is now prominently shown in CI (example below). To remove the banner, make a donation to OWASP (or at least tweet about dep-scan) and invoke the CLI with the argument --no-banner.

CI=true python depscan/cli.py --purl "pkg:pypi/requests@2.32.1"
╭─────────────────────────────── Donate to the OWASP Foundation ────────────────────────────────╮
│ OWASP foundation relies on donations to fund our projects.                                    │
│ Please donate at: https://owasp.org/donate/?reponame=www-project-dep-scan&title=OWASP+depscan │
╰───────────────────────────────────────────────────────────────────────────────────────────────╯

██████╗ ███████╗██████╗ ███████╗ ██████╗ █████╗ ███╗   ██╗
██╔══██╗██╔════╝██╔══██╗██╔════╝██╔════╝██╔══██╗████╗  ██║
██║  ██║█████╗  ██████╔╝███████╗██║     ███████║██╔██╗ ██║
██║  ██║██╔══╝  ██╔═══╝ ╚════██║██║     ██╔══██║██║╚██╗██║
██████╔╝███████╗██║     ███████║╚██████╗██║  ██║██║ ╚████║
╚═════╝ ╚══════╝╚═╝     ╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝