AppThreat dep-scan is now OWASP dep-scan


Prabhu Subramanian

Thursday, October 5, 2023

We are super excited to announce a free open-source dependency audit tool, OWASP dep-scan. The project enables auditing the software supply-chain dependencies, container images, and operating system for known vulnerabilities, and advisories. Special thanks to AppThreat for donating the project.

Tuned and Ready to use

OWASP flagship projects such as Dependency-Track, Dependency Check are used by organizations worldwide to secure the software supply-chain. dep-scan adds to the arsenal of tools by:

  • integrating with OWASP CycloneDX Generator (cdxgen) for effortless scanning of polyglot and mono-repo applications and services
  • including prioritization logic to make the results actionable for developers and AppSec
  • generating results in OWASP CycloneDX VDR/VEX format for easy third-party integration

A single command invocation is often enough to integrate and get the exact results in the CI/CD workflow.

Licensed to thrill

dep-scan and the vulnerability database is licensed under the OSI-approved MIT license to encourage enterprise adoption and bundling.

Future Releases

The project team led by Prabhu Subramanian and Caroline Russell has plans to add the following features over the coming releases.

  • Reachability and Exploitability Analysis to automate VEX generation
  • OASIS CSAF VEX Support
  • Many more

Go ahead, and give this project a scan!