Skip to main content

Overview

Use Packages to review dependency packages discovered from manifests across repositories. Package views help you answer where a dependency is used, which versions are present, which repositories contain it, and whether it has linked vulnerabilities or policy issues. Package versions are shown inside package details.

When to use packages

  • Find every repository or manifest using a package
  • Compare direct and transitive usage
  • Review package versions in use
  • Check package and version licenses
  • Review OpenSSF scorecard data when available
  • Drill into active dependency vulnerabilities
  • Manage package policy decisions or rules when policies are enabled

Package list

The Packages list shows package name, type, licenses, version count, OpenSSF score, active vulnerabilities, recent advisories, usage, repositories, first seen date, last updated date, policy status when policies are enabled, and row actions. Use the list to filter by:
  • Package type
  • Package name
  • Namespace
  • Package URL
  • Direct, transitive, or combined usage
  • Whether vulnerabilities are present
  • OpenSSF score
  • Recent advisories
  • License
  • License status
Select one or more rows to export package data.

Package detail view

Open a package to review:
SectionWhat it shows
DetailsPackage URL, type, namespace when available, name, first seen date, and package data sync time when available.
LicensingLicense names, license IDs, OSI approval status, deprecated status, and links to license references when available.
OpenSSF ScorecardOverall score and individual scorecard checks when scorecard data is available.
Package VersionsVersions observed in manifests, version licenses, package URLs, direct usage, transitive usage, total manifests, repositories, linked vulnerabilities, and first seen date.
SummaryTotal versions, direct usage, transitive usage, total manifests, repositories, vulnerabilities, license count, OpenSSF score, and policy state when available.

Usage drilldowns

Usage counts on package and package version details link to filtered views:
CountOpens
Direct UsageManifests where the package or version appears as a direct dependency.
Transitive UsageManifests where the package or version appears as a transitive dependency.
Total ManifestsManifests that reference the package or version.
RepositoriesRepositories that contain manifests referencing the package or version.
VulnerabilitiesActive dependency vulnerabilities linked to the package or version.
Use these links when you need to move from package-level risk into the exact repositories and manifests that use the dependency.

Package versions

Package versions show version-specific usage and vulnerability data. Use package versions to decide whether risk is tied to every use of a package or to specific versions. A package version can show a different license set from the package summary when Cysmiq has version-specific license data.

Policy status

When package policies are enabled, the package detail page can show policy state in the summary and package version rows. Public status labels include:
  • Compliant
  • Violation
  • Needs review
  • Exception
Policy actions can include package review decisions and scoped allow or deny rules, depending on policy configuration and your role.