
Overview

Cysmiq scans dependency manifests and lock files to identify vulnerable packages across your repositories. Each resolved package version is matched against advisory databases, including the CVE list and GitHub Security Advisories (GHSA).

How it works

Dependency scanning parses manifests and lock files to build a complete picture of your dependencies:
  • Direct dependencies: Packages explicitly declared in your manifests
  • Transitive dependencies: Packages pulled in by your direct dependencies. These are only resolved when a lock file is present, because a manifest alone records declared version ranges, not the exact versions that were installed.
  • Vulnerability matching: The resolved version of each package is checked against the affected version ranges in known advisories

Enrichment

Dependency vulnerabilities include additional context to help prioritize remediation:
  • CVE/GHSA identifiers and descriptions
  • Severity scores (CVSS where available)
  • EPSS scores when available
  • Affected version ranges
  • Fixed versions when known
  • Links to advisories and remediation guidance
Package pages also show supply-chain context such as licensing and OpenSSF Scorecard data when available.
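The steps above (direct vs. transitive classification from a lock file, version-range matching, and ranking the results by the enrichment fields) are illustrated by the following added example. It is not Cysmiq's code: the lock file is a constructed npm package-lock.json (lockfileVersion 3), the advisories use placeholder EXAMPLE-ADV identifiers rather than real CVE/GHSA IDs, and the CVSS and EPSS values are made up. It also records which direct dependency pulls in each transitive finding, which is what you need to know when the fix requires bumping a parent package.

```python
"""Toy dependency scan: parse an npm lockfile, classify direct vs transitive
packages, match versions against advisories, rank findings by EPSS then CVSS.
Added illustration, not Cysmiq's implementation. All data is constructed."""
import json
from collections import deque

# Constructed package-lock.json (lockfileVersion 3). The "" entry is the root project.
LOCKFILE = json.loads("""
{"name": "example-app", "lockfileVersion": 3, "packages": {
  "": {"dependencies": {"web-framework": "^2.0.0", "log-util": "^1.4.0"}},
  "node_modules/web-framework": {"version": "2.3.1",
                                 "dependencies": {"tiny-parser": "^0.9.0"}},
  "node_modules/tiny-parser": {"version": "0.9.4"},
  "node_modules/log-util": {"version": "1.4.2"}
}}
""")

# Constructed advisories with placeholder identifiers (not real CVE/GHSA IDs).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "tiny-parser",
     "affected": "<0.9.6", "fixed": "0.9.6", "cvss": 9.8, "epss": 0.42},
    {"id": "EXAMPLE-ADV-0002", "package": "log-util",
     "affected": ">=1.4.0 <1.5.0", "fixed": "1.5.0", "cvss": 5.3, "epss": 0.01},
    {"id": "EXAMPLE-ADV-0003", "package": "web-framework",
     "affected": "<2.0.0", "fixed": "2.0.0", "cvss": 7.5, "epss": 0.10},
]

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def parse_version(v):
    """'1.4.2' -> (1, 4, 2). Pre-release suffixes are ignored in this toy."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def version_in_range(version, range_expr):
    """Evaluate a space-separated conjunction of clauses, e.g. '>=1.4.0 <1.5.0'."""
    v = parse_version(version)
    for clause in range_expr.split():
        op = clause[:2] if clause[:2] in OPS else clause[:1]
        if not OPS[op](v, parse_version(clause[len(op):])):
            return False
    return True


def resolve(lock):
    """Return installed {name: version}, the direct-dependency set, and the graph."""
    pkgs = lock["packages"]
    direct = set(pkgs[""].get("dependencies", {}))
    installed, graph = {}, {}
    for path, meta in pkgs.items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[1]  # also handles nested node_modules
        installed[name] = meta["version"]
        graph[name] = set(meta.get("dependencies", {}))
    return installed, direct, graph


def introduced_by(name, direct, graph):
    """Direct dependencies whose transitive closure contains `name` (BFS per root)."""
    roots = []
    for root in sorted(direct):
        seen, queue = {root}, deque([root])
        while queue:
            cur = queue.popleft()
            if cur == name:
                roots.append(root)
                break
            for dep in graph.get(cur, ()):
                if dep not in seen:
                    seen.add(dep)
                    queue.append(dep)
    return roots


def scan(lock=LOCKFILE, advisories=ADVISORIES):
    """Match installed versions against advisories; rank by EPSS, then CVSS."""
    installed, direct, graph = resolve(lock)
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None or not version_in_range(version, adv["affected"]):
            continue
        scope = "direct" if adv["package"] in direct else "transitive"
        findings.append({
            "id": adv["id"], "package": adv["package"], "version": version,
            "scope": scope,
            "via": [] if scope == "direct" else introduced_by(adv["package"], direct, graph),
            "cvss": adv["cvss"], "epss": adv["epss"], "fixed": adv.get("fixed"),
        })
    findings.sort(key=lambda f: (-f["epss"], -f["cvss"]))
    return findings


if __name__ == "__main__":
    for f in scan():
        fix = f"upgrade to {f['fixed']}" if f["fixed"] else "no fixed version published"
        via = f" via {', '.join(f['via'])}" if f["via"] else ""
        print(f"{f['id']} {f['package']}@{f['version']} [{f['scope']}{via}] "
              f"CVSS {f['cvss']} EPSS {f['epss']:.2f}: {fix}")
```

Running it lists the tiny-parser finding first even though it is transitive, because its constructed EPSS is far higher than log-util's; the `via` field tells you that reaching the fixed version means checking whether web-framework has a release that pulls in tiny-parser 0.9.6 or later. The third advisory does not match because the installed web-framework is outside its affected range.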

Supported package managers

Cysmiq supports manifests and lock files for:
  • JavaScript/TypeScript: npm, Yarn, pnpm
  • Python: pip, Poetry, Pipenv, PDM, uv
  • Java/Kotlin: Maven, Gradle
  • Go: Go modules
  • PHP: Composer
  • Ruby: Bundler
  • Rust: Cargo
  • .NET: NuGet, Paket
  • Elixir/Erlang: Mix, Rebar
  • Swift: Swift Package Manager
See Package Managers & Manifests for the full manifest file reference.

SBOMs

SBOMs are generated from dependency data. See SBOMs for details.