Dependency vulnerability scanner — CVEs across six languages, locally.

A dependency vulnerability scanner checks every package your project pulls in against the OSV database of published CVEs. inkode runs the right tool for each language — govulncheck for Go, pip-audit for Python, npm audit for JavaScript and TypeScript, and more — and surfaces vulnerable packages with severity, affected versions, and the fix version, all in one scan.

Scan My Dependencies Block CVEs in CI

The right tool for each ecosystem.

LanguageToolWhat it scans
GogovulncheckOSV CVEs against go.sum. Walks call graphs from main to confirm the vulnerable code is actually reachable — not just in a transitive dep you never call. The official Go security team's tool.
Pythonpip-auditPyPI Advisory Database and OSV CVEs against requirements.txt, Pipfile.lock, and pyproject.toml lockfiles. Maintained by the Python Packaging Authority.
JavaScript / TypeScriptnpm auditnpm Advisory Database against package-lock.json. Reports critical, high, moderate, and low severity findings with CVE references and the minimum safe version.
Javamvn dependency-checkOWASP Dependency-Check against Maven POM. Scans JAR files and third-party libraries against the NVD CVE database.
Rustcargo auditRustSec Advisory Database against Cargo.lock. The official security advisory database for the Rust ecosystem.

Every vulnerable package, with the fix.

$ ik run inkode · my-app (Go + Python) Dependency Audit 5 findings 3.4s golang.org/x/net v0.0.0-20220722155237 → fix: v0.17.0 GO-2023-2102 CVSS 7.5 HTTP/2 rapid-reset DoS golang.org/x/crypto v0.0.0-20210921165927 → fix: v0.1.0 GO-2022-0969 CVSS 7.5 Panic in crypto/elliptic IsOnCurve requests 2.27.1 → fix: 2.31.0 PYSEC-2023-74 CVSS 6.1 Proxy-Authorization header leak cryptography 38.0.4 → fix: 41.0.0 PYSEC-2023-112 CVSS 5.9 OpenSSL buffer over-read pillow 9.1.1 → fix: 9.3.0 PYSEC-2022-43012 CVSS 5.5 Uncontrolled resource consumption Score 54 / 100 grade D (security: 28) Report .ik/brief.html

AI tools ship your code. They don't update your deps.

AI-generated code pins old versions

When an AI coding tool scaffolds a project, it uses versions from its training data — which may be months or years out of date. The code compiles and tests pass, but the dependency tree is already vulnerable.

Transitive deps are the real risk

A CVE in a direct dependency is easy to spot. A CVE in a package two levels deep in your dependency graph — the one you never named in your manifest — is what actually gets exploited. inkode scans the full lockfile.

Catch it before investors do

Technical due diligence always includes a dependency scan. High-severity CVEs in a pre-fundraise codebase are a negotiation point. Get the list, fix the fixable ones, and explain the rest on your terms.

Block vulnerable deps from merging

Wire inkode into CI. Every PR gets scanned. If a new dependency introduces a high-severity CVE, the quality gate fails before it merges. The GitHub Action sets up in under five minutes.

Scan your dependencies for CVEs now

Install in one line. Runs locally — your source code never leaves your machine. No account required for the first scan.

Scan Free Set Up CI Quality Gate