Dependency vulnerability scanner — CVEs across six languages, locally.
A dependency vulnerability scanner checks every package your project pulls in against the OSV database of published CVEs. inkode runs the right tool for each language — govulncheck for Go, pip-audit for Python, npm audit for JavaScript and TypeScript, and more — and surfaces vulnerable packages with severity, affected versions, and the fix version, all in one scan.
The right tool for each ecosystem.
Every vulnerable package, with the fix.
AI tools ship your code. They don't update your deps.
When an AI coding tool scaffolds a project, it uses versions from its training data — which may be months or years out of date. The code compiles and tests pass, but the dependency tree is already vulnerable.
A CVE in a direct dependency is easy to spot. A CVE in a package two levels deep in your dependency graph — the one you never named in your manifest — is what actually gets exploited. inkode scans the full lockfile.
Technical due diligence always includes a dependency scan. High-severity CVEs in a pre-fundraise codebase are a negotiation point. Get the list, fix the fixable ones, and explain the rest on your terms.
Wire inkode into CI. Every PR gets scanned. If a new dependency introduces a high-severity CVE, the quality gate fails before it merges. The GitHub Action sets up in under five minutes.
Scan your dependencies for CVEs now
Install in one line. Runs locally — your source code never leaves your machine. No account required for the first scan.