OWASP depscan is an open-source security audit tool that checks project dependencies against known vulnerabilities and advisories. It supports both local repos and container images, and integrates with CI environments such as GitHub Actions, Azure Pipelines, CircleCI, Jenkins, and Google Cloud Build.
Features
- Scan most application code - local repos, Linux container images, Kubernetes manifests, and OS - to identify known CVEs with prioritization.
- Package vulnerability scanning is performed locally and is quite fast. No server is used!
- Generate Software Bill-of-Materials (SBoM) with Vulnerability Exploitability Exchange (VEX) information.
- Perform a deep package risk audit for dependency confusion attacks and maintenance risks (see risk audit)
This project was donated to the OWASP Foundation in 2023.
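As an added example (not depscan's own code), the following script triages the kind of CycloneDX VEX output a scanner like depscan emits: it drops entries whose VEX analysis marks them as not affected or resolved, tolerates entries with no rating, and orders the rest by severity and score. The sample document is constructed, and the assumption is that the output follows the CycloneDX 1.4 `vulnerabilities` schema.

```python
import json

# Constructed sample in the shape of a CycloneDX 1.4 VEX document (assumption:
# depscan's VEX output uses this schema; the CVE ids and purls are placeholders).
SAMPLE_VEX = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "vulnerabilities": [
    {"id": "CVE-0000-0001",
     "ratings": [{"score": 9.8, "severity": "critical", "method": "CVSSv31"}],
     "analysis": {"state": "exploitable"},
     "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}]},
    {"id": "CVE-0000-0002",
     "ratings": [{"score": 7.5, "severity": "high", "method": "CVSSv31"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:npm/other-lib@4.5.6"}]},
    {"id": "CVE-0000-0003", "ratings": [],
     "affects": [{"ref": "pkg:pypi/some-pkg@0.1"}]}
  ]
}
""")

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0, "none": 0, "unknown": 0}
# VEX analysis states that mean "no action needed" for this component.
RESOLVED_STATES = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}


def best_rating(vuln):
    """Return (severity, score) from the highest-scoring rating, or ("unknown", 0.0) if none."""
    ratings = vuln.get("ratings") or []
    if not ratings:
        return ("unknown", 0.0)
    top = max(ratings, key=lambda r: r.get("score") or 0.0)
    return ((top.get("severity") or "unknown").lower(), float(top.get("score") or 0.0))


def prioritize(vex, min_severity="high"):
    """Return actionable findings at or above min_severity, highest severity/score first."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for v in vex.get("vulnerabilities", []):
        state = (v.get("analysis") or {}).get("state", "")
        if state in RESOLVED_STATES:
            continue  # suppressed by VEX analysis, not actionable
        severity, score = best_rating(v)
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue
        refs = [a.get("ref") for a in v.get("affects", []) if a.get("ref")]
        findings.append({"id": v.get("id"), "severity": severity, "score": score,
                         "state": state or "in_triage", "affects": refs})
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 0), f["score"]), reverse=True)
    return findings
```

Unrated entries are kept (as `unknown`) only when the threshold is lowered to `info`, so a missing rating never silently hides a finding or inflates it.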