Dependo gates your dependencies at the CI/CD level. Automated vulnerability scanning, signature verification, license compliance, maintainer trust analysis, and SBOM generation—powered by 19 background workers for enterprise-scale throughput.
Protecting dependencies across modern development stacks
From vulnerability scanning to SBOM generation, Dependo provides comprehensive dependency governance for enterprise teams.
Block vulnerable or non-compliant packages at the CI/CD level. Configurable rules evaluate every dependency before it reaches production.
Real-time scanning against NVD and GitHub Security Advisories with intelligent rate limiting and caching.
Automatically categorize licenses, detect GPL/copyleft risks, and enforce license policies across your organization.
Automatic Software Bill of Materials generation in CycloneDX 1.5 and SPDX 2.3 formats with SHA256 integrity verification.
Route blocked packages through approval workflows. Security teams can review, approve, or reject exception requests.
Resolve packages from private NuGet feeds. Credentials are encrypted with AES-256-GCM and isolated per account.
Verify package authenticity with Sigstore, X.509, and PGP signatures. Configurable verification levels from None to Strict across all 10 ecosystems.
Organization-wide health scoring with time-series metrics. Track vulnerability trends, license compliance rates, and maintainer trust across all repositories.
Configure granular rules across four critical dimensions. Each category provides specialized checks to protect your software supply chain.
Protect against known vulnerabilities and malicious packages before they enter your codebase.
Enforce license policies and maintain audit trails for regulatory requirements.
Ensure package health and maintainer reliability for long-term stability.
Verify package provenance and detect tampering across the entire dependency tree.
CI/CD pipeline runs Dependo CLI to auto-detect and verify manifest files (package-lock.json, .csproj, packages.lock.json).
# Install and run Dependo CLI
$ npm install -g @dependo/cli
$ dependo verify \
--rule-sets your-rule-set-name \
--wait --verbose19 specialized RabbitMQ workers analyze packages concurrently: vulnerability scanning, signature verification, license detection, and maintainer trust scoring.
Packages evaluated against configurable rule sets. Violations trigger blocks or approval requests.
Verification result returned: Passed, Rejected, or RequiresApproval. CI/CD pipeline proceeds or fails accordingly.
Dependo supports the most popular package ecosystems with unified governance policies.
package.json, package-lock.json
Full Support.csproj, packages.lock.json
Full Supportpom.xml
Supportedrequirements.txt, Pipfile
Supportedgo.mod, go.sum
SupportedCargo.toml, Cargo.lock
SupportedGemfile, Gemfile.lock
Supportedcomposer.json, composer.lock
Supportedbuild.gradle, gradle.lockfile
Supportedpyproject.toml, poetry.lock
SupportedInstall the CLI, add one command, and you're protected. Auto-detects manifests and git context.
name: Dependo Package Verification
on: [push, pull_request]
jobs:
verify-dependencies:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Dependo CLI
run: npm install -g @dependo/cli
- name: Verify packages
env:
DEPENDO_API_KEY: ${{ secrets.DEPENDO_API_KEY }}
run: |
dependo verify \
--rule-sets ${{ vars.DEPENDO_RULE_SETS }} \
--wait \
--verbosetrigger:
- main
pool:
vmImage: 'ubuntu-latest'
steps:
- task: NodeTool@0
inputs:
versionSpec: '20.x'
- script: npm install -g @dependo/cli
displayName: 'Install Dependo CLI'
- script: |
dependo verify \
--rule-sets $(DEPENDO_RULE_SETS) \
--wait \
--verbose
displayName: 'Verify packages'
env:
DEPENDO_API_KEY: $(DEPENDO_API_KEY)# Create verification
POST /api/v1/package-gate/verify
Content-Type: application/json
X-API-Key: your-api-key
{
"repositoryName": "myorg/myrepo",
"branch": "main",
"commitHash": "abc123...",
"projectFiles": [
{
"fileName": "package-lock.json",
"content": "<base64-encoded>"
}
],
"ruleSetIds": ["uuid-1", "uuid-2"]
}
# Response
{
"id": "verification-uuid",
"status": "Passed",
"totalPackages": 247,
"violatingPackages": 0,
"processingTimeMs": 3420
}Dependo is designed from the ground up for enterprise security requirements, with multi-tenancy isolation, encrypted credential storage, and comprehensive audit logging.
Registry credentials and API keys encrypted at rest
Account-scoped data with validated ownership checks
50+ event types, 14 action categories for SOC 2 compliance
Automatic failover and cached fallback during outages
SHA256: e3b0c44298fc1c149af...
Choose the deployment model that fits your organization's security requirements, compliance needs, and operational preferences.
Managed service with zero infrastructure overhead
Teams wanting fast deployment, minimal ops burden, and predictable costs.
Full control in your own infrastructure
Organizations with strict data residency requirements or existing infrastructure.
Dependo supports 10 major package ecosystems: NPM (JavaScript), NuGet (.NET), Maven (Java), PyPI (Python), Go modules, Cargo (Rust), RubyGems (Ruby), Composer (PHP), Gradle (Java/Kotlin), and Poetry (Python). NPM and NuGet have full production support including private registry integration. All ecosystems support vulnerability scanning, license detection, and SBOM generation.
Install the Dependo CLI (npm install -g @dependo/cli) and run dependo verify --wait in your pipeline. The CLI auto-detects manifest files, reads git context, and returns proper exit codes. GitHub Actions, Azure DevOps, GitLab CI, Jenkins, and CircleCI examples are all documented. Integration takes under 5 minutes.
Dependo queries the National Vulnerability Database (NVD) and GitHub Security Advisories (GHSA) in real-time. Results are cached for 24 hours with intelligent rate limiting to stay within API limits. We use token bucket algorithms to maximize throughput—100 packages can be analyzed in under 2 minutes.
Yes. Include your NuGet.config file as a project file in the verification request. Dependo parses the config, extracts package sources and credentials, encrypts them with AES-256-GCM, and uses them during package resolution. Credentials are isolated per account and never exposed in API responses.
Dependo generates SBOMs in CycloneDX 1.5 (JSON) and SPDX 2.3 (JSON) formats. Both per-repository and organization-wide SBOMs are available. Each SBOM includes a SHA256 hash for integrity verification. Generation happens automatically after verification when enabled in settings.
Most verifications complete in under 5 seconds thanks to parallel worker architecture and aggressive caching. Cache hits return in under 100ms. For uncached packages, vulnerability scanning and enrichment happen concurrently. The fingerprint-based cache provides 60-80% hit rates for identical manifests across repositories.
Blocked packages can trigger an automatic approval workflow. Security teams receive notifications and can approve, reject, or request changes. Once approved, the package is whitelisted for future verifications. You can also configure "StopOnFirstBlockingRule" for fast-fail CI/CD pipelines.
Yes. Dependo is built with enterprise scale in mind: multi-tenant architecture with account isolation, 4-tier role hierarchy (Owner/Admin/Member/Viewer), 9 authorization policies covering 220+ operations, hierarchical rule sets, distributed caching with Redis, and 19 RabbitMQ-based workers for parallel processing. Circuit breakers protect against external API failures.
Dependo verifies package authenticity using Sigstore (for npm provenance), X.509 certificates (NuGet, Maven), and PGP signatures (RubyGems, Composer). You can configure verification levels per ecosystem: None, Basic, Standard, or Strict. Supply chain integrity checks compare lock file hashes against registry metadata to detect tampering.
Be among the first teams to secure your software supply chain with Dependo. Get priority access, direct support, and influence the product roadmap.
Join enterprise teams using Dependo to eliminate vulnerable dependencies before they ship.