Find answers to common questions, explore our documentation, and learn how to use Dependo effectively.
Learn the basics of setting up and using Dependo for package governance.
Integrate Dependo with your continuous integration pipelines.
Configure rules to enforce your package governance policies.
Get help from the Dependo team and community.
Get up and running with Dependo in minutes.
Sign up for Dependo and create your organization. Once registered, you'll have access to the dashboard where you can manage repositories, rule sets, and team members.
Create rule sets that define your package governance policies. Configure vulnerability thresholds, license allowlists, and approval workflows.
// Block critical vulnerabilities
{
"type": "vulnerability",
"severity": "critical",
"action": "block"
}Navigate to Integrations > API Keys to generate an API key for your CI/CD pipeline. API keys can be scoped to specific repositories for security.
Add Dependo verification to your CI/CD pipeline. Submit your manifest files and Dependo will evaluate them against your rule sets.
View CI/CD integration guidesA verification is a single evaluation of your project's dependencies against configured rule sets.
Collections of rules that define your package governance policies. Assign different rule sets to different repositories.
When packages violate rules, they can be routed through approval workflows for exception handling.
Software Bill of Materials automatically generated in CycloneDX or SPDX format for compliance.
Add dependency verification to your existing CI/CD workflows.
Add Dependo verification to your GitHub Actions workflow with this example configuration.
name: Dependency Verification
on:
push:
branches: [main, develop]
pull_request:
branches: [main]
jobs:
verify-dependencies:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Read manifest files
id: manifests
run: |
# Base64 encode manifest files
PACKAGE_LOCK=$(base64 -w 0 package-lock.json)
echo "package_lock=$PACKAGE_LOCK" >> $GITHUB_OUTPUT
- name: Verify with Dependo
run: |
RESPONSE=$(curl -s -X POST \
-H "X-API-Key: ${{ secrets.DEPENDO_API_KEY }}" \
-H "Content-Type: application/json" \
-d '{
"repositoryName": "${{ github.repository }}",
"branch": "${{ github.ref_name }}",
"commitHash": "${{ github.sha }}",
"projectFiles": [{
"fileName": "package-lock.json",
"filePath": "./package-lock.json",
"content": "${{ steps.manifests.outputs.package_lock }}"
}],
"ruleSetIds": ["your-ruleset-id"]
}' \
https://api.dependo.io/v1/package-gate/verify)
STATUS=$(echo $RESPONSE | jq -r '.status')
echo "Verification status: $STATUS"
if [[ "$STATUS" == "Rejected" ]]; then
echo "::error::Dependency verification failed"
echo $RESPONSE | jq '.violations'
exit 1
fiDEPENDO_API_KEYyour-ruleset-id with your actual rule set UUIDIntegrate Dependo verification into your Azure Pipelines.
trigger:
- main
- develop
pool:
vmImage: 'ubuntu-latest'
variables:
- group: dependo-credentials
stages:
- stage: Verify
displayName: 'Dependency Verification'
jobs:
- job: VerifyDependencies
steps:
- task: Bash@3
displayName: 'Submit to Dependo'
inputs:
targetType: 'inline'
script: |
# Base64 encode manifest
MANIFEST=$(base64 -w 0 package-lock.json)
# Submit verification
RESPONSE=$(curl -s -X POST \
-H "X-API-Key: $(DEPENDO_API_KEY)" \
-H "Content-Type: application/json" \
-d "{
\"repositoryName\": \"$(Build.Repository.Name)\",
\"branch\": \"$(Build.SourceBranchName)\",
\"commitHash\": \"$(Build.SourceVersion)\",
\"buildNumber\": \"$(Build.BuildNumber)\",
\"projectFiles\": [{
\"fileName\": \"package-lock.json\",
\"content\": \"$MANIFEST\"
}]
}" \
https://api.dependo.io/v1/package-gate/verify)
STATUS=$(echo $RESPONSE | jq -r '.status')
if [[ "$STATUS" == "Rejected" || "$STATUS" == "Failed" ]]; then
echo "##vso[task.logissue type=error]Verification failed"
exit 1
fidependo-credentialsDEPENDO_API_KEY with your API keyUse the REST API directly for custom integrations or unsupported CI/CD platforms.
/api/v1/package-gate/verify
Submit a package verification request.
{
"repositoryName": "myorg/myrepo",
"branch": "main",
"commitHash": "abc123def456...",
"buildNumber": "build-123",
"projectFiles": [
{
"fileName": "package-lock.json",
"filePath": "./package-lock.json",
"content": "<base64-encoded-content>"
}
],
"ruleSetIds": [
"550e8400-e29b-41d4-a716-446655440000"
]
}{
"id": "verification-uuid",
"status": "Passed",
"totalPackages": 247,
"violatingPackages": 0,
"processingTimeMs": 3420,
"violations": []
}200
Verification completed successfully
400
Invalid request body or missing required fields
401
Invalid or missing API key
403
API key doesn't have access to specified resources
Define policies that match your organization's security and compliance requirements.
Block packages with known CVEs based on severity thresholds.
Enforce license compliance with allowlists and blocklists.
Detect and block deprecated packages before they cause issues.
Verify package maintainers meet trust criteria.
Require cryptographic signatures for package verification.
Verify package integrity against registry checksums.
Each rule set provides advanced configuration options:
Navigate to Rules in the sidebar, click Create Rule Set, and follow the wizard. Start with a template (e.g., "Security Focused" or "Compliance") and customize the rules to match your requirements. Each rule set can contain multiple rules of different types.
Dependo supports 8 ecosystems: NPM and NuGet have full production support including private registries. Maven, PyPI, Go, Cargo, RubyGems, and Composer are supported for vulnerability scanning, license detection, and SBOM generation.
Generate an API key from Integrations > API Keys, then use our REST API to submit package verifications from your pipeline. We provide examples for GitHub Actions and Azure DevOps. Integration typically takes under 10 minutes.
Dependo queries the National Vulnerability Database (NVD) and GitHub Security Advisories (GHSA) in real-time. Results are cached for 24 hours. We use intelligent rate limiting to maximize throughput while staying within API limits.
Yes! Include your NuGet.config file as a project file in the verification request. Dependo parses the config, extracts credentials, and encrypts them with AES-256-GCM. Credentials are isolated per account and never exposed in API responses.
Dependo generates SBOMs in CycloneDX 1.5 and SPDX 2.3 JSON formats. Both per-repository and organization-wide SBOMs are available. Each SBOM includes a SHA256 hash for integrity verification. Enable automatic generation in Settings.
Most verifications complete in under 5 seconds thanks to parallel processing and aggressive caching. Cache hits return in under 100ms. Fingerprint-based caching provides 60-80% hit rates for identical manifests across repositories.
Blocked packages can trigger an automatic approval workflow. Security teams receive notifications and can approve, reject, or request changes. Approved packages are whitelisted for future verifications. Configure "StopOnFirstBlockingRule" for fast-fail pipelines.
Can't find what you're looking for? Reach out to the Dependo team.
Get help from our team via email. We respond within 24 hours.
support@dependo.ioFound a bug? Report it on GitHub and we'll investigate.
Open GitHub IssuesHave an idea? Share it in GitHub Discussions.
Join DiscussionsJoin our early access program for priority support and direct Slack access.
Get Early AccessOur team is here to help you get started with Dependo and secure your software supply chain.