SecuDep · Software composition analysis

Know every dependency you ship

Complete dependency graphs, license intelligence, and vulnerability matching across your ecosystems - resolved locally, matched against a signed offline database, and emitted as standards-compliant SBOMs.

$ secudep scan ./app
lockfiles resolved 6 · ecosystems 4
components 1,842 · direct 214
critical · known exploited dependency found
sbom written · cyclonedx 1.6
✓ complete graph, resolved offline
How it works
01
Point it at your project
Manifests, lockfiles, and vendored code across your ecosystems, resolved without touching a registry.
02
Match offline
Vulnerabilities, exploited-in-the-wild flags, and licenses matched against a signed vulnerability bundle you update on your schedule.
03
Ship the SBOM
Standards-compliant CycloneDX output with a full dependency graph, ready for customers, auditors, and BOMNexa.
Why teams choose SecuDep
Complete dependency graphs
Direct and transitive dependencies with full paths, so you know how every component got in.
License intelligence
SPDX-aware license classification, including compound and vendored notices, for real compliance decisions.
Signed offline vulnerability data
A cryptographically signed data bundle brings CVE data into your air-gapped network; a bundle that fails signature verification is rejected rather than silently matched. You control when it updates.
Prioritization that reflects reality
Exploited-in-the-wild and exploit-likelihood signals ride with each finding, so teams fix what attackers use.
Frequently asked questions
How does vulnerability matching work without internet?

SecuDep matches your dependency inventory against a signed, versioned vulnerability bundle that you import on your own schedule. The signature is checked before the bundle is used, so a tampered or truncated bundle is refused instead of quietly producing fewer findings. Every report records which bundle version it was evaluated against, so results are reproducible: the same inventory and the same bundle give the same findings.

Which SBOM formats does it produce?

CycloneDX 1.6 with a complete, non-deduplicated dependency graph: every path from a root package to a component is kept, not just the first one found. The output is designed to be consumed by dashboards, auditors, and downstream tooling.
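The three steps above (resolve an inventory, match it offline against a signed bundle, emit a CycloneDX document) and the two answers just given, in one added example. This is illustration code written for this page, not SecuDep's own code, CLI or data format: the bundle layout, the advisory IDs (HYP-0001 and so on), the package names, the property name vuln-bundle:version and the inventory are all constructed for the example. The signature check uses Ed25519 from Go's standard library; the point it demonstrates is that a bundle whose signature does not verify is never matched against, that exploited-in-the-wild findings sort first, and that the bundle version is written into the report.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Advisory is one record of a hypothetical signed vulnerability bundle (not SecuDep's real format).
type Advisory struct {
	ID, Ecosystem, Package string
	Introduced, Fixed      string // first affected / first fixed version; Fixed == "" means unfixed
	KEV                    bool   // exploited-in-the-wild flag
}

type Bundle struct {
	Version    string
	Advisories []Advisory
}

type Component struct{ Ecosystem, Name, Version string }

type Finding struct {
	Advisory  Advisory
	Component Component
}

// LoadBundle refuses anything whose Ed25519 signature does not verify under the publisher key,
// so a tampered or unsigned bundle is never matched against.
func LoadBundle(pub ed25519.PublicKey, payload, sig []byte) (*Bundle, error) {
	if !ed25519.Verify(pub, payload, sig) {
		return nil, errors.New("bundle signature invalid: refusing to load")
	}
	var b Bundle
	if err := json.Unmarshal(payload, &b); err != nil {
		return nil, err
	}
	return &b, nil
}

// compareVersions is a dotted-integer comparison ("1.10.0" > "1.9.3"). Real ecosystems need
// their own rules (semver pre-releases, PEP 440); this is only the minimal core.
func compareVersions(a, b string) int {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// affects: same ecosystem and package, version >= Introduced, and (unfixed or version < Fixed).
func (a Advisory) affects(c Component) bool {
	if a.Ecosystem != c.Ecosystem || a.Package != c.Name || compareVersions(c.Version, a.Introduced) < 0 {
		return false
	}
	return a.Fixed == "" || compareVersions(c.Version, a.Fixed) < 0
}

// Match returns every applicable advisory/component pair, exploited-in-the-wild findings first.
func Match(b *Bundle, inv []Component) []Finding {
	var kev, rest []Finding
	for _, c := range inv {
		for _, a := range b.Advisories {
			if a.affects(c) && a.KEV {
				kev = append(kev, Finding{a, c})
			} else if a.affects(c) {
				rest = append(rest, Finding{a, c})
			}
		}
	}
	return append(kev, rest...)
}

// BuildReport emits a CycloneDX-1.6-shaped document (package URLs double as bom-refs). The bundle
// version goes into metadata.properties so a reader knows which data the result was evaluated against.
func BuildReport(b *Bundle, inv []Component, findings []Finding) map[string]any {
	purl := func(c Component) string { return fmt.Sprintf("pkg:%s/%s@%s", c.Ecosystem, c.Name, c.Version) }
	var comps, vulns []map[string]any
	for _, c := range inv {
		comps = append(comps, map[string]any{"type": "library", "bom-ref": purl(c), "name": c.Name, "version": c.Version, "purl": purl(c)})
	}
	for _, f := range findings {
		vulns = append(vulns, map[string]any{
			"id":         f.Advisory.ID,
			"affects":    []map[string]string{{"ref": purl(f.Component)}},
			"properties": []map[string]string{{"name": "exploited-in-the-wild", "value": strconv.FormatBool(f.Advisory.KEV)}},
		})
	}
	return map[string]any{
		"bomFormat": "CycloneDX", "specVersion": "1.6",
		"metadata":   map[string]any{"properties": []map[string]string{{"name": "vuln-bundle:version", "value": b.Version}}},
		"components": comps, "vulnerabilities": vulns,
	}
}

// SampleBundle plays the bundle publisher: constructed advisories, a freshly generated key, signed payload.
func SampleBundle() (ed25519.PublicKey, []byte, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload, _ := json.Marshal(Bundle{Version: "2024.06.01", Advisories: []Advisory{
		{"HYP-0001", "npm", "demo-router", "1.0.0", "1.4.2", true},
		{"HYP-0002", "pypi", "demo-yaml", "5.0", "5.4", false},
		{"HYP-0003", "npm", "demo-router", "2.0.0", "", false}, // no fix released yet
	}})
	return pub, payload, ed25519.Sign(priv, payload)
}

// SampleInventory is a constructed lockfile-derived inventory: two ecosystems, mixed versions.
func SampleInventory() []Component {
	return []Component{
		{"npm", "demo-router", "1.4.1"}, {"npm", "demo-router", "1.4.2"}, {"npm", "demo-router", "2.1.0"},
		{"pypi", "demo-yaml", "5.3.1"}, {"pypi", "demo-yaml", "5.4"},
	}
}

func main() {
	pub, payload, sig := SampleBundle()
	b, err := LoadBundle(pub, payload, sig)
	if err != nil {
		panic(err)
	}
	inv := SampleInventory()
	out, _ := json.MarshalIndent(BuildReport(b, inv, Match(b, inv)), "", "  ")
	fmt.Println(string(out))
}
```

Running it prints a report with three vulnerabilities: demo-router 1.4.1 against HYP-0001 (listed first because it is flagged exploited-in-the-wild), demo-router 2.1.0 against the unfixed HYP-0003, and demo-yaml 5.3.1 against HYP-0002; 1.4.2 and 5.4 sit at or above their fixed versions and produce nothing. Flip one byte of the signature and LoadBundle returns an error before any matching happens, which is the behaviour you want from an offline data source you cannot re-fetch on demand.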

What if a project has no lockfile?

SecuDep can resolve dependencies even when lockfiles are missing, so legacy and inherited codebases still get a complete inventory. Treat that inventory as a snapshot: without a lockfile nothing pins the exact versions a given build installs, so commit one as soon as you can to make the inventory, and the findings derived from it, reproducible.

See SecuDep run on your own code, in your own network.
Request a demo