Know what's in your dependencies before they ship.
Automated supply chain risk analysis for open source packages. Every version scored across five security dimensions — license, maintenance, maintainer integrity, code capabilities, and prompt injection risk.
Five dimensions of risk
Gradient scores from 0–1 across every facet that matters. Not a pass/fail.
License: Does the package declare a recognized open source license? Missing or non-standard licenses create legal risk.
Maintenance: Is the package actively maintained? Scores release cadence and history to flag abandoned or declining projects.
Maintainer integrity: Who controls the package? Detects maintainer changes, single-publisher risk, and signs of account takeover.
Code capabilities: What can the code do? Surfaces eval, system calls, network access, and other capabilities you should know about before shipping.
Prompt injection risk: Does the package try to manipulate AI tools? Detects text designed to hijack coding assistants, review bots, or RAG pipelines.
Integrate in minutes
Two ways to consume analysis — REST API for CI pipelines, MCP for AI coding agents.
REST API
Submit a package manifest from CI. Results are shared globally — if another team checked the same manifest, you get cached results instantly.
- POST a lockfile subset to check
- Digest-based caching eliminates repeat costs
- Block deploys on high-risk scores in CI
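The CI-side half of this flow, as an added illustration that is not the product's own client or API: a canonical digest over the submitted lockfile subset (the cache key that lets two teams share a result) and a policy gate over the five 0–1 dimension scores. The request shape, the dimension keys, the per-dimension ceilings, and the assumption that a higher score means higher risk are all constructed here.

```python
import hashlib
import json

# Constructed lockfile subset a CI job would submit. The real request
# format is not given on the page; this shape is an assumption.
LOCKFILE_SUBSET = {
    "packages": [
        {"name": "left-pad", "version": "1.3.0", "ecosystem": "npm"},
        {"name": "lodash", "version": "4.17.21", "ecosystem": "npm"},
    ]
}

# Ceilings for the five dimensions the page names. Assumption: each score
# is a risk value in [0, 1], higher meaning riskier; exceeding a ceiling
# is a policy violation. Values are constructed for the example.
POLICY = {
    "license": 0.7,
    "maintenance": 0.8,
    "maintainer_integrity": 0.5,
    "code_capabilities": 0.8,
    "prompt_injection": 0.3,
}


def manifest_digest(subset: dict) -> str:
    """Canonical SHA-256 of the subset, usable as a shared cache key.

    Packages are sorted and serialised with sorted keys and fixed
    separators, so the same set submitted in a different order by another
    team yields the same digest and hits the same cached result.
    """
    canonical = sorted(
        subset["packages"],
        key=lambda p: (p["ecosystem"], p["name"], p["version"]),
    )
    blob = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def evaluate(results: dict, policy: dict = POLICY) -> dict:
    """Map each package to the dimensions whose score exceeds its ceiling.

    `results` maps "name@version" to a dict of dimension scores (a
    constructed stand-in for an analysis response). A dimension missing
    from the response is treated as maximum risk, so the gate fails closed.
    """
    violations = {}
    for pkg, scores in results.items():
        failed = [d for d, ceiling in policy.items() if scores.get(d, 1.0) > ceiling]
        if failed:
            violations[pkg] = failed
    return violations
```

A CI step would call `evaluate` on the analysis response and exit non-zero when the returned dict is non-empty, which is the "block deploys on high-risk scores" step above.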
MCP Server
Exposed as MCP tools so AI coding agents can query supply chain risk before suggesting or upgrading dependencies. Works with Claude, Cursor, and any MCP-compatible agent.
- check_packages — risk scores, signals, and policy evaluation for 1 to 500 packages
Start analyzing for free
Create an account, generate an API key, and integrate in under five minutes.