Know which vulnerable dependencies actually need fixing.
Most projects carry hundreds of vulnerable packages. Most of them don't matter right now. Lumstep uses OSV-Scanner against the OSV and NVD databases, then enriches every finding with CISA KEV flags and EPSS scores - so you know which CVEs are being actively exploited and how likely yours is to be targeted. The result is a ranked list that tells you what to fix this sprint, not just what's technically flagged. For fixable findings, Lumstep opens the pull request.
How Lumstep's dependency scanning works
No manifest editing required - Lumstep reads your existing dependency graph and handles the rest.
Full dependency tree analysis
On every push, Lumstep resolves your complete dependency graph - direct and transitive - and checks every package against the OSV and NVD databases.
Enrichment with threat intelligence
Each CVE is matched against the CISA KEV list and assigned an EPSS score, then ranked by a combination of exploitability, direct vs. transitive depth, and severity.
Fix PR or dashboard alert
For findings with a clean upgrade path, Lumstep opens a pull request automatically. For everything else, findings are ranked in your dashboard with context on why each one matters.
Prioritized by real-world risk
Every finding is cross-referenced against CISA's Known Exploited Vulnerabilities list and weighted by EPSS (the probability a CVE gets exploited in the next 30 days). A direct dependency with a KEV flag surfaces at the top. A transitive dependency with a 0.1% EPSS score does not.
Fix PRs opened automatically
When a vulnerable dependency has a safe upgrade path, Lumstep calculates the version bump and opens a pull request with the diff and the reasoning behind the version choice. You review and merge - nothing is applied automatically.
Seven ecosystems covered
npm, pip/Poetry, Maven/Gradle, Go modules, Cargo, NuGet, and RubyGems are all supported. One scan covers your full stack, including polyglot monorepos.
Continuous monitoring on every commit
Scans trigger on every push - no scheduled jobs to configure, no lag between a commit and detection of a newly introduced vulnerability.
See which of your dependencies are at risk.
Free early access. Automatic fix PRs available from your first scan.