Software Composition Analysis

Know which vulnerable dependencies actually need fixing.

Most projects carry hundreds of vulnerable packages. Most of them don't matter right now. Lumstep uses OSV-Scanner against the OSV and NVD databases, then enriches every finding with CISA KEV flags and EPSS scores - so you know which CVEs are being actively exploited and how likely yours is to be targeted. The result is a ranked list that tells you what to fix this sprint, not just what's technically flagged. For fixable findings, Lumstep opens the pull request.

lodash@4.17.20
CriticalKEV
Prototype pollution - remote code execution via crafted payload
axios@0.21.1
High
SSRF vulnerability - insufficient URL validation
minimist@1.2.5
Medium
Prototype pollution - argument parsing bypass

Software Composition Analysis

How Lumstep's dependency scanning works

No manifest editing required - Lumstep reads your existing dependency graph and handles the rest.

Detection sources
OSV DatabaseOpen source vulnerability database
Checked
NVDNational Vulnerability Database
Checked
CISA KEVKnown Exploited Vulnerabilities
Enriched
EPSSExploit prediction score
Enriched
Sources cross-referenced4 of 4 active →
On every push

Full dependency tree analysis

On every push, Lumstep resolves your complete dependency graph - direct and transitive - and checks every package against the OSV and NVD databases.

express@4.17.1
High
Direct dependency - open redirect in query parsing
qs@6.5.2
Medium
Transitive dependency (via express) - prototype pollution
Automatically

Enrichment with threat intelligence

Each CVE is matched against the CISA KEV list and assigned an EPSS score, then ranked by a combination of exploitability, direct vs. transitive depth, and severity.

Enrichment signals
CISA KEV flagConfirms active exploitation in the wild
Applied
EPSS scoreProbability of exploitation in 30 days
Applied
Dependency depthDirect vs. transitive weighting
Applied
Ranking signals3 factors combined →
Instantly

Fix PR or dashboard alert

For findings with a clean upgrade path, Lumstep opens a pull request automatically. For everything else, findings are ranked in your dashboard with context on why each one matters.

Outcome per finding
lodash 4.17.20Clean upgrade path to 4.17.21
PR opened
axios 0.21.1Breaking upgrade to 1.7.4
Dashboard alert
This scan1 PR opened, 1 flagged →
Ranked results, not an endless list

Prioritized by real-world risk

Every finding is cross-referenced against CISA's Known Exploited Vulnerabilities list and weighted by EPSS (the probability a CVE gets exploited in the next 30 days). A direct dependency with a KEV flag surfaces at the top. A transitive dependency with a 0.1% EPSS score does not.

Priority ranking
lodash 4.17.20Direct · KEV flagged · EPSS 94%
Fix now
minimist 1.2.5Transitive · no KEV · EPSS 0.1%
Low priority
Ranked byKEV, EPSS, depth →
Ranked results, not an endless list

Fix PRs opened automatically

When a vulnerable dependency has a safe upgrade path, Lumstep calculates the version bump and opens a pull request with the diff and the reasoning behind the version choice. You review and merge - nothing is applied automatically.

Pull request contents
Version diffpackage.json and lockfile updated
Included
ReasoningWhy this version was chosen
Included
You review, you mergeNothing auto-applied →
Ranked results, not an endless list

Seven ecosystems covered

npm, pip/Poetry, Maven/Gradle, Go modules, Cargo, NuGet, and RubyGems are all supported. One scan covers your full stack, including polyglot monorepos.

Ecosystem coverage
npm / pip / PoetryJavaScript & Python
Supported
Maven / GradleJava & Kotlin
Supported
Go modules / CargoGo & Rust
Supported
NuGet / RubyGems.NET & Ruby
Supported
Ecosystems7 of 7 covered →
Ranked results, not an endless list

Continuous monitoring on every commit

Scans trigger on every push - no scheduled jobs to configure, no lag between a commit and detection of a newly introduced vulnerability.

Scan cadence
Scheduled jobsNot required
None needed
TriggerEvery push, every branch
Automatic
Detection lag0 - scans on push →

See which of your dependencies are at risk.

Free early access. Automatic fix PRs available from your first scan.

Get early access