§01 Software supply-chain triage

Audit your dependencies. Generate the SBOM. Done.

Drop a lockfile, get a prioritized risk report and a CycloneDX SBOM in 30 seconds. No account, no CLI, no lockfile ever written to disk.

  • package-lock.json
  • yarn.lock · pnpm-lock.yaml
  • requirements.txt · Pipfile.lock
  • go.sum
Scan your lockfile · 3 free scans/day · EU CRA ready
§02 The scanner in-memory · zero-retention

Drop your lockfile here

or tap to browse — parsed in memory, never written to disk.

package-lock.json · yarn.lock · requirements.txt · go.sum · Pipfile.lock — max 5 MB


Lockfile parsed in memory · never written to disk · deleted after scoring

§03 How it works

Three steps from lockfile to compliance-ready SBOM.

  1. Drop your lockfile

     package-lock.json, yarn.lock, requirements.txt, go.sum, Pipfile.lock — sent over HTTPS, parsed in memory, never written to disk.

  2. Get a ranked risk report

     Each package scored by CVE severity × reachability depth × maintainer activity. Critical and direct dependencies surface at the top — not buried in 1,400 entries.

  3. Export SBOM for compliance

     Download a CycloneDX 1.5 JSON SBOM ready for your EU CRA, FedRAMP or SOC 2 audit — or a CSV triage list to share with the team.

§04 Why DepTriage

A scanner that respects your time and your lockfile.

01 / Triage

Reachability-aware scoring

We don't dump 1,400 vulns at the same severity. Score blends CVE rating, dependency depth and maintainer signal — so you fix what actually matters first.
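As an added worked example (not DepTriage's own code, which this page does not publish), here is the three-step flow above and the depth-aware scoring blend in one small Python script: it parses a constructed lockfileVersion 3 package-lock.json, walks the dependency graph from the root entry using npm's nearest-ancestor resolution to get each package's depth, blends a severity scale, a depth weight and a maintainer-staleness weight into one score, and emits a minimal CycloneDX 1.5 document. The sample lockfile, the advisory table with its placeholder IDs, the days-since-release figures and all weights are constructed assumptions; the scoring formula is an illustration of the idea, not DepTriage's actual formula.

```python
"""Lockfile -> depth-aware risk ranking -> CycloneDX 1.5 SBOM (illustrative, not DepTriage's code)."""
import json
from collections import deque

# Constructed sample package-lock.json (lockfileVersion 3 shape): a root entry ""
# plus one "node_modules/<path>" entry per installed package, each with its own
# "dependencies" map. Package names and versions are made up.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^4.0.0", "left-pad": "^1.0.0"}},
        "node_modules/web-framework": {"version": "4.2.0",
                                       "dependencies": {"body-parser-x": "^1.0.0"}},
        "node_modules/body-parser-x": {"version": "1.1.0",
                                       "dependencies": {"qs-lib": "^6.0.0"}},
        "node_modules/qs-lib": {"version": "6.5.0"},
        "node_modules/left-pad": {"version": "1.3.0",
                                  "dependencies": {"qs-lib": "^6.9.0"}},
        # nested copy: left-pad needs a newer qs-lib than the hoisted one
        "node_modules/left-pad/node_modules/qs-lib": {"version": "6.9.1"},
    },
})

# Constructed advisory data keyed by (name, version); the IDs are placeholders.
ADVISORIES = {
    ("qs-lib", "6.5.0"): [("ADV-PLACEHOLDER-1", "high")],
    ("left-pad", "1.3.0"): [("ADV-PLACEHOLDER-2", "low")],
}
# Constructed maintainer signal: days since the package's last release.
DAYS_SINCE_RELEASE = {"web-framework": 20, "body-parser-x": 400, "qs-lib": 900, "left-pad": 1500}
SEVERITY = {"critical": 10.0, "high": 7.5, "medium": 5.0, "low": 2.0}  # assumed scale


def resolve(packages, parent_path, name):
    """npm lookup: <parent>/node_modules/<name>, then each ancestor's node_modules."""
    path = parent_path
    while True:
        candidate = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not path:
            return None
        path = path.rsplit("/node_modules/", 1)[0] if "/node_modules/" in path else ""


def depth_map(packages):
    """BFS from the root entry. depth 1 = direct dependency. Returns {lock_path: depth}."""
    depths, queue = {}, deque([("", 0)])
    while queue:
        path, d = queue.popleft()
        for dep in packages[path].get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is None or target in depths:
                continue
            depths[target] = d + 1
            queue.append((target, d + 1))
    return depths


def pkg_name(path):
    return path.rsplit("node_modules/", 1)[-1]


def score(name, version, depth):
    """Assumed blend: max CVE severity x (1/depth) x staleness factor in [1, 2]."""
    sev = max((SEVERITY[s] for _, s in ADVISORIES.get((name, version), [])), default=0.0)
    staleness = 1.0 + min(DAYS_SINCE_RELEASE.get(name, 0), 1095) / 1095  # 3 years caps at 2x
    return round(sev * (1.0 / depth) * staleness, 2)


def risk_report(lock_text):
    """Ranked rows: highest risk first, shallower (more directly reachable) deps first on ties."""
    packages = json.loads(lock_text)["packages"]
    rows = []
    for path, depth in depth_map(packages).items():
        name, version = pkg_name(path), packages[path]["version"]
        advs = ADVISORIES.get((name, version), [])
        rows.append({"package": name, "version": version, "depth": depth,
                     "cves": [a for a, _ in advs],
                     "max_severity": max((s for _, s in advs), key=SEVERITY.get, default="none"),
                     "risk": score(name, version, depth)})
    return sorted(rows, key=lambda r: (-r["risk"], r["depth"]))


def cyclonedx_sbom(lock_text):
    """Minimal CycloneDX 1.5 JSON: components with purls, dependency graph, vulnerabilities."""
    lock = json.loads(lock_text)
    packages, depths = lock["packages"], depth_map(lock["packages"])
    purl = lambda p: f"pkg:npm/{pkg_name(p)}@{packages[p]['version']}"
    deps_of = lambda p: [purl(t) for d in packages[p].get("dependencies", {})
                         if (t := resolve(packages, p, d)) is not None]
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application", "name": lock["name"], "bom-ref": lock["name"]}},
        "components": [{"type": "library", "name": pkg_name(p), "version": packages[p]["version"],
                        "purl": purl(p), "bom-ref": purl(p)} for p in depths],
        "dependencies": [{"ref": lock["name"], "dependsOn": deps_of("")}]
                        + [{"ref": purl(p), "dependsOn": deps_of(p)} for p in depths],
        "vulnerabilities": [{"id": adv, "ratings": [{"severity": sev}], "affects": [{"ref": purl(p)}]}
                            for p in depths
                            for adv, sev in ADVISORIES.get((pkg_name(p), packages[p]["version"]), [])],
    }


if __name__ == "__main__":
    for row in risk_report(SAMPLE_LOCK):
        print(f"{row['risk']:>5}  {row['package']}@{row['version']}  depth={row['depth']}  {row['cves']}")
    print(json.dumps(cyclonedx_sbom(SAMPLE_LOCK), indent=2))
```

Two things the example makes visible that the prose only asserts: a package can appear twice in one lockfile at different versions and depths (the hoisted qs-lib 6.5.0 at depth 3 versus the nested 6.9.1 at depth 2), so scoring has to key on (name, version, install path) rather than name alone; and a low-severity advisory on a long-unmaintained direct dependency can rank close to a high-severity one buried three levels down, which is the point of blending the signals instead of sorting by CVSS.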

02 / Compliance

EU CRA & SBOM-ready

Export CycloneDX 1.5 JSON. Designed for the EU Cyber Resilience Act, US EO 14028 and SOC 2 evidence packs — drop it straight in your audit folder.

03 / Privacy

Lockfile never persisted

Your file is parsed in memory and discarded after scoring. No accounts, no logs, no disk writes — just the report.

04 / Speed

30 seconds, no setup

No CLI to install, no GitHub app to authorize, no enterprise sales call. Paste the lockfile and you have an answer before your coffee cools.

§05 Questions

Frequently asked.

Are my lockfiles stored on your servers?
No. Your lockfile is parsed in memory and discarded after the risk score is computed. Nothing is written to disk or retained.
Which formats do you support?
package-lock.json (npm), yarn.lock, pnpm-lock.yaml, requirements.txt (Python), Pipfile.lock and go.sum.
Can I use this via API?
A REST API is coming soon. If you need it urgently, contact us — we can arrange early access.
What happens after I use 3 free scans?
You'll see a paywall. You can purchase 50 scan credits for $9 (one-time, never expire) or subscribe to Unlimited for $29/month. Payment is handled securely by Stripe.
Is the SBOM compliant with the EU Cyber Resilience Act?
Yes — DepTriage exports CycloneDX 1.5, the format explicitly accepted by EU CRA guidance. Each export contains the dependency graph, package URLs, and CVE references required for a compliant SBOM submission.

§06 Pricing

Start free. Upgrade when you need more.

Free
$0
forever
  • 3 scans per day · max 500 packages
  • All lockfile formats
  • CycloneDX 1.5 SBOM export
  • No account required
Start free
Unlimited
$29/mo
cancel anytime
  • Unlimited scans · email reports
  • All lockfile formats
  • Full CycloneDX 1.5 SBOM export
  • Priority support

Payments processed securely by Stripe. We never store card details.