At my previous job, our security scanning happened after production deployment.
BlackDuck and Snyk would run as part of the build pipeline, but by the time results came back, the release was already live. Vulnerabilities became overdue tickets. The cycle was: ship → scan → find CVEs → scramble to fix → ship again.
We had Snyk CLI available for local scanning, but getting it set up was a pain — download issues, config problems, never worked reliably for everyone. For Maven we had IntelliJ's dependency tree view, which was useful. But for npm or Python? Nothing. No way to see what was hiding in your transitive dependencies before shipping.
The part that bothered me most: transitive dependencies. The packages you never installed directly but that get pulled in by your packages. That's where Log4Shell hid. That's where most real vulnerabilities live. None of the free tools we had showed the full picture.
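To make the transitive-dependency problem concrete, here is an added example (my own illustration, not DepAnalyzer's code) that walks an npm `package-lock.json` (lockfileVersion 2/3 `packages` map), records the chain of packages that pulls each transitive dependency in, and cross-checks every resolved version against a list of advisories. The lockfile, the package names and the advisory range are all constructed for the demo; the lookup rule (nearest `node_modules/<name>` walking up from the requiring package) mirrors how npm nests conflicting versions, which is exactly where a second, older copy of a library can hide.

```python
"""List transitive npm dependencies with the chain that pulls them in,
then flag versions that fall inside a known advisory range.
Added example with constructed data; not DepAnalyzer's implementation."""
import json
from collections import deque

# Constructed sample lockfile (not from a real project). "yaml-parser" is
# never a direct dependency, and two copies end up installed: a nested
# 0.9.3 under "logger" and a top-level 1.2.0 pulled in via config-loader.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"web-framework": "^2.0.0", "logger": "^1.0.0"}},
        "node_modules/web-framework": {"version": "2.3.1",
                                       "dependencies": {"config-loader": "^4.0.0"}},
        "node_modules/config-loader": {"version": "4.1.0",
                                       "dependencies": {"yaml-parser": "^1.0.0"}},
        "node_modules/yaml-parser": {"version": "1.2.0"},
        "node_modules/logger": {"version": "1.0.5",
                                "dependencies": {"yaml-parser": "^0.9.0"}},
        "node_modules/logger/node_modules/yaml-parser": {"version": "0.9.3"},
    },
})

# Constructed advisory list: (package, first affected version, first fixed version).
SAMPLE_ADVISORIES = [
    ("yaml-parser", "0.0.0", "1.0.0"),  # hypothetical: everything below 1.0.0 affected
]


def parse_version(version):
    """Turn '1.2.0' into (1, 2, 0) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def resolve(packages, from_path, dep_name):
    """Mimic npm's lookup: nearest node_modules/<dep_name> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep_name}" if base else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # not installed anywhere above us (e.g. optional dep)
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""  # drop the innermost package segment


def dependency_tree(lock_text):
    """Breadth-first walk from the root; returns install path -> entry.

    Each entry records the resolved version, the chain of names that led to it
    and whether it is a direct dependency (chain length 1)."""
    packages = json.loads(lock_text)["packages"]
    tree = {}
    queue = deque()
    for dep in packages[""].get("dependencies", {}):
        path = resolve(packages, "", dep)
        if path:
            queue.append((path, [dep]))
    while queue:
        path, chain = queue.popleft()
        if path in tree:
            continue  # the same installed copy can be reached by several chains
        info = packages[path]
        tree[path] = {"name": chain[-1], "version": info["version"],
                      "chain": chain, "direct": len(chain) == 1}
        for dep in info.get("dependencies", {}):
            dep_path = resolve(packages, path, dep)
            if dep_path:
                queue.append((dep_path, chain + [dep]))
    return tree


def find_affected(tree, advisories):
    """Return every installed copy whose version lies in an advisory range."""
    hits = []
    for entry in tree.values():
        version = parse_version(entry["version"])
        for name, lo, hi in advisories:
            if entry["name"] == name and parse_version(lo) <= version < parse_version(hi):
                hits.append({"name": name, "version": entry["version"],
                             "chain": " -> ".join(entry["chain"])})
    return hits


if __name__ == "__main__":
    tree = dependency_tree(SAMPLE_LOCK)
    for path, entry in tree.items():
        kind = "direct" if entry["direct"] else "transitive"
        print(f"{kind:10} {entry['name']}@{entry['version']}  via {' -> '.join(entry['chain'])}")
    for hit in find_affected(tree, SAMPLE_ADVISORIES):
        print(f"AFFECTED {hit['name']}@{hit['version']}  pulled in by {hit['chain']}")
```

Running it reports five installed packages, three of them transitive, and flags only the nested `yaml-parser@0.9.3` reached through `logger`; the top-level 1.2.0 copy is clean. A scanner that only looks at the first copy of each name, or only at direct dependencies, would miss that hit.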
So I built DepAnalyzer.