Security check

Vulnerable dependencies: know which ones can actually hit you

Most dependency alerts are noise. We run dependency audit on your lockfiles and surface the most serious ones β€” so you fix the right things first.

Run a free domain scan All checks β†’
Relates to: NIS2 Β· art. 21 β€” supply-chain security ISO 27001 Β· A.8.8 technical vulnerabilities PCI DSS Β· requirement 6

What we check

We read your lockfiles and run dependency audit (pip-audit for Python, npm audit for JS/TS) against known vulnerability databases (incl. OSV). Exploitability prioritisation β€” CISA KEV (proven exploited) and EPSS (probability) β€” is provided via our Threat Radar module for customers who have it.

Why it matters

A CVSS 9.8 dependency alert in a build tool that never runs in production is not the same as an actively exploited vulnerability in an internet-facing service. NIS2 requires supply-chain security β€” but only with correct prioritisation does the work become doable.

How Security Guru tests it

Common mistakes

  • Chasing every high-CVSS alert regardless of reachability β€” exhausts the team
  • Dependabot PRs no one reviews pile up unopened
  • No view of transitive dependencies (that's usually where they sit)
  • Pinned versions never updated 'so nothing breaks'

What you get in the report

  • Vulnerable dependencies ranked by actual exploitability
  • KEV hits (proven exploited) flagged separately
  • Fix version per dependency and whether the update is breaking
  • Mapping to NIS2 supply chain / ISO A.8.8

FAQ

Do you distinguish prod from dev?

Yes. Build and dev dependencies are de-escalated since they aren't a running attack surface β€” that removes a large part of the noise.

What is KEV?

CISA's Known Exploited Vulnerabilities β€” vulnerabilities proven to be exploited in the wild. They're always prioritised highest.

Does it replace Dependabot?

No, it complements it. We add exploitability-based prioritisation on top of raw alerts so the list becomes doable.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan