DepTruE scans every repository and pull request for vulnerabilities, secrets, and IaC misconfigurations — and can block risky PRs before they ever merge.
$ deptrue scan --repo my-org/backend
✔ Connected to GitHub · my-org/backend
✔ Scanning 1,248 dependencies...
✖ CRITICAL CVE-2024-3094 [email protected] CVSS 9.8
⚠ HIGH CVE-2024-1234 [email protected] CVSS 7.5
⚠ HIGH SECRET FOUND .env.production API_KEY leaked
→ IaC: 3 misconfigurations in terraform/main.tf
────────────────────────────────────────
2 Critical 3 High 5 Medium
PR #204 BLOCKED
Works with your existing workflow
DepTruE gives security teams and developers full visibility into risk — without slowing down shipping.
Continuously scan all dependencies across your repos against 12M+ CVEs from NVD, GitHub Advisory, and OSV. Get CVSS scores, exploitability context, and fix guidance instantly.
Scan every pull request the moment it opens. Block merges automatically when critical issues are found, with inline comments pointing developers to the exact problem.
Catch leaked API keys, tokens, credentials, and private certificates before they reach your default branch. 500+ pattern rules out of the box.
Detect misconfigurations in Terraform, CloudFormation, Kubernetes, Helm, and Dockerfiles. Map findings to CIS benchmarks and compliance frameworks.
Developers see vulnerability details and fix suggestions directly in the PR diff — no need to leave GitHub, GitLab, or Bitbucket.
Get a real-time security posture view across all connected repositories. Track MTTR, SLA compliance, and trend data. Export reports for audits and compliance reviews.
No agents to deploy. No code changes needed. Connect your SCM and start scanning.
Authorize DepTruE on GitHub, GitLab, or Bitbucket with a single OAuth flow. Select the organizations and repositories you want to monitor.
DepTruE immediately scans your full dependency tree, IaC configs, and commit history for secrets. Results appear in your dashboard in under 2 minutes.
Every new pull request is scanned automatically. Critical findings block the merge, while inline comments guide developers to a fix without leaving their workflow.
New CVEs are checked against your inventory daily. Get alerted when a zero-day affects a package you already ship, with an auto-generated fix PR ready to merge.
Open-source libraries across 10+ package ecosystems, including transitive deps.
500+ patterns for API keys, tokens, credentials, SSH keys, and certificates.
Misconfigurations in cloud and container infrastructure before they reach prod.
Every PR scanned on open and push, with blocking rules and inline comments.
Connect your first repository in under 2 minutes. No credit card required.
Or reach us at [email protected]