Software Composition Analysis

Know every dependency.
Fix every vulnerability.

Your application is 80% open source code. codelake tracks every package, every version, every known vulnerability.

From direct dependencies to deeply nested transitive packages, codelake's SCA engine continuously monitors your supply chain against the National Vulnerability Database (NVD), the GitHub Advisory Database, OSV, and proprietary threat intelligence feeds.

$ codelake scan --sca .

▸ Dependency analysis running...
  Found package.json, composer.json, requirements.txt
  Resolving 847 direct + 3,219 transitive dependencies...
  Checking against NVD, GitHub Advisories, OSV...

CRITICAL  lodash@4.17.20 — CVE-2021-23337
  ↳ Command injection via _.template · Fix: upgrade to 4.17.21
CRITICAL  log4j-core@2.14.1 — CVE-2021-44228
  ↳ Remote code execution via JNDI lookup · Fix: upgrade to 2.17.1
HIGH      axios@0.21.1 — CVE-2021-3749
  ↳ ReDoS in trim() · Fix: upgrade to 0.21.2

✓ 4,066 packages · 12 vulnerable · 3 critical · 5 high
✓ Auto-fix available for 10 of 12 findings

How It Works

Complete supply chain visibility in four steps.

codelake doesn't just check your direct dependencies — it resolves the entire dependency tree and continuously monitors for new vulnerabilities.

Step 1

Discover Manifests

Automatically detects all package manifests and lock files across your repository — package.json, composer.lock, Pipfile.lock, go.sum, and more. Where both exist, the lock file is what matters: a manifest records version ranges, while the lock file records the exact versions that are actually installed, and those are what vulnerability matching must run against.

Step 2

Resolve Tree

Resolves the complete dependency tree including transitive dependencies. Identifies duplicate packages, version conflicts, and phantom dependencies.

Step 3

Match Vulnerabilities

Every package version is checked against NVD, GitHub Advisory Database, OSV, and codelake's proprietary intelligence for known CVEs.

Step 4

Recommend Fixes

Generates upgrade paths with breaking change analysis. Tells you the minimum safe version and whether the upgrade is compatible with your constraints.
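The four steps above, together with the dependency path and the upgrade report shown further down this page, as one added example in Python. This is illustrative code, not codelake's implementation. Both inputs are constructed: the lockfile mirrors the page's your-app → express → qs → minimist chain and is not the real dependency tree of those packages, and the advisories are records written in the shape OSV uses (package plus SEMVER event ranges), carrying the real CVE ids and fixed versions quoted on the page.

```python
"""Toy SCA pipeline: lockfile -> dependency graph -> advisory match -> fix advice.
Added example, not codelake's code; every input below is constructed (see comments)."""
import json
from collections import deque

# Constructed package-lock.json (lockfileVersion 3). It mirrors the page's example
# chain and is NOT the real dependency tree of these packages.
LOCKFILE = json.dumps({"name": "your-app", "lockfileVersion": 3, "packages": {
    "": {"name": "your-app", "dependencies": {"express": "^4.17.1", "lodash": "^4.17.20", "axios": "^0.21.1"}},
    "node_modules/express": {"version": "4.17.1", "dependencies": {"qs": "6.7.0"}},
    "node_modules/qs": {"version": "6.7.0", "dependencies": {"minimist": "^0.2.1"}},
    "node_modules/minimist": {"version": "0.2.1"},
    "node_modules/lodash": {"version": "4.17.20"},
    "node_modules/axios": {"version": "0.21.1"},
}})

def osv(cve, name, fixed, summary):  # one constructed advisory in OSV's record shape
    return {"id": cve, "summary": summary, "affected": [{
        "package": {"ecosystem": "npm", "name": name},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": fixed}]}]}]}

ADVISORIES = [  # real CVE ids and fixed versions, constructed record wrapper
    osv("CVE-2021-23337", "lodash", "4.17.21", "Command injection via _.template"),
    osv("CVE-2021-44906", "minimist", "1.2.6", "Prototype pollution"),
    osv("CVE-2021-3749", "axios", "0.21.2", "ReDoS in trim()"),
]

def semver(v):
    """'MAJOR.MINOR.PATCH[-pre][+build]' -> comparable tuple; pre-release tags are ignored."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    return tuple(([int(p) for p in core.split(".")] + [0, 0, 0])[:3])

def bump_kind(current, target):
    """How far the fix moves the version: a coarse stand-in for breaking-change analysis."""
    a, b = semver(current), semver(target)
    return "major" if a[0] != b[0] else "minor" if a[1] != b[1] else "patch"

def load_graph(lock_json):
    """Steps 1-2: read the lockfile; resolve deps like Node (nearest node_modules/<name>, walking up)."""
    pkgs = json.loads(lock_json)["packages"]

    def resolve(frm, name):
        while True:
            cand = f"{frm}/node_modules/{name}" if frm else f"node_modules/{name}"
            if cand in pkgs or not frm:
                return cand if cand in pkgs else None
            frm = frm.rsplit("/node_modules/", 1)[0] if "/node_modules/" in frm else ""

    return pkgs, {p: [r for r in (resolve(p, d) for d in m.get("dependencies", {})) if r]
                  for p, m in pkgs.items()}

def dependency_path(edges, target):
    """Shortest root -> target chain (BFS), for the 'how did this get here' display."""
    parent, queue = {"": None}, deque([""])
    while queue and (node := queue.popleft()) != target:
        for nxt in edges.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    chain, node = [], target if target in parent else None
    while node is not None:
        chain.append(node)
        node = parent[node]
    return chain[::-1]

def label(pkgs, path):
    return pkgs[""]["name"] if path == "" else f"{path.rsplit('node_modules/', 1)[1]}@{pkgs[path]['version']}"

def affected_range(advisory, name):
    """Yield (introduced, fixed) from SEMVER ranges that name this npm package."""
    for a in advisory["affected"]:
        if a["package"] == {"ecosystem": "npm", "name": name}:
            for r in a["ranges"]:
                if r["type"] == "SEMVER":  # this toy assumes one introduced/fixed pair per range
                    ev = {k: v for e in r["events"] for k, v in e.items()}
                    yield ev.get("introduced", "0"), ev.get("fixed")

def scan(lock_json, advisories):
    """Steps 3-4: match resolved versions against advisories; attach path, directness and fix."""
    pkgs, edges = load_graph(lock_json)
    findings = []
    for path, meta in pkgs.items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[1]
        for adv in advisories:
            for introduced, fixed in affected_range(adv, name):
                v = semver(meta["version"])
                if v >= semver(introduced) and (fixed is None or v < semver(fixed)):
                    findings.append({
                        "id": adv["id"], "package": name, "version": meta["version"],
                        "summary": adv["summary"], "fix": fixed, "direct": path in edges[""],
                        "bump": bump_kind(meta["version"], fixed) if fixed else None,
                        "path": [label(pkgs, p) for p in dependency_path(edges, path)]})
    return findings

if __name__ == "__main__":
    for f in scan(LOCKFILE, ADVISORIES):
        print(f"{f['package']}@{f['version']} {f['id']} ({'direct' if f['direct'] else 'transitive'}): {f['summary']}")
        print("  path:", " -> ".join(f["path"]), f"\n  fix: upgrade to {f['fix']} ({f['bump']} bump)")
```

Two points the code makes that the prose does not: matching runs against the lock file's resolved versions, never the manifest's ranges, and a transitive finding (minimist here) cannot be fixed by bumping it directly; the direct parent has to move or an override has to be pinned. The bump classification only says how far the version number moves; real breaking-change analysis needs a changelog or API diff.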

Supported Ecosystems

Every package manager. Every lock file.

codelake supports all major package ecosystems out of the box — with automatic detection and zero configuration required.


npm / Yarn / pnpm

Full support for package.json, package-lock.json, yarn.lock, and pnpm-lock.yaml. Resolves workspaces and monorepo structures.

2.1M+ packages tracked


pip / Poetry / Pipenv

Supports requirements.txt, Pipfile.lock, poetry.lock, and pyproject.toml. Handles virtual environments and environment markers (conditional dependencies).

450K+ packages tracked


Composer

Full composer.json and composer.lock support. Resolves platform requirements and PHP version constraints for accurate matching.

380K+ packages tracked


Go Modules

Parses go.mod and go.sum files. Understands Go's minimal version selection and handles replace directives correctly.

200K+ modules tracked


RubyGems / Bundler

Supports Gemfile and Gemfile.lock. Resolves platform-specific gems and handles groups (development, test, production).

175K+ gems tracked


Maven / Gradle

Parses pom.xml, build.gradle, and build.gradle.kts. Resolves parent POMs, BOMs, and version catalogs for complete coverage.

550K+ artifacts tracked

Transitive Dependency Analysis

The vulnerability hiding 7 layers deep.

Most vulnerabilities don't live in your direct dependencies — they're buried in transitive packages you've never heard of. codelake traces the full dependency graph to find them.

  • Full dependency tree resolution
    Resolves every transitive dependency down to the leaf — not just one level deep.

  • Dependency path visualization
    See exactly how a vulnerable package ended up in your project: your-app → package-a → package-b → vulnerable-pkg.

  • Reachability analysis
    Not all vulnerabilities are exploitable. codelake checks if your code actually calls the vulnerable function, reducing false positives by up to 70%. Unreachable findings are deprioritised rather than dropped: static call analysis cannot see dynamic dispatch, reflection, or code paths that only exist at runtime.

  • Phantom dependency detection
    Identifies packages that are used in code but missing from manifests — a common source of build failures and version drift, and a blind spot for scanning, since a package that is not in the manifest is not in the inventory either.
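Reachability analysis and phantom-dependency detection, as one added example in Python that is not codelake's code. It works on Python source using the standard library's ast module and handles the case the bullet above warns about: a module reached only through getattr or __import__ is reported as "unknown" rather than "unreachable". The advisory, the package examplelib and its render function, the manifest, and the three sample files are all constructed; examplelib is a placeholder, not a real package.

```python
"""Reachability and phantom-dependency checks over Python source, using the ast module.
Added example, not codelake's code. The advisory, the package `examplelib`, the manifest
and the sample files are all constructed; examplelib is a placeholder, not a real package."""
import ast
import sys

# Constructed advisory data: the (module, function) a hypothetical CVE lives in.
VULNERABLE_SYMBOLS = {("examplelib", "render")}
# Constructed manifest (a requirements.txt already reduced to distribution names).
MANIFEST = {"examplelib"}
# sys.stdlib_module_names exists from Python 3.10; the fallback keeps the demo portable.
STDLIB = set(getattr(sys, "stdlib_module_names", ())) | {"json", "os", "re", "sys"}

def import_bindings(tree):
    """Map local names to what they import: `import x.y as z` -> modules[z] = 'x.y',
    `from x import y as z` -> symbols[z] = ('x', 'y')."""
    modules, symbols = {}, {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                modules[a.asname or a.name.split(".")[0]] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                symbols[a.asname or a.name] = (node.module, a.name)
    return modules, symbols

def reachability(source, vulnerable):
    """Return ('reachable', hits) if a vulnerable symbol is called, ('unknown', []) if the
    module is only reached dynamically (getattr / __import__), else ('unreachable', [])."""
    tree = ast.parse(source)
    modules, symbols = import_bindings(tree)
    vuln_modules = {m for m, _ in vulnerable}
    hits, dynamic = [], False
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f, target = node.func, None
        if isinstance(f, ast.Name) and f.id in symbols:                      # render(...)
            target = symbols[f.id]
        elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) \
                and f.value.id in modules:                                  # el.render(...)
            target = (modules[f.value.id], f.attr)
        elif isinstance(f, ast.Name) and f.id in ("getattr", "__import__") and node.args:
            first = node.args[0]                                            # getattr(examplelib, op)
            dynamic |= (isinstance(first, ast.Name) and modules.get(first.id) in vuln_modules) \
                or (isinstance(first, ast.Constant) and first.value in vuln_modules)
        if target in vulnerable:
            hits.append((node.lineno, ".".join(target)))
    if hits:
        return "reachable", sorted(hits)
    return ("unknown" if dynamic else "unreachable"), []

def phantom_dependencies(source, manifest):
    """Top-level modules the code imports that are neither in the manifest nor stdlib.
    A real tool also needs an import-name -> distribution map (yaml -> PyYAML);
    this toy compares names directly."""
    modules, symbols = import_bindings(ast.parse(source))
    imported = {m.split(".")[0] for m in modules.values()} | {m.split(".")[0] for m, _ in symbols.values()}
    return sorted(imported - set(manifest) - STDLIB)

# Constructed sample sources: one calls the vulnerable symbol, one never does,
# one reaches the module through getattr so static analysis cannot decide.
APP_REACHABLE = """
import json
import examplelib as el
from examplelib import render as r

def handler(user_input):
    return el.render(user_input) if user_input else r("")
"""
APP_UNREACHABLE = """
import examplelib
import requests

def handler(user_input):
    return requests.get(examplelib.escape(user_input))
"""
APP_DYNAMIC = """
import examplelib

def handler(user_input, op):
    return getattr(examplelib, op)(user_input)
"""

if __name__ == "__main__":
    for name, src in [("reachable", APP_REACHABLE), ("unreachable", APP_UNREACHABLE), ("dynamic", APP_DYNAMIC)]:
        status, hits = reachability(src, VULNERABLE_SYMBOLS)
        print(f"{name}: {status} {hits} phantom={phantom_dependencies(src, MANIFEST)}")
```

The "unknown" outcome is the important one for triage: a tool that silently files dynamic access under "unreachable" is the source of the false negatives that make reachability-based suppression risky. The phantom check is deliberately one-directional; a name imported but absent from the manifest is the finding, since the reverse (declared but unused) is a hygiene issue rather than a scanning gap.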

Dependency Path to Vulnerability

1  your-app
   Root project (the package.json being scanned)
2  express@4.17.1
   Direct dependency in package.json
3  qs@6.7.0
   Transitive via express
!  minimist@0.2.1
   CVE-2021-44906 · Prototype pollution · Fix: upgrade to 1.2.6

Auto-Upgrade Report

Upgrade Recommendations

lodash 4.17.20 → 4.17.21
  Patch upgrade · No breaking changes
axios 0.21.1 → 0.21.4
  Patch upgrade · No breaking changes
express 4.17.1 → 4.18.2
  Minor upgrade · 2 deprecation warnings
webpack 4.46.0 → 5.89.0
  Major upgrade · 14 breaking changes

✓ Auto-PR available for 3 safe upgrades

Auto Upgrade Recommendations

Fix vulnerabilities with one click.

codelake doesn't just find vulnerabilities — it tells you exactly how to fix them, with breaking change analysis so you can upgrade with confidence.

  • Minimum safe version calculation
    Shows the smallest version bump needed to fix the vulnerability — minimizing upgrade risk.

  • Breaking change analysis
    Flags breaking changes, deprecations, and API differences between your current and target version.

  • Auto-generated pull requests
    For safe patch upgrades, codelake can automatically create a PR with updated lock files — ready to merge. Review the lock-file diff before merging: the lock file is what CI actually installs, so it should change only the packages named in the finding.

  • License compliance checking
    Flags incompatible licenses (GPL in proprietary codebases), license changes between versions, and missing license declarations.

Continuous Monitoring

New CVE published? You'll know in minutes.

Dependencies don't become vulnerable only when you scan. codelake continuously monitors your Software Bill of Materials against newly published CVEs and alerts you the moment a new vulnerability affects your stack.


Real-time Alerts

Get notified via Slack, email, or webhook within minutes of a new CVE affecting your dependencies — not days later during the next scan.


SBOM Generation

Export your complete Software Bill of Materials in CycloneDX or SPDX format for compliance, auditing, and supply chain transparency.


Dependency Health Score

Each dependency gets a health score based on maintenance activity, vulnerability history, popularity, and license compatibility.

Secure your supply chain before it's exploited.

Start scanning your dependencies in under 2 minutes. Continuous monitoring included on all plans. No credit card required.