Tool · Free, no signup
Drop in a lockfile or SBOM. Get matched CVEs with KEV and EPSS context in seconds. Files are parsed entirely in your browser.
Files are parsed locally. We only send package names + versions to our matching API — never the file itself, never source code, never secrets.
Supports lockfiles, manifests, and standardised SBOMs across npm, PyPI, Maven, Go, RubyGems, and Cargo. Mixed-ecosystem SBOMs work too.
Every match is enriched with CISA Known Exploited Vulnerabilities status and FIRST EPSS exploit-probability scores so you can prioritise fast.
Export bulk Jira or ServiceNow ticket text with one click. CSV and PDF reports for stakeholders are one click further.
Your file stays on your device. It's parsed in your browser — only package names and versions are sent to our API to look up CVEs. File paths, author info, registry URLs and checksums never leave your device.
We don't log, store or share your manifest server-side. Scan results are cached only in your own browser (localStorage) so you can come back to them — use Clear scan to delete that copy.
Supported manifest files: package.json, package-lock.json, requirements.txt, Pipfile.lock, poetry.lock, pom.xml, go.mod, Gemfile.lock, Cargo.lock, CycloneDX, SPDX
If you already have CVE identifiers from another tool, the bulk analysis view sorts them by KEV, EPSS, and CVSS in one pass.