Software Composition Analysis

Dependency security that thinks

Inventory is table stakes. ZeroPath ranks every dependency CVE by whether your code reaches it, whether it's being exploited in the wild, and how likely it is to be, then opens the upgrade PR.

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • 70%: noise reduction with exploitability analysis
  • 35+: package ecosystems supported
  • Daily: KEV + EPSS refresh on every CVE

Comprehensive Package Coverage

Scan dependencies across all major package ecosystems with deep vulnerability intelligence

  • npm/yarn/pnpm
  • PyPI/pip
  • Maven/Gradle
  • Go Modules
  • Cargo/crates.io
  • NuGet
  • Composer
  • Docker/OCI


Exploitability Analysis

Determine which vulnerabilities your code actually uses

  • Usage-Based Risk: Identifies whether vulnerable dependencies are actually used in the ways described by the CVE
  • AI-Assessed CVSS 4.0 Scores: Vulnerabilities are ranked by what they mean for your apps, not what the generic severity says
  • Real-time Updates: Stay protected with up-to-date vulnerability intelligence across all package ecosystems
EXPLOIT INTELLIGENCE

Know what's being exploited, not just what's vulnerable.

Reachability tells you a CVE is exploitable in your code. CISA KEV and FIRST EPSS tell you it's under attack in the wild. ZeroPath enriches every dependency CVE with both, refreshed daily.

  • CISA KEV: findings flagged known-exploited, with the date CISA listed them and a known-ransomware-campaign flag.
  • FIRST EPSS: a 30-day exploit-probability and percentile on every CVE, so you can rank the ones nobody's exploiting yet.
  • Refreshed daily, fail-loud. A feed outage shows a coverage warning instead of silently serving stale intel.
  • Findings that are both reachable and known-exploited rise to the top of the queue.
Real-time Protection

Dependency Management

Focus on vulnerabilities that matter

  • Package Ecosystem Support: npm, PyPI, Maven, RubyGems, NuGet, Go modules, and more
  • Automated Updates: Generate PRs with updated dependency versions
  • SBOM Export: CycloneDX format for supply chain security and compliance
  • Blast radius: before you merge an upgrade, ZeroPath classifies every call site the version bump touches (safe, needs-review, or breaking, riskiest first) so a security patch never becomes a surprise outage.
Risk Posture

See the shape of your risk, not a pile of CVEs

A dependency scan turns up thousands of CVEs, and most tools stop there. ZeroPath runs them down a funnel, so the top of your queue is the handful that are reachable in your code and actually being exploited.

  • Every open dependency CVE: the full list, before anything is filtered
  • Reachable in your code: your code actually calls the vulnerable path
  • Likely exploitable: reachable and validated, or already known-exploited
  • Known exploited (KEV): on CISA's active-exploitation list

Each stage is a strict subset of the one above it, so the counts always reconcile.

The SCA risk posture view, narrowing open findings to reachable, likely-exploitable, and known-exploited.
Coverage

Honest about what it couldn't see

A clean report on a half-resolved lockfile is worse than no report at all. ZeroPath shows how much of your dependency tree it actually resolved, and it never calls a manifest clean when it could not read the whole thing.

  • Resolution coverage: how much of each ecosystem's tree resolved, scan by scan.
  • Missing lockfile: a manifest with no lockfile is flagged, not quietly skipped.
  • Unresolved transitives: when the deep tree cannot be fully walked, you see exactly where.
  • License lookup failed: a license we couldn't fetch is marked unknown, never assumed safe.

The SCA coverage view, with per-ecosystem resolution stats and scan warnings.
Dependency Paths

Know why a package is even in your tree

A vulnerable package you have never heard of is almost always dragged in by one you have. ZeroPath traces it back through the graph to the direct dependency that introduced it, so you know exactly what to bump or replace.

your-app → web-framework → http-client → vulnerable-pkg
The dependency path view, tracing a transitive package back to the direct dependency that pulled it in.
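The Coverage and Dependency Paths sections both reduce to walking the resolved dependency graph. The following is an added example, not ZeroPath's code; the graph is a constructed stand-in for a parsed lockfile, using the placeholder names from the diagram above plus one deliberately unresolved package. It traces a transitive package back to the direct dependency that pulled it in, reports resolution coverage with the exact location of each unresolved transitive, and flags a manifest that has no lockfile rather than skipping it.

```python
"""Dependency-graph path tracing and resolution coverage (added example)."""
from collections import deque

# Constructed graph: package -> its declared dependencies. A name that appears
# only as an edge target, with no entry of its own, is an unresolved transitive.
SAMPLE_GRAPH = {
    "your-app": ["web-framework", "logging-lib"],
    "web-framework": ["http-client", "template-engine"],
    "http-client": ["vulnerable-pkg"],
    "template-engine": [],
    "vulnerable-pkg": [],
    "logging-lib": ["unresolved-pkg"],  # the lockfile never resolved this one
}
ROOT = "your-app"


def trace_to_direct(graph, target, root=ROOT):
    """Shortest path from the root to `target` via BFS. The second element of
    the path is the direct dependency that introduced the package."""
    parents = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for dep in graph.get(node, []):
            if dep not in parents:  # visited check also guards against cycles
                parents[dep] = node
                queue.append(dep)
    return None  # not in the tree at all


def resolution_coverage(graph, root=ROOT):
    """Count referenced vs. resolved packages and name where each unresolved
    transitive sits, so a half-resolved tree is never reported as clean."""
    referenced = {dep for deps in graph.values() for dep in deps}
    unresolved = sorted(p for p in referenced if p not in graph)
    warnings = []
    for pkg in unresolved:
        path = trace_to_direct(graph, pkg, root)
        warnings.append(f"unresolved transitive {pkg} via {' -> '.join(path)}")
    return {"resolved": len(referenced) - len(unresolved),
            "referenced": len(referenced),
            "warnings": warnings}


def check_manifests(manifest_to_lockfile):
    """Flag manifests with no lockfile. Input maps manifest name -> lockfile
    name, or None when no lockfile was found beside it."""
    return [f"missing lockfile for {manifest}"
            for manifest, lock in manifest_to_lockfile.items() if lock is None]


if __name__ == "__main__":
    path = trace_to_direct(SAMPLE_GRAPH, "vulnerable-pkg")
    print(" -> ".join(path), "| bump or replace:", path[1])
    print(resolution_coverage(SAMPLE_GRAPH))
    print(check_manifests({"package.json": "package-lock.json", "requirements.txt": None}))
```

On the sample graph the vulnerable package traces to `web-framework`, five of six referenced packages resolve, and the warning names the exact branch (`your-app -> logging-lib -> unresolved-pkg`) that could not be walked.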

Start Securing Your Supply Chain Today

See how ZeroPath's SCA reduces vulnerability noise by 70% while ensuring nothing critical is missed

Smart Remediation

End-of-Life Component Detection

Track when components reach end-of-life before they become security risks

  • Operating Systems: Ubuntu, RHEL, CentOS, Debian, Alpine, and container base images
  • Languages & Runtimes: Python, Node.js, Ruby, Java, PHP, Go, .NET version tracking
  • Frameworks & Libraries: Monitor deprecation for Rails, Django, Spring, databases, and dependencies with CVSS 4.0 risk scoring

Complete Stack Monitoring

Track end-of-life status across your entire technology stack

Operating Systems

  • Ubuntu LTS versions
  • RHEL & CentOS tracking
  • Alpine & Debian
  • Container base images

Languages & Runtimes

  • Python versions
  • Node.js releases
  • Java/JDK support
  • .NET framework
  • 35+ languages, frameworks, and technologies

Frameworks & Databases

  • Rails & Django
  • Spring versions
  • PostgreSQL & MySQL
  • Redis & MongoDB

Detect & fix what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass