Spinnaker RCE research
Use Case

Software Supply Chain Security

Full-stack visibility, minus the noise. Protect your software supply chain with reachability analysis that cuts alert volume by 70%.


Additional information provided by the ZeroPath AI about an RCE it found, stemming from a bad package version.
The Challenge

Sonatype's ten-year retrospective shows supply-chain attacks doubling again in 2024. Conventional Software Composition Analysis tools generate mountains of unreachable CVE alerts, overwhelming security teams and delaying critical upgrades.

Common Pain Points & How ZeroPath Solves Them

Pain Point | How ZeroPath Solves It
Alert overload: thousands of CVEs, most never executed | Reachability analysis: only flags libraries actually invoked by your code
Unmaintained dependencies: 74% of projects use abandoned packages | End-of-life detection: identifies packages without active maintainers
License compliance risk: manual tracking of OSS licenses | Built-in compliance: automated license scanning with CycloneDX SBOMs
Cross-tool blind spots: secrets in dependencies go undetected | Unified analysis: correlates secrets, IaC misconfigs, and vulnerable deps

How it Works

1. Discover

Map your entire dependency tree including transitive dependencies

2. Analyze

Call-graph analysis identifies which code paths are actually reachable

3. Prioritize

Focus on what's reachable in your execution paths, then rank by CISA KEV active-exploitation status and FIRST EPSS exploitation likelihood. Reachable + known-exploited is your top priority. Not reachable, low EPSS, and not in KEV can wait.

4. Remediate

AI-suggested upgrades that won't break your application

Key Capabilities

Reachability-First Analysis

  • Call-graph walking to trace actual code execution
  • 70% alert reduction compared to traditional SCA
  • Function-level precision for vulnerability assessment
  • Cross-language support for polyglot applications

Supply Chain Intelligence

  • End-of-life detection for abandoned packages
  • Maintainer analysis to assess project health
  • Update velocity tracking for security responsiveness
  • Fork detection to identify unofficial versions
  • AI Inventory records the AI components in your code (17 component kinds spanning LLM SDKs, agent frameworks, MCP servers, and model files) on the scans you already run

Compliance & Governance

  • License compatibility checking across dependencies
  • CycloneDX SBOM generation with one click
  • Export to VEX for vulnerability exchange
  • Reachability-aware CycloneDX VEX with each component's analysis state derived from whether your code reaches the vulnerable symbol
  • AI-BOM: a standards-format CycloneDX AI-BOM alongside your SBOM, the AI-native bill of materials for the models, datasets, and AI SDKs your software ships
  • Policy enforcement for approved package lists
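As an added example (not ZeroPath's code, and not a description of its internal logic), the triage rule from "Prioritize" above and the reachability-derived VEX state from the bullet above, written out in Python. The findings, component names, CVE ids and the EPSS threshold are constructed placeholders; the CycloneDX field and enum names are those of the 1.4+ vulnerability `analysis` object.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    component: str
    cve: str
    reachable: bool  # does a call path from our code reach the vulnerable symbol?
    in_kev: bool     # listed in the CISA Known Exploited Vulnerabilities catalog?
    epss: float      # FIRST EPSS probability of exploitation in the next 30 days


EPSS_LOW = 0.05  # assumed threshold for "low EPSS"; tune to your risk appetite


def tier(f: Finding) -> str:
    """Reachable + KEV first; reachable but unconfirmed next; unreachable can wait."""
    if f.reachable and f.in_kev:
        return "P1"
    if f.reachable:
        return "P2"
    if f.in_kev or f.epss >= EPSS_LOW:
        return "P3"  # not reachable today, but exploited or likely: schedule the upgrade
    return "defer"


TIER_ORDER = {"P1": 0, "P2": 1, "P3": 2, "defer": 3}


def prioritize(findings):
    """Sort by tier, then EPSS descending, so the queue starts with what matters."""
    return sorted(findings, key=lambda f: (TIER_ORDER[tier(f)], -f.epss, f.cve))


def vex_analysis(f: Finding) -> dict:
    """CycloneDX VEX 'analysis' object whose state is derived from reachability."""
    if f.reachable:
        return {"state": "exploitable", "detail": "call graph reaches the vulnerable symbol"}
    analysis = {"state": "not_affected", "justification": "code_not_reachable"}
    if tier(f) == "P3":
        analysis["response"] = ["update"]  # unreachable now, but still worth upgrading
    return analysis


# Constructed sample scan output; CVE ids are placeholders, not real identifiers.
SAMPLE = [
    Finding("lib-a", "CVE-0000-0001", reachable=True, in_kev=False, epss=0.02),
    Finding("lib-b", "CVE-0000-0002", reachable=True, in_kev=True, epss=0.97),
    Finding("lib-c", "CVE-0000-0003", reachable=False, in_kev=False, epss=0.01),
    Finding("lib-d", "CVE-0000-0004", reachable=False, in_kev=True, epss=0.97),
]
```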

Unified Risk View

  • Secrets in dependencies detection and correlation
  • IaC misconfigurations that amplify supply chain risk
  • Reachability tracing from a vulnerable dependency to the call sites your code actually reaches, narrowing the list to what's exploitable in your execution paths
  • Business impact scoring based on data sensitivity

Detect & fix what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass