Dependency Scanning
Dependency scanning (also called Software Composition Analysis or SCA) is the process of automatically checking every package your project uses against databases of known vulnerabilities. Given that a typical application has hundreds of dependencies, manual checking is impractical — dependency scanning tools automate this and flag packages with known CVEs.
What dependency scanning checks
Basic dependency scanning checks your package versions against CVE databases. More advanced tools also check for:
- CISA KEV status — is this CVE actively being exploited?
- Transitive dependencies — vulnerabilities in packages your dependencies use
- Supply chain risks — typosquatting, zombie packages, malicious scripts
- License compliance — GPL packages that might affect your license
- Deprecation — packages that are no longer maintained
When to scan
The answer is: always. The three most useful integration points are:
- In CI/CD — block deploys if critical CVEs are found (see GitHub Actions guide)
- In pre-commit hooks — catch vulnerabilities before they enter your git history (see pre-commit guide)
- Manually — before adding a new dependency, paste its manifest into PackageFix and check its CVE history
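The checks above, reduced to working code: an added example (not PackageFix's or any other tool's code) that pins a constructed lockfile-style manifest, matches each version against a constructed advisory database with an affected range, flags CISA KEV status and transitive findings, and returns the block/allow decision a CI gate would use. All package names, advisory ids and ranges are made up for the example.

```python
# Added example, not PackageFix code: a minimal SCA-style scan. Every package
# name, advisory id, version range and KEV flag below is constructed.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed advisories; the affected range is [introduced, fixed).
VULN_DB = [
    {"package": "examplelib", "id": "EXAMPLE-0001", "severity": "critical",
     "introduced": "1.0.0", "fixed": "1.4.2", "kev": True},
    {"package": "examplelib", "id": "EXAMPLE-0002", "severity": "low",
     "introduced": "0.0.0", "fixed": "2.0.0", "kev": False},
    {"package": "otherlib", "id": "EXAMPLE-0003", "severity": "high",
     "introduced": "3.0.0", "fixed": "3.1.0", "kev": False},
]

# Constructed lockfile-style pins. DIRECT lists what the project itself
# requires; anything else in the manifest is a transitive dependency.
MANIFEST = """\
webframework==2.3.1
examplelib==1.2.0   # pulled in by webframework
otherlib==3.1.0
"""
DIRECT = {"webframework", "otherlib"}

def parse_version(v):
    """Dotted numeric versions only, e.g. "1.4.2" -> (1, 4, 2)."""
    return tuple(int(p) for p in v.split("."))

def parse_manifest(text):
    """Parse name==version pins, ignoring comments and blank lines."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, version = line.partition("==")
            pins[name.strip().lower()] = version.strip()
    return pins

def scan(manifest_text, db=VULN_DB, direct=DIRECT):
    """One finding per (package, advisory) whose pinned version is in range."""
    findings = []
    for name, version in parse_manifest(manifest_text).items():
        for adv in db:
            if adv["package"] != name:
                continue
            lo, hi = parse_version(adv["introduced"]), parse_version(adv["fixed"])
            if lo <= parse_version(version) < hi:
                findings.append({"package": name, "version": version, "id": adv["id"],
                                 "severity": adv["severity"], "kev": adv["kev"],
                                 "fixed_in": adv["fixed"], "transitive": name not in direct})
    return findings

def should_block(findings, threshold="critical"):
    """CI gate: fail on anything at or above the threshold, or on any KEV-listed CVE."""
    return any(f["kev"] or SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[threshold]
               for f in findings)
```

With the constructed data, both findings land on the transitive `examplelib` pin and the gate blocks; bumping it to the `fixed_in` version leaves only the low-severity, non-KEV advisory and the gate passes.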
How PackageFix fits in
PackageFix is a manual, browser-based dependency scanner — paste your manifest, get results immediately. It's complementary to automated tools like Dependabot (which opens PRs automatically) or OSV Scanner (which runs in CI). Use PackageFix when you need a quick one-off check, want to see the CISA KEV status, or need a downloadable fixed manifest rather than just a report.