Manifest review · no API key
Dependency vulnerability scanner
Paste a package manifest to map its ecosystem, identify review signals, and get the right scanner command and CI starting point.
Start with the manifest
Paste package.json, requirements.txt, pom.xml, or go.mod
Related developer tools
Continue with authorized security and agent tooling research
FAQ
Security tool questions
Does this find CVEs?
No. The MVP parses a manifest locally and flags review signals such as floating versions or URL dependencies. Run npm audit, pip-audit, OWASP Dependency-Check, govulncheck, or OSV-Scanner for advisory data.
Which dependency files are supported?
The first version supports package.json, requirements.txt, pom.xml, and go.mod. Lockfiles are intentionally not parsed as a substitute for a real scanner.
Are pasted files uploaded?
No. Parsing happens in the browser and the page does not send the file to an external API.
Can a clean result be treated as safe?
No. A clean heuristic result only means this page found no supported signal. Use a current scanner, review transitive dependencies, and apply your release policy.