Manifest review · no API key

Dependency vulnerability scanner

Paste a package manifest to map its ecosystem, identify review signals, and get the right scanner command and CI starting point.

Offline heuristic only. This page is not a real-time CVE scanner and will never claim a dependency is safe from a pasted file alone.
US volume 40Global volume 220KD 24%CPC $9.87Intent InformationalCompetition 0.55Variants 10

Start with the manifest

Paste package.json, requirements.txt, pom.xml, or go.mod

FAQ

Security tool questions

Does this find CVEs?

No. The MVP parses a manifest locally and flags review signals such as floating versions or URL dependencies. Run npm audit, pip-audit, OWASP Dependency-Check, govulncheck, or OSV-Scanner for advisory data.

Which dependency files are supported?

The first version supports package.json, requirements.txt, pom.xml, and go.mod. Lockfiles are intentionally not parsed as a substitute for a real scanner.

Are pasted files uploaded?

No. Parsing happens in the browser and the page does not send the file to an external API.

Can a clean result be treated as safe?

No. A clean heuristic result only means this page found no supported signal. Use a current scanner, review transitive dependencies, and apply your release policy.