OWASP dep-scan: Open-source security and risk audit tool

OWASP dep-scan is an open-source security and risk assessment tool that uses information on vulnerabilities, advisories, and licensing restrictions for project dependencies. It supports local repositories and container images as input sources, making it suitable for integration with application security posture management (ASPM) and vulnerability management (VM) platforms and for use in CI environments.


OWASP dep-scan features

Caroline Russell, Staff Security Engineer at AppThreat, outlines the most important features:

  • Depscan utilizes cdxgen to produce Software Bill-of-Materials (SBOMs), which allows us to support many different languages and source code configurations
  • It offers result exports into customizable Jinja reports as well as JSON documents in a couple of standards, including: CycloneDX Vulnerability Disclosure Report (VDR) and Common Security Advisory Framework (CSAF) 2.0
  • Reachability analysis that uses AppThreat/atom to create slices of the source code
  • Deep package risk audit for dependency confusion attacks and maintenance risks
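Because dep-scan can emit its findings as a CycloneDX VDR, a CI job can consume that JSON and fail the build on actionable findings above a chosen severity. The script below is an added example, not code from the dep-scan project: the VDR fields it reads (`vulnerabilities[].ratings[].severity`, `affects[].ref`, `analysis.state`) come from the CycloneDX 1.5 specification, the embedded sample document is constructed for this example, and the path of the report file is taken from the command line because the page does not state the file name dep-scan writes.

```python
"""Gate a CI job on a CycloneDX VDR (Vulnerability Disclosure Report).

Added example; the sample document below is constructed and does not come
from a real dep-scan run. Field names follow the CycloneDX 1.5 schema.
"""
import json
import sys

# CycloneDX rating severities, ordered. Unknown or missing ratings rank
# lowest so a finding without a score is never silently promoted.
SEVERITY_RANK = {"none": 0, "info": 0, "unknown": 0,
                 "low": 1, "medium": 2, "high": 3, "critical": 4}

# CycloneDX analysis states under which a finding needs no action.
NON_ACTIONABLE_STATES = {"not_affected", "false_positive",
                         "resolved", "resolved_with_pedigree"}


def worst_severity(vuln):
    """Highest severity across a vulnerability's ratings ('unknown' if none)."""
    best = "unknown"
    for rating in vuln.get("ratings", []):
        sev = str(rating.get("severity", "unknown")).lower()
        if SEVERITY_RANK.get(sev, 0) > SEVERITY_RANK[best]:
            best = sev
    return best


def blocking_findings(vdr, threshold="high"):
    """Return (id, affected purl, severity) for actionable findings at or above threshold."""
    if vdr.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    min_rank = SEVERITY_RANK[threshold]
    hits = []
    for vuln in vdr.get("vulnerabilities", []):
        # Triage recorded in the report (e.g. not_affected) suppresses the finding.
        if vuln.get("analysis", {}).get("state") in NON_ACTIONABLE_STATES:
            continue
        sev = worst_severity(vuln)
        if SEVERITY_RANK.get(sev, 0) < min_rank:
            continue
        refs = [a.get("ref", "?") for a in vuln.get("affects", [])] or ["?"]
        for ref in refs:
            hits.append((vuln.get("id", "?"), ref, sev))
    return hits


# Constructed sample VDR: placeholder ids and package URLs, not real advisories.
SAMPLE_VDR = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "CONSTRUCTED-0001",
         "ratings": [{"severity": "high", "method": "CVSSv31"},
                     {"severity": "critical", "method": "other"}],
         "affects": [{"ref": "pkg:npm/example-a@1.0.0"}],
         "analysis": {"state": "exploitable"}},
        {"id": "CONSTRUCTED-0002",            # critical but triaged as not affected
         "ratings": [{"severity": "critical"}],
         "affects": [{"ref": "pkg:npm/example-b@2.0.0"}],
         "analysis": {"state": "not_affected"}},
        {"id": "CONSTRUCTED-0003",            # below a 'high' threshold
         "ratings": [{"severity": "medium"}],
         "affects": [{"ref": "pkg:pypi/example-c@1.2.3"}]},
        {"id": "CONSTRUCTED-0004",            # no ratings at all -> 'unknown'
         "affects": [{"ref": "pkg:maven/org.example/example-d@1.0"}]},
    ],
}


def main(argv):
    """Usage: gate.py [vdr.json] [threshold]; exits 1 when blocking findings exist."""
    vdr = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_VDR
    threshold = argv[2] if len(argv) > 2 else "high"
    hits = blocking_findings(vdr, threshold)
    for vid, ref, sev in hits:
        print(f"{sev.upper():9} {vid} affects {ref}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py path/to/report.json high` in the CI step after dep-scan has written its VDR; with no arguments it evaluates the constructed sample and exits non-zero because one critical finding is marked exploitable. The triage states are honoured deliberately so that a finding already recorded as not affected does not keep failing the pipeline.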

Vulnerability data sources:

  • OSV
  • NVD
  • GitHub
  • NPM
  • Linux vuln-list (use --cache-os)

Future development and download

Russell told us that the team is working towards OWASP dep-scan 6.0, which they intend to release near the end of the year. Upcoming features include:

  • A faster backend database for querying vulnerabilities
  • BLint integration
  • User configuration settings: pertaining to automatic updates of the backend threat database, and user-defined scan exclusions

OWASP dep-scan is available for free on GitHub.
