Find vulnerable dependencies — most of your risk lives in code you didn't write.
The overwhelming majority of vulnerabilities live in transitive dependencies — code your team never wrote. Connect a repository and heimdallX parses your manifests, queries the OSV database, and turns every vulnerable package into a finding, complete with CVE references that flow into the Validation Core for EPSS/KEV enrichment. A raw SBOM gives you the full component inventory.
Modern apps are mostly dependencies, and most of those are transitive — pulled in by the packages you chose. heimdallX reads npm (package.json) and PyPI (requirements.txt) manifests so the components you actually ship are the ones under analysis.
Each manifest is checked against OSV via a batched query, then bounded advisory lookups pull the detail — CVE aliases and severity. Every vulnerable package becomes a "Vulnerable Dependency" finding whose CVE references flow straight into the Validation Core for KEV and EPSS enrichment.
Dependency findings are mapped to the controls auditors ask about — OWASP A06 (Vulnerable & Outdated Components), PCI-DSS 6.3.3 and ISO 27001 A.8.8 — so software composition risk lands in your compliance posture automatically.
Read npm and PyPI dependency manifests.
Batch-query the OSV vulnerability database.
Pull advisory CVE aliases and severity.
Emit findings + SBOM; CVEs → Validation Core.
package.json → lodash 4.17.11
→ OSV advisory: prototype pollution, alias CVE-2020-28500 · EPSS 0.07
→ mapped: OWASP A06 · PCI 6.3.3 · ISO A.8.8
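The pipeline described above (read manifests, batch-query OSV, pull advisory aliases and severity, emit findings plus an SBOM) is small enough to show end to end. The Python below is an added example written for this page; it is not heimdallX code and makes no claim about how the product is implemented. It uses the real OSV request shapes (`POST /v1/querybatch` with one query per component, then `GET /v1/vulns/{id}` for detail) but performs no network calls: the manifests, the querybatch response and the advisory detail are constructed inline, and the GHSA id is a placeholder. One caveat the example makes explicit: OSV needs a concrete version, so only exact pins are queried, and range specifiers (`^`, `~`, `>=`) are reported as unresolved until a lockfile supplies the installed version.

```python
"""Added example (not heimdallX code): manifests -> OSV querybatch -> findings + SBOM."""
import json
import re

# --- Constructed sample manifests (not from any real project) -------------
PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {"lodash": "4.17.11", "express": "^4.18.2"},
    "devDependencies": {"jest": "~29.7.0"},
})
REQUIREMENTS_TXT = """\
# runtime deps
Requests==2.25.1
Django>=3.2,<4.0        # a range, not an exact pin
-e git+https://example.invalid/internal.git#egg=internal
"""

# Only a PEP 440 "==" pin is an exact version; names are normalised per PEP 503.
_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;,#]+)")


def _normalize_pypi(name):
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_package_json(text):
    """Return (pinned, unresolved). ^/~ ranges need a lockfile to resolve."""
    data = json.loads(text)
    pinned, unresolved = [], []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            if re.fullmatch(r"\d+\.\d+\.\d+", spec):
                pinned.append(("npm", name, spec))
            else:
                unresolved.append(("npm", name, spec))
    return pinned, unresolved


def parse_requirements(text):
    """Return (pinned, unresolved); option lines (-e, -r) and comments are skipped."""
    pinned, unresolved = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _PIN_RE.match(line)
        if m:
            pinned.append(("PyPI", _normalize_pypi(m.group(1)), m.group(2)))
        else:
            unresolved.append(("PyPI", line, None))
    return pinned, unresolved


def build_querybatch(pinned):
    """Request body for POST https://api.osv.dev/v1/querybatch (one query per component)."""
    return {"queries": [{"package": {"name": n, "ecosystem": e}, "version": v}
                        for e, n, v in pinned]}


def build_sbom(pinned):
    """Minimal component inventory with package URLs (CycloneDX-style component list)."""
    return [{"type": "library", "name": n, "version": v,
             "purl": f"pkg:{e.lower()}/{n}@{v}"} for e, n, v in pinned]


# --- Constructed OSV responses, shaped like the real API but not fetched ---
QUERYBATCH_RESPONSE = {"results": [
    {"vulns": [{"id": "GHSA-xxxx-xxxx-xxxx", "modified": "2021-01-01T00:00:00Z"}]},  # lodash
    {},                                                                            # requests
]}
ADVISORIES = {"GHSA-xxxx-xxxx-xxxx": {           # placeholder id; detail from /v1/vulns/{id}
    "id": "GHSA-xxxx-xxxx-xxxx",
    "summary": "Prototype pollution in lodash (constructed)",
    "aliases": ["CVE-2020-28500"],
    "database_specific": {"severity": "MODERATE"},
}}


def findings_from_osv(pinned, batch_response, lookup):
    """querybatch answers per query, in order, with ids only; `lookup(id)` is the
    bounded per-advisory detail call that yields CVE aliases and severity."""
    findings = []
    for (eco, name, ver), result in zip(pinned, batch_response["results"]):
        for ref in result.get("vulns", []):
            adv = lookup(ref["id"])
            findings.append({
                "title": "Vulnerable Dependency",
                "ecosystem": eco, "package": name, "version": ver,
                "advisory": adv["id"],
                "cves": sorted(a for a in adv.get("aliases", []) if a.startswith("CVE-")),
                "severity": adv.get("database_specific", {}).get("severity", "UNKNOWN"),
            })
    return findings


def run():
    pinned, unresolved = [], []
    for p, u in (parse_package_json(PACKAGE_JSON), parse_requirements(REQUIREMENTS_TXT)):
        pinned += p
        unresolved += u
    findings = findings_from_osv(pinned, QUERYBATCH_RESPONSE, ADVISORIES.__getitem__)
    return {"queries": build_querybatch(pinned), "sbom": build_sbom(pinned),
            "findings": findings, "unresolved": unresolved}


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The `cves` list on each finding is the hand-off point: those ids are what a downstream enrichment step would look up against EPSS and CISA KEV. The `unresolved` list is worth surfacing rather than silently dropping, since a range spec that is never resolved is a component missing from both the scan and the SBOM.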
Stop chasing severity. Rank by what's actually exploitable — EPSS probability, CISA KEV, and proven reachability.
Learn more →
Confirm vulnerabilities by safely triggering them — reflected XSS, error-based SQLi and open redirects, proven not guessed.
Learn more →
See findings the way an adversary chains them — mapped to MITRE ATT&CK tactics and techniques.
Learn more →
Run your first scan in under two minutes. Free, no credit card, real findings.
Launch heimdallX