DepGraph

DepGraph is a web app (with a lightweight CLI) that continuously maps and enforces your software supply chain risk. It ingests SBOMs from builds and correlates them with known vulnerabilities, maintainer trust signals, license constraints, and “blast radius” (which services import what).

Instead of dumping CVE noise, it produces a prioritized, actionable queue: which dependency upgrades actually reduce real risk, which transitive packages are the true culprit, and what breaks if you patch. It adds policy gates for CI/CD (e.g., block releases if a high-exploitability vuln is reachable in production code paths, or if a new dependency is unmaintained).

Realistically, it won’t replace SCA giants on day one; it wins by being simpler, faster to adopt, and focused on decision-grade prioritization and governance for small-to-mid teams that are currently drowning in alerts.