Dependency Inventory
The /dependencies page is the organization-wide inventory of every package detected by SCA scans — a living index, updated on every scan, deduplicated across projects.
The inventory table
Section titled “The inventory table”| Column | Meaning |
|---|---|
| Package | The package name. |
| Ecosystem | PyPI, npm, Go, crates.io, RubyGems, Maven, Packagist, NuGet, and others. |
| Version(s) | The versions in use, and how many distinct versions exist across projects. |
| Vulnerabilities | Count of known vulnerabilities affecting the versions in use. |
| Projects | How many projects depend on the package. |
| CVEs | Distinct CVE identifiers across those vulnerabilities. |
Search and filters
Section titled “Search and filters”| Control | Effect |
|---|---|
| Search | Match by package name. |
| Ecosystem | Limit to one package ecosystem. |
| Vulnerable only | Hide packages with no known vulnerabilities. |
Package detail
Section titled “Package detail”Click a package to open its detail panel:
- Where it’s used — the projects, branches, and manifest files that pull it in.
- Vulnerabilities — each advisory affecting the versions you run.
- License — the declared license.
- Direct vs. transitive — whether your code depends on the package directly, or it was pulled in by another dependency.
- CVE alerts — any matching alerts from CVE Watch.
Direct vs. transitive
Section titled “Direct vs. transitive”A direct dependency is one your manifest names explicitly; a transitive dependency is pulled in by another package. The distinction matters for remediation — a transitive vulnerability is usually fixed by upgrading the direct dependency that brought it in, not by editing your manifest.
Exporting
Section titled “Exporting”- Export CSV — every package matching the active filters.
- Export SBOM — the whole org inventory as CycloneDX or SPDX JSON.
See Exports for schemas. A single project’s SBOM is exported from its Project Detail Dependencies tab.