Skip to content

Dependency Inventory

The /dependencies page is the organization-wide inventory of every package detected by SCA scans — a living index, updated on every scan, deduplicated across projects.

ColumnMeaning
PackageThe package name.
EcosystemPyPI, npm, Go, crates.io, RubyGems, Maven, Packagist, NuGet, and others.
Version(s)The versions in use, and how many distinct versions exist across projects.
VulnerabilitiesCount of known vulnerabilities affecting the versions in use.
ProjectsHow many projects depend on the package.
CVEsDistinct CVE identifiers across those vulnerabilities.
ControlEffect
SearchMatch by package name.
EcosystemLimit to one package ecosystem.
Vulnerable onlyHide packages with no known vulnerabilities.

Click a package to open its detail panel:

  • Where it’s used — the projects, branches, and manifest files that pull it in.
  • Vulnerabilities — each advisory affecting the versions you run.
  • License — the declared license.
  • Direct vs. transitive — whether your code depends on the package directly, or it was pulled in by another dependency.
  • CVE alerts — any matching alerts from CVE Watch.

A direct dependency is one your manifest names explicitly; a transitive dependency is pulled in by another package. The distinction matters for remediation — a transitive vulnerability is usually fixed by upgrading the direct dependency that brought it in, not by editing your manifest.

  • Export CSV — every package matching the active filters.
  • Export SBOM — the whole org inventory as CycloneDX or SPDX JSON.

See Exports for schemas. A single project’s SBOM is exported from its Project Detail Dependencies tab.