Security suite
CVE-aware dependency scanning with usage and reachability triage, secret detection across full git history, SBOM/VEX export, a nightly CVE refresh, compliance reports, and an insert-only audit trail.
Every Pro+ repo gets a security scan with each index: the dependency inventory is matched against OSV.dev, secrets are hunted across the entire git history (not just HEAD), and the results land in the repo's Security hub (Repos → your repo → Security).
What makes it different from a plain scanner is that findings are graph-aware and usage-aware: Repowise already knows what your code imports, what's dead, and which files are hotspots, so it can tell you which vulnerabilities actually matter in your codebase instead of handing you a flat CVE list.
Vulnerabilities (Pro+)
- Full inventory matching — every dependency (including transitives via lockfiles) matched against OSV, with severity from CVSS, exploitation context from CISA KEV and EPSS, and a single priority score that ranks the queue for you.
- Usage triage — each finding is labelled by what your code actually does with the package: used, imported but unreachable, not imported, or dev-only. A critical CVE in a package you never import is not your first problem; the triage makes that explicit.
- Function-level reachability — advisories that name affected symbols are crossed with your imports; provably unreachable findings are discounted. Coverage is per-ecosystem and labelled honestly.
- Nightly CVE refresh — new advisories are matched against your stored inventory every night, no re-index needed. Anything new and critical/high/KEV raises an alert (bell, webhook, email).
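The usage-triage and priority-ranking steps above, as an added worked example (not Repowise's own code). The inventory, import graph and advisories are constructed inline, the OSV ids are placeholders, and the priority formula (CVSS scaled by EPSS and a usage weight, plus a fixed bump for CISA KEV entries) is an illustrative weighting, not the product's scoring:

```python
"""Usage-aware triage of OSV-style findings (added illustration).

Assumptions: inventory, imports and advisories are constructed; the
priority formula is illustrative, not Repowise's.
"""
from dataclasses import dataclass


@dataclass
class Dep:
    name: str
    version: str
    dev_only: bool = False          # came from a dev/test dependency group


@dataclass
class Advisory:
    osv_id: str
    package: str
    cvss: float                     # CVSS base score
    epss: float                     # EPSS exploitation probability, 0..1
    in_kev: bool                    # listed in CISA KEV
    affected_symbols: tuple = ()    # symbols the advisory names, if any


# Constructed sample data (placeholder ids, not real advisories).
INVENTORY = [Dep("requests", "2.19.0"), Dep("pyyaml", "5.1"),
             Dep("lodash-py", "1.0"), Dep("pytest", "7.0", dev_only=True)]
# Symbols the scanned code imports from each package (from a graph walk).
IMPORTS = {"requests": {"get"}, "pyyaml": {"safe_load"}}
ADVISORIES = [
    Advisory("OSV-EXAMPLE-1", "requests", 7.5, 0.40, True),
    Advisory("OSV-EXAMPLE-2", "pyyaml", 9.8, 0.30, False, ("load", "full_load")),
    Advisory("OSV-EXAMPLE-3", "lodash-py", 9.1, 0.05, False),
    Advisory("OSV-EXAMPLE-4", "pytest", 8.0, 0.02, False),
]


def usage_label(adv, deps, imports):
    """Classify what the codebase actually does with the affected package."""
    dep = next((d for d in deps if d.name == adv.package), None)
    if dep is None:
        return "not in inventory"
    if dep.dev_only:
        return "dev-only"
    used = imports.get(adv.package)
    if not used:
        return "not imported"
    # Function-level reachability: advisory names symbols we never import.
    if adv.affected_symbols and not (set(adv.affected_symbols) & used):
        return "imported but unreachable"
    return "used"


USAGE_WEIGHT = {"used": 1.0, "imported but unreachable": 0.3,
                "not imported": 0.15, "dev-only": 0.1, "not in inventory": 0.0}


def priority(adv, label):
    """Illustrative score: severity x exploitation likelihood x usage."""
    score = adv.cvss * (0.5 + adv.epss) * USAGE_WEIGHT[label]
    if adv.in_kev:
        score += 5.0   # known-exploited jumps the queue regardless of EPSS
    return round(score, 2)


def triage(advisories=ADVISORIES, deps=INVENTORY, imports=IMPORTS):
    """Return (osv_id, usage label, priority) rows, highest priority first."""
    rows = []
    for adv in advisories:
        label = usage_label(adv, deps, imports)
        rows.append((adv.osv_id, label, priority(adv, label)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for osv_id, label, score in triage():
        print(f"{score:6.2f}  {osv_id:16} {label}")
```

With this data the CVSS 9.8 pyyaml advisory drops below the CVSS 7.5 requests one: the affected symbols are never imported, while the requests finding is both used and in KEV. That reordering is the point of usage-aware triage.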
Secrets (Pro+)
- Leaked credentials across every commit ever made, with live-at-HEAD flagging — a key that's still in the working tree is a different emergency than one deleted two years ago.
- Provider-specific revocation links (GitHub PATs, AWS, Stripe, and many more) so the fix is one click away.
- Rotation reminders — a live secret that sits unrotated past 90 days nudges the owner once (never a daily nag).
- Only redacted previews are ever stored. Secret values never leave the scanner.
SBOM + VEX export (Pro+)
The dependency inventory exports as a standard CycloneDX SBOM, and your triage decisions export as a VEX document that downstream scanners and auditors consume. Snapshot-to-snapshot SBOM diffs show exactly what changed.
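What a CycloneDX SBOM, a VEX document carrying triage decisions, and a snapshot-to-snapshot diff look like in practice, as an added example (not Repowise's exporter). The two snapshots and the OSV id are constructed; the field names (bomFormat, specVersion, components[].purl, vulnerabilities[].analysis.state/justification, affects[].ref) follow the CycloneDX JSON schema, and the mapping from usage label to VEX state is this example's own choice:

```python
"""CycloneDX SBOM + VEX generation and SBOM diffing (added illustration).

Assumptions: snapshots and ids are constructed; the triage-label to VEX
state mapping is this example's choice, not Repowise's.
"""
import json


def purl(ecosystem, name, version):
    # Package URL, pkg:<type>/<name>@<version>: the only thing a matcher needs.
    return f"pkg:{ecosystem}/{name}@{version}"


def make_sbom(snapshot):
    """snapshot: list of (ecosystem, name, version) tuples -> CycloneDX dict."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": [
            {"type": "library", "name": n, "version": v, "purl": purl(e, n, v)}
            for e, n, v in snapshot
        ],
    }


# Usage-triage label -> CycloneDX VEX analysis block (example mapping).
TRIAGE_TO_VEX = {
    "used": {"state": "exploitable"},
    "imported but unreachable": {"state": "not_affected",
                                 "justification": "code_not_reachable"},
    "not imported": {"state": "not_affected",
                     "justification": "code_not_present"},
    "dev-only": {"state": "in_triage"},   # left for a human to decide
}


def make_vex(decisions):
    """decisions: list of (vuln_id, purl, triage_label) -> CycloneDX VEX dict."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "vulnerabilities": [
            {"id": vid, "analysis": TRIAGE_TO_VEX[label], "affects": [{"ref": ref}]}
            for vid, ref, label in decisions
        ],
    }


def diff_sbom(old, new):
    """Return (added, removed, changed) component names; changed = version bump."""
    old_by = {c["name"]: c["version"] for c in old["components"]}
    new_by = {c["name"]: c["version"] for c in new["components"]}
    added = sorted(set(new_by) - set(old_by))
    removed = sorted(set(old_by) - set(new_by))
    changed = sorted((n, old_by[n], new_by[n])
                     for n in set(old_by) & set(new_by) if old_by[n] != new_by[n])
    return added, removed, changed


# Constructed snapshots (not real release data).
SNAP_A = [("pypi", "requests", "2.19.0"), ("pypi", "pyyaml", "5.1"), ("pypi", "six", "1.16.0")]
SNAP_B = [("pypi", "requests", "2.31.0"), ("pypi", "pyyaml", "5.1"), ("pypi", "idna", "3.4")]

if __name__ == "__main__":
    a, b = make_sbom(SNAP_A), make_sbom(SNAP_B)
    print(json.dumps(diff_sbom(a, b)))
    vex = make_vex([("OSV-EXAMPLE-2", purl("pypi", "pyyaml", "5.1"),
                     "imported but unreachable")])
    print(json.dumps(vex, indent=2))
```

A downstream scanner that reads the VEX alongside the SBOM sees the pyyaml finding as not_affected with the code_not_reachable justification and can suppress it, which is how a triage decision travels to auditors without re-explaining it.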
Workspace security rollup (Teams)
The workspace dashboard aggregates posture across every repo: open vulnerabilities by severity, KEV counts, live secrets, license risk (copyleft exposure), and a workspace-wide "fix first" list ranked by priority.
Compliance reports (Teams)
Control-coverage reports for PCI-DSS and SOC 2, derived from your live findings with evidence drill-ins and JSON/Markdown export.
These are honest signals, not an audit. They map where an assessor will look and what your current findings say about each control — they don't certify anything.
Audit trail (Teams)
An insert-only log of who viewed, exported, or changed security data — including AI-agent reads over MCP — with actor, IP, and timestamp. Browse it in-product, export JSON/CSV, or stream it to your SIEM via the opt-in security_audit_event webhook.
Alerting
New critical CVEs, live secrets, failed scans, and rotation reminders fan out to the notification bell, email (per your preferences), and HMAC-signed webhooks. See Alerts & notifications.
Privacy rules, all binding: OSV only ever sees package URLs (purls), never code. Webhook and email payloads carry metadata only — rule ids, paths, counts, OSV ids — never code snippets or secret previews.
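Receiver-side verification of an HMAC-signed webhook like the ones described above, as an added example that is not Repowise's code. The header name X-Signature-256 and the sha256=&lt;hex&gt; encoding are placeholders (the page does not state the product's actual header or format), and the event body is constructed, carrying only the metadata fields the privacy rules allow:

```python
"""Verify an HMAC-SHA256 signed webhook on the receiving side (added example).

Assumptions: header name and 'sha256=<hex>' format are placeholders, not
Repowise's documented format; the event body is constructed.
"""
import hashlib
import hmac
import json


def sign(secret: bytes, body: bytes) -> str:
    """Produce the signature header value for a raw request body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, header_value: str) -> bool:
    """Constant-time check of the signature over the raw bytes.

    Sign and compare the bytes exactly as received: re-serialising parsed
    JSON can change whitespace or key order and break the match.
    """
    if not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header_value)


def handle(secret: bytes, body: bytes, header_value: str):
    """Return the parsed event on a valid signature, None otherwise."""
    if not verify(secret, body, header_value):
        return None
    return json.loads(body)


SECRET = b"constructed-webhook-secret"          # shared with the sender out of band
EVENT = json.dumps({                               # constructed, metadata only
    "event": "security_audit_event",
    "repo": "example/repo",
    "action": "export",
    "osv_ids": ["OSV-EXAMPLE-1"],
    "count": 1,
}).encode()

if __name__ == "__main__":
    header = sign(SECRET, EVENT)
    print(handle(SECRET, EVENT, header))           # parsed event
    tampered = EVENT.replace(b'"count": 1', b'"count": 0')
    print(handle(SECRET, tampered, header))        # None: body no longer matches
```

Because the signature covers the raw body, any in-flight change to the payload, or a forged event from someone without the shared secret, is rejected before the JSON is parsed.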
Connecting your IDE
Mint an API key on the hosted dashboard and paste a snippet — Claude Code, Cursor, Claude Desktop, VS Code, and Windsurf supported.
Teams & portfolio intelligence
Seats with pooled repos and credits, shared workspaces, portfolio health and ownership rollups, and an engineering-leader dashboard fed by nightly drift detection.