Skip to content
Latchkey

What Is Dependency Scanning?

Dependency scanning checks the third-party libraries your project pulls in against databases of known vulnerabilities, flagging the ones you need to upgrade.

Most of your application is code you did not write - open-source dependencies. When a vulnerability is found in one of them, you inherit it. Dependency scanning (a form of software composition analysis) tells you which of your dependencies are affected.

How it works

The scanner reads your lockfile to enumerate exact dependency versions, including transitive ones, and matches them against vulnerability databases like the GitHub Advisory Database or OSV. Matches become alerts with severity and a fixed-in version.

Direct and transitive

A vulnerable package is often something you never imported directly - a dependency of a dependency. Scanning the full resolved tree from the lockfile is what catches these transitive risks.

A small example

A scanner reports a high-severity CVE in a logging library you never imported - it came in transitively through a web framework. The alert names the fixed version, so you upgrade the framework or pin the transitive dependency.

Acting on results

  • Upgrade to a fixed version, ideally automatically via a bot.
  • Apply an override if a fixed transitive version exists.
  • Triage and accept risk with a documented reason when no fix exists.

Keeping it actionable

Gate on new and high-severity findings rather than the whole backlog, and pair scanning with an update bot so most vulnerable dependencies are upgraded automatically before they ever block a build.

Key takeaways

  • Dependency scanning matches your libraries against known-CVE databases.
  • It reads the lockfile to catch transitive, not just direct, dependencies.
  • Remediate by upgrading, overriding, or documenting accepted risk.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →