
supply-chain-mcp-server

by badchars

Server Configuration

Environment variables the server reads at startup. All three are optional and have no default; without them the server still works but runs against the unauthenticated (lower) rate limits of the upstream APIs.

NVD_API_KEY
  API key for the NVD tools. With a key NVD allows 50 requests per 30 seconds instead of 5 requests per 30 seconds.

GITHUB_TOKEN
  GitHub token for higher rate limits on the GHSA and Scorecard tools.

LIBRARIES_API_KEY
  API key for the Libraries.io tools.

Capabilities

Features and capabilities supported by this server

tools
  listChanged: true (the server can notify the client when its tool list changes, so clients should re-request the list on that notification rather than caching it for the session)

Tools

Functions exposed to the LLM to take actions

osv_query
  Query the OSV database for known vulnerabilities affecting a specific package and, optionally, a specific version.

osv_query_commit
  Query the OSV database for vulnerabilities associated with a specific git commit hash.

osv_query_purl
  Query the OSV database for known vulnerabilities using a Package URL (purl).

osv_batch
  Batch query the OSV database for vulnerabilities across multiple packages at once.

osv_id
  Fetch full vulnerability details from OSV by ID (OSV, CVE, GHSA, RUSTSEC, PYSEC, etc.).
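The OSV tools above wrap the OSV REST API. The following is an added example (not code from supply-chain-mcp-server) showing the request bodies that osv_query, osv_query_purl, osv_query_commit and osv_batch send, and how to evaluate an advisory's SEMVER ranges locally, which matters for osv_batch (the batch endpoint returns only vulnerability ids) and for checking a version other than the one you queried against an advisory fetched with osv_id. The request and response shapes follow the public OSV API (POST /v1/query and POST /v1/querybatch at api.osv.dev); the advisory in SAMPLE_RESPONSE is constructed and is not a real OSV entry.

```python
"""OSV request bodies and offline SEMVER range evaluation.

Added example; not code from supply-chain-mcp-server. Shapes follow the
public OSV API; SAMPLE_RESPONSE is constructed, not a real advisory.
"""
import re
from typing import Optional

OSV_QUERY_URL = "https://api.osv.dev/v1/query"
OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"


def query_by_package(name: str, ecosystem: str, version: Optional[str] = None) -> dict:
    """Body for osv_query: package + ecosystem, with an optional version."""
    body = {"package": {"name": name, "ecosystem": ecosystem}}
    if version:
        body["version"] = version
    return body


def query_by_purl(purl: str) -> dict:
    """Body for osv_query_purl (a purl may carry its own @version)."""
    return {"package": {"purl": purl}}


def query_by_commit(commit: str) -> dict:
    """Body for osv_query_commit."""
    return {"commit": commit}


def batch_body(queries: list) -> dict:
    """Body for osv_batch; /v1/querybatch answers with ids only, so the
    caller has to evaluate ranges itself (see is_affected)."""
    return {"queries": queries}


def parse_version(v: str) -> tuple:
    """Numeric tuple of a dotted version; a leading 'v' and any pre-release
    or build suffix are ignored, and the tuple is padded to three parts."""
    core = v.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def _at_least(v: tuple, lower: str) -> bool:
    return lower == "0" or v >= parse_version(lower)


def is_affected(version: str, events: list) -> bool:
    """Walk SEMVER events in order: each 'introduced' opens a window that the
    next 'fixed' (exclusive) or 'last_affected' (inclusive) closes. A window
    that is never closed extends to every later version."""
    v = parse_version(version)
    lower = None
    for ev in events:
        if "introduced" in ev:
            lower = ev["introduced"]
        elif "fixed" in ev:
            if lower is not None and _at_least(v, lower) and v < parse_version(ev["fixed"]):
                return True
            lower = None
        elif "last_affected" in ev:
            if lower is not None and _at_least(v, lower) and v <= parse_version(ev["last_affected"]):
                return True
            lower = None
    return lower is not None and _at_least(v, lower)


def vuln_covers(vuln: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if any SEMVER range of `vuln` for this package covers `version`.
    ECOSYSTEM-typed ranges use registry-specific ordering and are skipped."""
    for entry in vuln.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") == "SEMVER" and is_affected(version, rng.get("events", [])):
                return True
    return False


def affected_ids(version: str, response: dict, ecosystem: str, name: str) -> list:
    return [v["id"] for v in response.get("vulns", []) if vuln_covers(v, ecosystem, name, version)]


# Constructed sample in the /v1/query response shape (not a real advisory).
SAMPLE_RESPONSE = {
    "vulns": [{
        "id": "EXAMPLE-2024-0001",
        "summary": "constructed advisory for example-pkg",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "example-pkg"},
            "ranges": [{"type": "SEMVER", "events": [
                {"introduced": "0"}, {"fixed": "1.2.0"},
                {"introduced": "2.0.0"}, {"fixed": "2.1.0"},
            ]}],
        }],
    }]
}

if __name__ == "__main__":
    print(query_by_package("express", "npm", "4.17.1"))
    for ver in ("1.0.0", "1.5.0", "2.0.5", "2.1.0"):
        print(ver, affected_ids(ver, SAMPLE_RESPONSE, "npm", "example-pkg"))
```

When you send a version in the body, OSV already filters the response to advisories that affect it; the local evaluation is for the cases where you only have ids or a different version to check. Versions with pre-release tags are compared by their numeric core here, which is a simplification of full semver ordering.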

ghsa_id
  Fetch a GitHub Security Advisory by its GHSA or CVE identifier.

ghsa_search
  Search GitHub Security Advisories by keyword, ecosystem, and severity.

ghsa_package
  List GitHub Security Advisories affecting a specific package in a given ecosystem.

ghsa_recent
  List the most recently updated GitHub Security Advisories.

nvd_cve
  Fetch full CVE details from NVD (the NIST National Vulnerability Database) by CVE ID.

nvd_search
  Search NVD for CVEs by keyword and optional CVSS v3 severity.

nvd_recent
  Fetch CVEs published in NVD within a given number of days.

npm_package
  Fetch npm package metadata including description, latest version, maintainers, license, repository, homepage, and publish timeline.

npm_version
  Fetch metadata for a specific npm package version including dependencies, dist info (tarball, shasum, integrity), scripts, and deprecation status.

npm_downloads
  Fetch npm download counts for a package over a given period (last-day, last-week, last-month).

npm_search
  Search the npm registry for packages matching a query string.

npm_maintainers
  Extract the maintainers and publish timeline of an npm package. Useful for detecting maintainer takeover attacks such as the 2018 event-stream incident, where a newly added maintainer published the malicious release.

npm_scripts
  Extract and analyze the lifecycle scripts of a specific npm package version. Flags suspicious commands (curl, wget, eval, exec, etc.) commonly used in supply-chain attacks; install-time hooks such as preinstall and postinstall run on every machine that installs the package, which is why they are the usual payload location.

npm_provenance
  Check whether an npm package version has Sigstore provenance attestations and signatures. Useful for detecting unauthorized publishes such as the Axios-style attacks: a new version that lacks the provenance the project normally attaches deserves scrutiny before it is installed.
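As an added example (not code from supply-chain-mcp-server) of what npm_scripts and npm_provenance check, the following analyzes a single npm registry version document: it flags install-time lifecycle hooks containing the kinds of commands listed above, and reports whether the version carries Sigstore attestations and which SLSA predicate type they declare. The document is constructed. The fields `scripts`, `dist.integrity` and `deprecated` are standard in registry version documents; the exact layout of `dist.attestations` (a `url` plus `provenance.predicateType`) is an assumption about the registry response and should be confirmed against a real packument before relying on it.

```python
"""Flag risky lifecycle scripts and report provenance for one npm version.

Added example; not code from supply-chain-mcp-server. SAMPLE docs are
constructed; the dist.attestations layout is an assumption.
"""
import re

# Hooks npm runs on the consumer's machine when the package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns that rarely belong in a library's install hook; labels are ours.
SUSPICIOUS = {
    "curl": r"\bcurl\b",
    "wget": r"\bwget\b",
    "eval": r"\beval\s*\(",
    "exec": r"\bexec(?:Sync)?\s*\(|\bchild_process\b",
    "node -e": r"\bnode\s+(?:-e|--eval)\b",
    "base64": r"\bbase64\b",
    "remote url": r"https?://",
    "pipe to interpreter": r"\|\s*(?:sh|bash|node|python)\b",
}


def flag_script(cmd: str) -> list:
    """Labels of every suspicious pattern found in one script command."""
    return [label for label, pat in SUSPICIOUS.items() if re.search(pat, cmd)]


def analyze_scripts(doc: dict) -> list:
    """(hook, command, labels) for each install-time hook that matched."""
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = doc.get("scripts", {}).get(hook)
        if cmd:
            labels = flag_script(cmd)
            if labels:
                findings.append((hook, cmd, labels))
    return findings


def provenance_status(doc: dict) -> dict:
    """Attestation presence, predicate type, integrity algorithm, deprecation."""
    dist = doc.get("dist", {})
    att = dist.get("attestations") or {}          # assumed layout
    prov = att.get("provenance") or {}
    integrity = dist.get("integrity", "")
    return {
        "has_attestations": bool(att.get("url")),
        "predicate_type": prov.get("predicateType"),
        "integrity_algorithm": integrity.split("-", 1)[0] if integrity else None,
        "deprecated": bool(doc.get("deprecated")),
    }


def risk_summary(doc: dict) -> list:
    """Human-readable reasons to look closer; empty list means nothing flagged."""
    reasons = [f"{hook} runs {', '.join(labels)}: {cmd}" for hook, cmd, labels in analyze_scripts(doc)]
    prov = provenance_status(doc)
    if not prov["has_attestations"]:
        reasons.append("no Sigstore attestations on this version")
    if prov["deprecated"]:
        reasons.append("version is deprecated")
    return reasons


# Constructed version documents (payload string is base64 of "constructed").
SAMPLE_SUSPICIOUS = {
    "name": "example-pkg", "version": "1.4.2",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"eval(Buffer.from('Y29uc3RydWN0ZWQ=','base64').toString())\"",
    },
    "dist": {"integrity": "sha512-AAAA", "tarball": "https://registry.npmjs.org/example-pkg/-/example-pkg-1.4.2.tgz"},
}
SAMPLE_CLEAN = {
    "name": "example-pkg", "version": "1.4.1",
    "scripts": {"test": "jest", "prepare": "husky install"},
    "dist": {
        "integrity": "sha512-BBBB",
        "attestations": {
            "url": "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.4.1",
            "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
        },
    },
}

if __name__ == "__main__":
    for doc in (SAMPLE_SUSPICIOUS, SAMPLE_CLEAN):
        print(doc["version"], risk_summary(doc) or "nothing flagged")
```

The pattern list is deliberately crude; it is a triage filter, not a malware classifier. A matched hook means "read the script", and a version that drops the provenance its earlier releases had is worth treating as unauthorized until the publish is explained.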

npm_audit_bulk
  Bulk query npm security advisories for a set of packages and versions. Provide an object mapping package names to version arrays, e.g. {"express":["4.17.1"]}.

npm_attestations
  Fetch the full Sigstore attestation bundles for an npm package version. Returns SLSA provenance and publish attestations when available.

npm_download_range
  Get day-by-day npm download counts for a date range. Useful for detecting download anomalies or sudden spikes that may indicate dependency confusion attacks.
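To show what "download anomalies" in the npm_download_range description can mean in practice, here is an added example (not code from supply-chain-mcp-server) that runs two simple detectors over a day-by-day series: a spike relative to a rolling median of the preceding days, and the zero-history-then-burst shape of a freshly registered name, which is the pattern a dependency-confusion package produces. The series are constructed; their layout (`downloads` list of `{"day", "downloads"}`) mirrors the registry's range endpoint, and the thresholds are assumptions to tune per package.

```python
"""Detect download spikes in an npm day-by-day series.

Added example; not code from supply-chain-mcp-server. Series are
constructed in the shape of GET /downloads/range/{start}:{end}/{package}.
"""
from statistics import median


def find_spikes(series: list, window: int = 7, ratio: float = 5.0, min_count: int = 500) -> list:
    """A day is a spike when its count exceeds `ratio` times the median of
    the previous `window` days and is at least `min_count` in absolute terms.
    The median keeps one earlier spike from inflating the baseline."""
    counts = [d["downloads"] for d in series]
    spikes = []
    for i in range(window, len(series)):
        baseline = median(counts[i - window:i])
        if counts[i] >= min_count and counts[i] > ratio * max(baseline, 1):
            spikes.append({"day": series[i]["day"], "downloads": counts[i], "baseline": baseline})
    return spikes


def zero_history_then_burst(series: list, lead_days: int = 7, min_count: int = 500) -> bool:
    """Shape of a name that did not exist (or was never pulled) and then
    suddenly is: no downloads for the first `lead_days`, then a burst."""
    counts = [d["downloads"] for d in series]
    if len(counts) <= lead_days or any(counts[:lead_days]):
        return False
    return max(counts[lead_days:]) >= min_count


def _series(start_day: int, counts: list, month: str = "2024-03") -> list:
    return [{"day": f"{month}-{start_day + i:02d}", "downloads": c} for i, c in enumerate(counts)]


# Constructed: a steady library with one abnormal day.
SAMPLE_RANGE = {
    "package": "example-pkg", "start": "2024-03-01", "end": "2024-03-14",
    "downloads": _series(1, [98, 104, 101, 97, 110, 95, 99, 103, 100, 106, 102, 3100, 120, 99]),
}
# Constructed: a name with no history that suddenly gets pulled.
SAMPLE_NEW_NAME = {
    "package": "internal-build-tools", "start": "2024-03-01", "end": "2024-03-12",
    "downloads": _series(1, [0] * 10 + [2400, 1900]),
}

if __name__ == "__main__":
    print(find_spikes(SAMPLE_RANGE["downloads"]))
    print(zero_history_then_burst(SAMPLE_NEW_NAME["downloads"]))
```

A spike on an established package is usually benign (a popular dependent cut a release) and needs the publish timeline from npm_package to interpret; the zero-history burst on a name that matches one of your internal packages is the signal to act on.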

pypi_package
  Fetch PyPI package metadata including author, license, summary, project URLs, classifiers, and Python version requirements.

pypi_version
  Fetch metadata for a specific PyPI package version including release URLs with upload times, file sizes, digests, and yanked status.

pypi_releases
  List all releases of a PyPI package with upload dates, sizes, and yanked status. Useful for detecting suspicious rapid version bumps or yanked releases.

pypi_maintainers
  Extract author and maintainer information from a PyPI package. Useful for detecting ownership changes or suspicious maintainer patterns.

crate_info
  Fetch crates.io crate metadata including description, download counts, max version, repository, homepage, categories, and keywords.

crate_versions
  List all versions of a crate with version number, yanked status, license, crate size, creation date, and download count.

crate_deps
  Fetch dependencies for a specific crate version including dependency kind (normal/dev/build), version requirement, and optional flag.

crate_owners
  List owners of a crate on crates.io including login, name, URL, and kind (user/team). Useful for detecting ownership changes.

go_module
  Fetch Go module info from the module proxy: latest version and all available versions. Module paths are automatically encoded for the proxy.

go_version
  Fetch info and go.mod contents for a specific Go module version. Returns version metadata and the parsed dependency list from go.mod.

go_sum
  Look up a Go module version in the checksum database (sum.golang.org) for hash verification. Returns the checksum database entry.
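The three Go tools above depend on two details worth seeing in code: the proxy protocol's path escaping (each uppercase ASCII letter in a module path or version becomes `!` followed by its lowercase form, which is what "automatically encoded for the proxy" refers to) and the `require` directives that go_version parses out of go.mod. The following is an added example, not code from supply-chain-mcp-server; the escaping rule and endpoint paths are those of the Go module proxy protocol and sum.golang.org, while the go.mod text is constructed and the parser deliberately ignores `replace` and `exclude`.

```python
"""Go module proxy path escaping, endpoint URLs and go.mod require parsing.

Added example; not code from supply-chain-mcp-server. SAMPLE_GO_MOD is
constructed.
"""
import re

GOPROXY = "https://proxy.golang.org"
GOSUMDB = "https://sum.golang.org"


def escape_path(path: str) -> str:
    """Proxy escaping: 'A'..'Z' become '!a'..'!z' (case-insensitive filesystems)."""
    return "".join("!" + c.lower() if "A" <= c <= "Z" else c for c in path)


def unescape_path(escaped: str) -> str:
    out, i = [], 0
    while i < len(escaped):
        if escaped[i] == "!":
            i += 1
            out.append(escaped[i].upper())
        else:
            out.append(escaped[i])
        i += 1
    return "".join(out)


def proxy_urls(module: str, version: str) -> dict:
    """Endpoints go_module / go_version / go_sum would hit for one version."""
    m, v = escape_path(module), escape_path(version)
    return {
        "list": f"{GOPROXY}/{m}/@v/list",
        "latest": f"{GOPROXY}/{m}/@latest",
        "info": f"{GOPROXY}/{m}/@v/{v}.info",
        "mod": f"{GOPROXY}/{m}/@v/{v}.mod",
        "zip": f"{GOPROXY}/{m}/@v/{v}.zip",
        "sumdb": f"{GOSUMDB}/lookup/{m}@{v}",
    }


def _require_entry(line: str) -> dict:
    indirect = bool(re.search(r"//\s*indirect\b", line))
    path, version = line.split("//", 1)[0].split()[:2]
    return {"path": path, "version": version, "indirect": indirect}


def parse_go_mod(text: str) -> list:
    """Dependencies from single-line and block `require` directives."""
    deps, in_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if in_block:
            if line == ")":
                in_block = False
            else:
                deps.append(_require_entry(line))
        elif line.startswith("require ("):
            in_block = True
        elif line.startswith("require "):
            deps.append(_require_entry(line[len("require "):]))
    return deps


# Constructed go.mod; module paths with capitals exercise the escaping.
SAMPLE_GO_MOD = """\
module example.com/demo

go 1.22

require (
    github.com/Example/lib v1.4.0
    golang.org/x/text v0.14.0 // indirect
)

require github.com/other/dep v2.0.1+incompatible

replace github.com/Example/lib => ../lib
"""

if __name__ == "__main__":
    for dep in parse_go_mod(SAMPLE_GO_MOD):
        print(dep, proxy_urls(dep["path"], dep["version"])["sumdb"])
```

Note that the checksum database lookup only tells you what hash the database recorded for that module version; verifying a downloaded zip still means computing its dirhash and comparing, which the `.zip` endpoint plus the `lookup` entry together make possible.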

deps_package
  Look up a package on deps.dev to get metadata, versions, and security information.

deps_version
  Get detailed info about a specific package version from deps.dev including links, licenses, and advisories.

deps_dependencies
  Get the dependency tree for a specific package version from deps.dev.

deps_dependents
  Get packages that depend on a specific package version from deps.dev.

deps_advisory
  Fetch a security advisory by key (e.g. GHSA-xxxx-xxxx-xxxx) from deps.dev.

deps_project
  Get project information from deps.dev by repository URL (e.g. github.com/expressjs/express).

deps_query
  Look up a package by its SHA256 artifact hash on deps.dev.

deps_requirements
  Get the requirements (version constraints) for a specific package version from deps.dev.

deps_similar_packages
  Find similarly named packages on deps.dev for typosquatting detection. Useful for verifying you're using the legitimate package.

deps_purl_lookup
  Look up a package by Package URL (purl) on deps.dev. Purl format: pkg:ecosystem/name@version
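Both osv_query_purl and deps_purl_lookup take a Package URL, and the short `pkg:ecosystem/name@version` form above hides two details that trip people up: namespaces (an npm scope or a Go import path prefix) are extra path segments, and `@` in a scope must be percent-encoded as `%40` so the last `@` can be read as the version separator. The following is an added example, not code from supply-chain-mcp-server, with a parser and builder following the purl specification's `pkg:type/namespace/name@version?qualifiers#subpath` grammar and a helper that turns a purl into the `{"package": ..., "version": ...}` body OSV expects. The purl-type-to-OSV-ecosystem table covers the registries this server queries and is our mapping, not a table taken from the project.

```python
"""Parse and build Package URLs; map a purl to an OSV query body.

Added example; not code from supply-chain-mcp-server. Grammar per the purl
spec; the ecosystem table is ours.
"""
from urllib.parse import quote, unquote

PURL_TYPE_TO_OSV = {
    "npm": "npm", "pypi": "PyPI", "cargo": "crates.io", "golang": "Go",
    "gem": "RubyGems", "nuget": "NuGet", "composer": "Packagist",
}


def parse_purl(purl: str) -> dict:
    """Split a purl into type, namespace, name, version, qualifiers, subpath.
    Components are percent-decoded after splitting, so an encoded '@' or '/'
    inside a segment does not act as a separator."""
    if not purl.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    rest = purl[4:].lstrip("/")
    subpath = None
    if "#" in rest:
        rest, subpath = rest.split("#", 1)
    qualifiers = {}
    if "?" in rest:
        rest, qs = rest.split("?", 1)
        for kv in qs.split("&"):
            if "=" in kv:
                k, v = kv.split("=", 1)
                qualifiers[k.lower()] = unquote(v)
    version = None
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
        version = unquote(version)
    segments = [s for s in rest.split("/") if s]
    if len(segments) < 2:
        raise ValueError("purl needs at least a type and a name")
    return {
        "type": segments[0].lower(),
        "namespace": "/".join(unquote(s) for s in segments[1:-1]) or None,
        "name": unquote(segments[-1]),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": subpath,
    }


def build_purl(ptype: str, name: str, version: str = None, namespace: str = None) -> str:
    """Inverse of parse_purl for the common fields; '@', '+' and ':' get encoded."""
    parts = [ptype.lower()]
    if namespace:
        parts += [quote(s, safe="") for s in namespace.split("/")]
    parts.append(quote(name, safe=""))
    out = "pkg:" + "/".join(parts)
    if version:
        out += "@" + quote(version, safe="")
    return out


def to_osv_query(purl: str) -> dict:
    """OSV /v1/query body for a purl: ecosystem + full name, version alongside."""
    p = parse_purl(purl)
    eco = PURL_TYPE_TO_OSV.get(p["type"])
    if eco is None:
        raise ValueError(f"no OSV ecosystem mapping for purl type {p['type']!r}")
    name = f"{p['namespace']}/{p['name']}" if p["namespace"] else p["name"]
    body = {"package": {"ecosystem": eco, "name": name}}
    if p["version"]:
        body["version"] = p["version"]
    return body


if __name__ == "__main__":
    for purl in ("pkg:npm/%40angular/core@12.0.0",
                 "pkg:golang/github.com/gorilla/mux@v1.8.0",
                 "pkg:pypi/requests@2.31.0"):
        print(parse_purl(purl), to_osv_query(purl))
```

OSV takes the purl directly as well (`{"package": {"purl": ...}}`), so the mapping is mainly useful when you need the ecosystem and name separately, for instance to pass them to ghsa_package or deps_version afterwards.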

scorecard_repo
  Get the OpenSSF Scorecard security score for a GitHub repository, including individual check results.

scorecard_compare
  Compare OpenSSF Scorecard security scores across 2-5 GitHub repositories side by side.

libraries_package
  Get package metadata from Libraries.io including repository info, versions, and popularity metrics.

libraries_deps
  Get dependencies for a specific package version from Libraries.io.

libraries_dependents
  Get packages that depend on a specific package from Libraries.io.

libraries_sourcerank
  Get the SourceRank quality score breakdown for a package from Libraries.io.

rekor_search
  Search the Rekor transparency log by email, SHA256 hash, or public key fingerprint and return matching entry UUIDs.

rekor_entry
  Retrieve a specific Rekor transparency log entry by UUID, including body, attestation, and inclusion proof.

rekor_log_info
  Get the current Rekor transparency log status including rootHash, treeSize, signedTreeHead, and treeID.

rekor_entries_search
  Retrieve multiple Rekor log entries by their UUIDs or log indexes in a single request.

rekor_verify
  Verify whether a SHA256 artifact hash has been recorded in the Rekor transparency log, returning entry details if found.

typosquat_check
  Check if a package name is suspiciously similar to popular packages (potential typosquatting). Returns matches with edit distance <= 2.

typosquat_compare
  Compare two package names directly to assess typosquatting risk, showing edit distance, similarity percentage, character-level diff, and confusable character warnings.
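The two typosquat tools describe their output (edit distance, similarity percentage, character-level diff, confusable warnings) without showing how those are computed. The following is an added example, not code from supply-chain-mcp-server, implementing the same measures: Levenshtein distance, similarity as a percentage of the longer name, a diff from `difflib`, and a confusable check for single substitutions such as `1` for `l` or `rn` for `m` plus any non-ASCII character. The popular-package list and the confusable table are constructed samples; the real tool's list is unknown to us.

```python
"""Typosquat scoring: edit distance, similarity, diff, confusables.

Added example; not code from supply-chain-mcp-server. POPULAR and
CONFUSABLES are constructed samples.
"""
import difflib
import unicodedata

POPULAR = ["requests", "numpy", "lodash", "express", "colors", "urllib3"]

# Visually similar substitutions that typosquatters lean on (constructed).
CONFUSABLES = [("0", "o"), ("1", "l"), ("1", "i"), ("l", "i"), ("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(name: str) -> str:
    """Lowercase; '-', '_' and '.' are interchangeable on npm and PyPI."""
    return name.lower().replace("_", "-").replace(".", "-")


def levenshtein(a: str, b: str) -> int:
    """Classic two-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def confusable_warnings(a: str, b: str) -> list:
    """Warn when b is a by one confusable substitution at any position, or
    when either name contains a non-ASCII character (homoglyph risk)."""
    warnings = set()
    for x, y in CONFUSABLES:
        for src, dst in ((x, y), (y, x)):
            for i in range(len(a)):
                if a.startswith(src, i) and a[:i] + dst + a[i + len(src):] == b:
                    warnings.add(f"{src!r} -> {dst!r}")
    for ch in a + b:
        if ord(ch) > 127:
            warnings.add(f"non-ASCII {ch!r} ({unicodedata.name(ch, 'unknown')})")
    return sorted(warnings)


def compare(a: str, b: str) -> dict:
    """What typosquat_compare reports for a pair of names."""
    na, nb = normalize(a), normalize(b)
    d = levenshtein(na, nb)
    similarity = 100.0 * (1 - d / max(len(na), len(nb), 1))
    ops = difflib.SequenceMatcher(None, na, nb).get_opcodes()
    diff = [(op, na[i1:i2], nb[j1:j2]) for op, i1, i2, j1, j2 in ops if op != "equal"]
    return {"distance": d, "similarity_pct": round(similarity, 1), "diff": diff,
            "warnings": confusable_warnings(na, nb)}


def check(name: str, popular: list = POPULAR, max_distance: int = 2) -> list:
    """What typosquat_check reports: (popular name, distance) within
    max_distance, excluding exact matches (distance 0 is the package itself)."""
    n = normalize(name)
    hits = [(p, levenshtein(n, normalize(p))) for p in popular]
    return sorted([(p, d) for p, d in hits if 0 < d <= max_distance], key=lambda t: t[1])


if __name__ == "__main__":
    print(check("reqeusts"))
    print(compare("lodash", "1odash"))
```

Edit distance alone is noisy for short names (every four-letter name is within distance 2 of many others), which is why the compare output carries the confusable warnings separately: a distance-1 hit that is also a `l`/`1` swap is a much stronger signal than a distance-2 hit with unrelated letters.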

epss_score
  Get the EPSS exploit probability and percentile for a single CVE ID.

epss_batch
  Batch EPSS scores for multiple CVEs (up to 100) in a single request.

epss_top
  Get the highest EPSS-scoring CVEs (most likely to be exploited).

epss_above_threshold
  Find CVEs with an EPSS score above a given threshold.

kev_lookup
  Check if a CVE is in the CISA Known Exploited Vulnerabilities (KEV) catalog.

kev_search
  Search KEV entries by keyword (matched against vendor, product, name, description).

kev_recent
  Get KEV entries added within the last N days.

kev_stats
  Get KEV catalog statistics: total count, top vendors, entries per year, and ransomware usage breakdown.
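The EPSS and KEV tools are most useful together: KEV membership is evidence of exploitation in the wild, EPSS is a probability estimate for the rest. As an added example, not code from supply-chain-mcp-server, the following combines both into a triage order over a list of CVE ids, and splits a long id list into the 100-id batches epss_batch mentions. The response shapes follow the FIRST EPSS API (`data` records with `cve`, `epss`, `percentile` as strings) and the CISA KEV JSON feed (`vulnerabilities` with `cveID` and `knownRansomwareCampaignUse`). The CVE ids are real, well-known identifiers, but the scores and the catalog subset below are constructed for the example and say nothing about the real EPSS values or KEV contents; the 0.1 threshold is our assumption.

```python
"""EPSS + KEV triage ordering and EPSS batch URL construction.

Added example; not code from supply-chain-mcp-server. SAMPLE_EPSS and
SAMPLE_KEV are constructed; ids are real CVEs, values are not real data.
"""

EPSS_URL = "https://api.first.org/data/v1/epss"
EPSS_BATCH_LIMIT = 100


def epss_batch_urls(cve_ids: list) -> list:
    """One GET URL per batch of up to EPSS_BATCH_LIMIT ids."""
    return [f"{EPSS_URL}?cve={','.join(cve_ids[i:i + EPSS_BATCH_LIMIT])}"
            for i in range(0, len(cve_ids), EPSS_BATCH_LIMIT)]


def epss_index(epss_response: dict) -> dict:
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in epss_response["data"]}


def kev_index(kev_feed: dict) -> dict:
    return {v["cveID"]: v for v in kev_feed["vulnerabilities"]}


def triage(cve_ids: list, epss_response: dict, kev_feed: dict, epss_threshold: float = 0.1) -> list:
    """P1: in KEV (ransomware use first). P2: EPSS at or above threshold.
    P3: below threshold, or no EPSS record at all (new or unscored CVE, which
    is a reason to look, not a reason to ignore)."""
    epss, kev = epss_index(epss_response), kev_index(kev_feed)
    rows = []
    for cve in cve_ids:
        score, pct = epss.get(cve, (None, None))
        entry = kev.get(cve)
        ransomware = bool(entry and entry.get("knownRansomwareCampaignUse") == "Known")
        if entry:
            priority, reason = "P1", "in CISA KEV" + (" (ransomware use known)" if ransomware else "")
        elif score is not None and score >= epss_threshold:
            priority, reason = "P2", f"EPSS {score:.2f} >= {epss_threshold}"
        elif score is None:
            priority, reason = "P3", "no EPSS record; review manually"
        else:
            priority, reason = "P3", f"EPSS {score:.2f} below threshold"
        rows.append({"cve": cve, "priority": priority, "epss": score, "percentile": pct,
                     "kev": entry is not None, "ransomware": ransomware, "reason": reason})
    rows.sort(key=lambda r: (r["priority"], -int(r["ransomware"]), -(r["epss"] or 0.0)))
    return rows


# Constructed values in the API shapes (not real scores or catalog data).
SAMPLE_EPSS = {"data": [
    {"cve": "CVE-2021-44228", "epss": "0.97", "percentile": "0.999"},
    {"cve": "CVE-2014-0160", "epss": "0.95", "percentile": "0.998"},
    {"cve": "CVE-2022-42889", "epss": "0.42", "percentile": "0.970"},
    {"cve": "CVE-2019-14540", "epss": "0.02", "percentile": "0.800"},
]}
SAMPLE_KEV = {"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2014-0160", "vendorProject": "OpenSSL", "product": "OpenSSL",
     "knownRansomwareCampaignUse": "Unknown"},
]}

if __name__ == "__main__":
    ids = ["CVE-2019-14540", "CVE-2022-42889", "CVE-2014-0160", "CVE-2021-44228", "CVE-2017-5638"]
    for row in triage(ids, SAMPLE_EPSS, SAMPLE_KEV):
        print(row["priority"], row["cve"], row["reason"])
```

Keep the KEV check first regardless of EPSS: a CVE with a low EPSS score can still be in KEV, and the catalog is the one with a remediation deadline attached.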

go_vuln_id
  Fetch a Go vulnerability by its ID from the Go Vulnerability Database. Returns advisory details, affected modules, versions, and references.

go_vuln_list
  List all Go vulnerability IDs from the database index. Returns an array of entry objects with id and modified fields.

go_vuln_db_info
  Get Go Vulnerability Database metadata including last modified time.

go_vuln_by_module
  Find Go vulnerabilities affecting a specific module. Fetches the modules index and filters for entries matching the given module path.

license_lookup
  Get curated license data for a software component from ClearlyDefined.

license_batch
  Batch license lookup for multiple components via ClearlyDefined.

license_search
  Search ClearlyDefined for components by pattern.

badge_project
  Get OpenSSF Best Practices badge status and criteria for a project by ID.

badge_search
  Search OpenSSF Best Practices badge projects.

badge_by_repo
  Find an OpenSSF Best Practices badge by GitHub repository URL.

repology_project
  Get package versions across all Linux distributions from Repology.

repology_problems
  Find packaging problems/issues for a repository on Repology.

repology_search
  Search Repology projects by name.

gem_info
  Fetch RubyGems gem metadata including name, version, authors, description, download counts, project URI, source code URI, and other package details.

gem_versions
  List all versions of a RubyGems gem with release dates, platform info, and version numbers.

gem_search
  Search the RubyGems registry for gems matching a query string.

gem_reverse_deps
  Get reverse dependencies of a RubyGems gem, i.e. all gems that depend on it. Useful for assessing the blast radius of a compromised package.

nuget_package
  Fetch NuGet package registration metadata including all versions, dependency groups, descriptions, and catalog entries.

nuget_search
  Search the NuGet registry for packages matching a query string.

nuget_versions
  List all published versions of a NuGet package from the flat container index.

nuget_catalog_entry
  Get specific version details from NuGet including dependency groups, description, license, and catalog metadata.

composer_package
  Get PHP/Composer package metadata from Packagist including versions, description, maintainers, and repository information.

composer_search
  Search Packagist for PHP packages matching a query string.

composer_stats
  Get Packagist package download statistics including total, monthly, and daily download counts.

composer_advisories
  Get security advisories for PHP packages from Packagist. Returns known vulnerabilities and CVEs affecting the specified package.

supplychain_list_sources
  List all 21 supply chain security data sources with their configuration status, required environment variables, available tools, and API base URLs.

Prompts

Interactive templates invoked by user choice

No prompts.

Resources

Contextual data attached and managed by the client

No resources.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/badchars/supply-chain-mcp-server'
