SCA with reachability — find out if vulnerable code is actually reachable
Project description
DepReach
DepReach is a Software Composition Analysis (SCA) tool that goes beyond listing CVEs: it tells you whether vulnerable code is reachable from your project. It builds call graphs, maps fixes from GitHub diffs to affected functions, and marks issues as reachable or not — so you can prioritize what actually matters.
Features
- SBOM — CycloneDX via cyclonedx-py (Python) or cdxgen (Docker)
- Vulnerability lookup — Local VDB (e.g. appthreat-vulnerability-db)
- Reachability — Call graph + AST + GitHub diff → which vuln code is reachable
- Caching — SQLite cache for reachability results
- HTML report — Interactive dependency graph, filter by package, zoom, “hide clean”
- SARIF — Output for ASPM / Code Scanning with reachability in
result.properties
Installation
DepReach is available on PyPI. Requires Python 3.10+.
pip install depreach
Quick start
depreach -i /path/to/your/project -o report.json
Reports are written to reports/<project_name>/ (JSON, SBOM, HTML). Use --sarif <file> to also emit SARIF 2.1.
Usage
depreach -i <input_dir> -o report.json [options]
| Option | Description |
|---|---|
-i, --input |
Source code directory (required) |
-o, --output |
Report filename; output dir is reports/<project_name>/ |
--skip-update |
Skip updating the vulnerability database |
--cache |
Cache reachability results in SQLite |
-j, --jobs |
Parallel jobs for reachability (default: 6) |
--ignore |
Comma-separated package names to ignore (e.g. flask,requests) |
--sarif |
Write SARIF 2.1 file for ASPM/Code Scanning |
Exit codes: 0 = no vulns, 1 = vulns but none reachable, 2 = at least one reachable.
Example
depreach -i ./my-app -o report.json --cache --ignore "flask" --sarif report.sarif
Output
| Artifact | Path | Description |
|---|---|---|
| JSON report | reports/<name>/report.json |
Vulns with CVE, severity, description, references, reachability |
| SBOM | reports/<name>/<name>_sbom.json |
CycloneDX SBOM |
| HTML report | reports/<name>/report.html |
Interactive graph, filter by package, zoom |
| SARIF | path from --sarif |
SARIF 2.1 with isReachable in result properties (for ASPM) |
Use as a library
from depreach import run
vulns, exit_code = run(
input_dir="./my-app",
output_file="report.json",
skip_update=False,
cache=True,
jobs=6,
ignore="flask,requests",
sarif_path="report.sarif",
)
# exit_code: 0 = ok, 1 = vulns, 2 = reachable vulns
License
MIT. See LICENSE.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file depreach-0.0.post1.dev20.tar.gz.
File metadata
- Download URL: depreach-0.0.post1.dev20.tar.gz
- Upload date:
- Size: 672.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1ffbd12880f23791593349217f4f956925f171fd66825845abec636725bda273
|
|
| MD5 |
3e4a1b326fe703227351872b77a2ba1d
|
|
| BLAKE2b-256 |
5d998c3db13aed27f4aafac5271da2f7dbf30b8f5662c03e2dc4f9ef9ea5e409
|
File details
Details for the file depreach-0.0.post1.dev20-py3-none-any.whl.
File metadata
- Download URL: depreach-0.0.post1.dev20-py3-none-any.whl
- Upload date:
- Size: 29.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
858622f2730d9976ff0a67e351935d72cd973de586aa96c7b12adb34c8cc373d
|
|
| MD5 |
9fb2c4f3bb48b707c21f2951297e3d9a
|
|
| BLAKE2b-256 |
edf613dc780733158ad8bcb7c02b70950a67b0372418768962add705dcc3b737
|
