SCA with reachability — find out if vulnerable code is actually reachable
DepReach
What is DepReach?
DepReach is a Software Composition Analysis (SCA) tool that goes beyond listing CVEs: it tells you whether vulnerable code is reachable from your project. It builds call graphs, maps fixes from GitHub diffs to affected functions and marks issues as reachable or not — so you can prioritize what actually matters.
Features
| Feature | Description |
|---|---|
| SBOM | CycloneDX via cyclonedx-py (Python) or cdxgen (Docker) |
| Vulnerability lookup | Local VDB (e.g. appthreat-vulnerability-db) |
| Reachability | Call graph + AST + GitHub diff → which vuln code is reachable |
| Caching | SQLite cache for reachability results |
| HTML report | Interactive dependency graph, filter by package, zoom, “hide clean” |
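The reachability pipeline the feature table lists (fix diff → patched functions, application call graph from the AST, reachable-or-not verdict) in miniature. This is an added example written for this page, not DepReach's own code. The package name `ymlkit`, its functions, the fix diff and the application source are all constructed; the example assumes the diff carries git-style hunk headers that name the enclosing Python `def`, and it resolves only module-level imports and top-level functions.

```python
import ast
import re
from collections import deque

# Constructed fix diff for a hypothetical package "ymlkit" (placeholder name).
# The hunk header names the enclosing def, which is what the mapping keys on.
FIX_DIFF = """\
--- a/ymlkit/loader.py
+++ b/ymlkit/loader.py
@@ -12,4 +12,4 @@ def _construct(stream, allow_python_tags):
-    tags = ALL_TAGS if allow_python_tags else SAFE_TAGS
+    tags = SAFE_TAGS
@@ -30,3 +30,3 @@ def unsafe_load(stream):
-    return _construct(stream, allow_python_tags=True)
+    return _construct(stream, allow_python_tags=False)
"""

# Constructed application module that depends on ymlkit.
APP_SOURCE = """\
import ymlkit.loader as loader
from ymlkit.loader import safe_load
def parse_config(text):
    return safe_load(text)
def legacy_import(text):
    return loader.unsafe_load(text)
def main():
    return parse_config("a: 1")
"""

HUNK_RE = re.compile(r"^@@ .* @@\s*def\s+(\w+)")
FILE_RE = re.compile(r"^\+\+\+ b/(.+)$")

def patched_functions(diff_text):
    """Map a unified diff to the module-qualified functions its hunks touch."""
    module, touched = None, set()
    for line in diff_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            module = m.group(1).removesuffix(".py").replace("/", ".")
            continue
        m = HUNK_RE.match(line)
        if m and module:
            touched.add(f"{module}.{m.group(1)}")
    return touched

class CallGraphBuilder(ast.NodeVisitor):
    """Collect caller -> callee edges, resolving imports to qualified names."""
    def __init__(self, module, local_defs):
        self.module, self.local_defs = module, local_defs
        self.aliases = {}   # local binding -> fully qualified name
        self.edges = {}     # qualified caller -> set of qualified callees
        self.current = None

    def visit_Import(self, node):
        for a in node.names:
            if a.asname:            # "import pkg.mod" alone binds "pkg", already qualified
                self.aliases[a.asname] = a.name

    def visit_ImportFrom(self, node):
        for a in node.names:
            self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"

    def visit_FunctionDef(self, node):
        qualified = f"{self.module}.{node.name}"
        self.edges.setdefault(qualified, set())
        outer, self.current = self.current, qualified
        self.generic_visit(node)
        self.current = outer

    def visit_Call(self, node):
        target = self._qualify(node.func)
        if target and self.current:
            self.edges[self.current].add(target)
        self.generic_visit(node)

    def _qualify(self, func):
        parts = []
        while isinstance(func, ast.Attribute):   # flatten a.b.c into ["c", "b", "a"]
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None                          # call on a call result: unresolved
        parts.append(func.id)
        parts.reverse()
        if parts[0] in self.aliases:
            parts[0] = self.aliases[parts[0]]
        elif parts[0] in self.local_defs:
            parts[0] = f"{self.module}.{parts[0]}"
        return ".".join(parts)

def build_call_graph(source, module):
    tree = ast.parse(source)
    local_defs = {n.name for n in tree.body if isinstance(n, ast.FunctionDef)}
    builder = CallGraphBuilder(module, local_defs)
    builder.visit(tree)
    return builder.edges

def reachable_vulns(edges, entry, affected):
    """BFS from an entry point; return the affected functions it can reach."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for callee in edges.get(queue.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return sorted(seen & affected)

AFFECTED = patched_functions(FIX_DIFF)
EDGES = build_call_graph(APP_SOURCE, "app")

if __name__ == "__main__":
    for entry in ("app.main", "app.legacy_import"):
        hits = reachable_vulns(EDGES, entry, AFFECTED)
        print(f"{entry}: {'REACHABLE via ' + ', '.join(hits) if hits else 'not reachable'}")
```

From `app.main` the only library function reached is `safe_load`, which the fix did not touch, so the finding would be marked not reachable; from `app.legacy_import` the patched `unsafe_load` is on the path. A real tool also walks the dependency's own source so that transitive callees such as `_construct` are found, and handles dynamic dispatch it cannot resolve conservatively rather than silently dropping the edge.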
Requirements
- Python 3.10+
- Docker (optional) — only if using cdxgen for SBOM
- Git — for reachability (GitHub diffs)
Install
```bash
pip install depreach
```
Requires Python 3.10+.
Usage
```bash
depreach -i <path_to_project> -o report.json [options]
```
Reports are written to reports/<project_name>/ (JSON, SBOM, HTML). Optionally use --sarif <file> to output SARIF 2.1.
| Option | Description |
|---|---|
| -i, --input | Source code directory (required) |
| -o, --output | Report filename; output dir is reports/<project_name>/ |
| --skip-update | Skip VDB update |
| --cache | Cache reachability in SQLite |
| -j, --jobs | Parallel jobs for reachability (default: 6) |
| --ignore | Comma-separated package names to ignore (e.g. flask,requests) |
| --sarif | Write SARIF 2.1 file (reachability in result.properties) for ASPM/Code Scanning |
Exit codes: 0 = no vulns, 1 = vulns but none reachable, 2 = at least one reachable.
Example
```bash
depreach -i ./my-app -o report.json --cache --ignore "flask" --sarif report.sarif
```
Output
| Artifact | Path | Description |
|---|---|---|
| JSON report | reports/<name>/report.json | Vulns with CVE, severity, description, references, reachability |
| SBOM | reports/<name>/<name>_sbom.json | CycloneDX SBOM |
| HTML report | reports/<name>/report.html | Interactive graph, filter by package, zoom |
| Console | — | Rich table with reachability status |
| Log | depreach.log | Debug log |
| SARIF | path from --sarif | SARIF 2.1 with isReachable in result properties (for ASPM) |
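Consuming the SARIF file in a CI gate: the exit-code contract from the Usage section (0 = no vulns, 1 = vulns but none reachable, 2 = at least one reachable) is re-derived from the results, and a trimmed document containing only reachable results is produced for upload where unreachable noise is unwanted. This is an added example, not DepReach's own code; it relies only on the `isReachable` flag under each result's `properties` that the table names, and the SARIF document and the `CVE-PLACEHOLDER-n` rule ids are constructed.

```python
import json
import sys

# Constructed SARIF 2.1 document in the shape the table describes:
# one reachable finding, one unreachable, one with no flag at all.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "depreach"}},
        "results": [
            {"ruleId": "CVE-PLACEHOLDER-1", "level": "error",
             "message": {"text": "placeholder: vulnerable function is reachable"},
             "properties": {"isReachable": True}},
            {"ruleId": "CVE-PLACEHOLDER-2", "level": "warning",
             "message": {"text": "placeholder: vulnerable function not reachable"},
             "properties": {"isReachable": False}},
            {"ruleId": "CVE-PLACEHOLDER-3", "level": "warning",
             "message": {"text": "placeholder: reachability not recorded"}},
        ],
    }],
})

def results_of(doc):
    """Flatten results across all runs of a SARIF document."""
    return [r for run in doc.get("runs", []) for r in run.get("results", [])]

def is_reachable(result):
    # Only an explicit boolean True counts; a missing or malformed flag means
    # the tool recorded no evidence of a path and is treated as not reachable.
    return result.get("properties", {}).get("isReachable") is True

def exit_code_for(doc):
    """Apply the 0 / 1 / 2 exit-code contract to a parsed SARIF document."""
    results = results_of(doc)
    if not results:
        return 0
    return 2 if any(is_reachable(r) for r in results) else 1

def reachable_only(doc):
    """Return a deep copy of the document keeping only reachable results."""
    trimmed = json.loads(json.dumps(doc))
    for run in trimmed.get("runs", []):
        run["results"] = [r for r in run.get("results", []) if is_reachable(r)]
    return trimmed

def gate(sarif_text):
    """Parse SARIF text; return (exit_code, trimmed_document)."""
    doc = json.loads(sarif_text)
    return exit_code_for(doc), reachable_only(doc)

if __name__ == "__main__":
    # Usage: python gate.py report.sarif   (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    code, trimmed = gate(text)
    for r in results_of(trimmed):
        print(f"[reachable] {r['ruleId']}: {r['message']['text']}")
    print(f"exit code {code}")
    sys.exit(code)
```

Treating an absent flag as not reachable keeps the gate from failing a build on findings the tool never classified; if the policy is to block on anything unclassified, change `is_reachable` to return True when the key is missing and the rest of the gate stays the same.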
Use as a library
```python
from depreach import run

# Same parameters as the CLI options above; returns the vulnerability list
# and the exit code the CLI would have produced.
vulns, exit_code = run(
    input_dir="./my-app",          # -i, --input
    output_file="report.json",     # -o, --output (written under reports/<project_name>/)
    skip_update=False,             # --skip-update
    cache=True,                    # --cache
    jobs=6,                        # -j, --jobs
    ignore="flask,requests",       # --ignore
    sarif_path="report.sarif",     # --sarif
)
# exit_code: 0 = ok, 1 = vulns, 2 = reachable vulns
```
Download files
File details
Details for the file depreach-0.1.0.tar.gz.
File metadata
- Download URL: depreach-0.1.0.tar.gz
- Upload date:
- Size: 26.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.10
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9998701197b5324459e0492673bd5b5885264c04e515b0626fcc87585e418420 |
| MD5 | 5dc731455b7dbbb85f0ba3252e50241f |
| BLAKE2b-256 | f77403c50801c356651bde13bf97bb4e4e33645ea20f87c926ddf46ce35db5ad |
File details
Details for the file depreach-0.1.0-py3-none-any.whl.
File metadata
- Download URL: depreach-0.1.0-py3-none-any.whl
- Upload date:
- Size: 29.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.10
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9a4fb32e97f6a954b669c80a041c0a70725b473c1523e8c7d12c4d1cbff0bfd3 |
| MD5 | cba03436040c35280a04edc8b6773374 |
| BLAKE2b-256 | d079c53136a4e4e2740c6404e46cd16e1ca997e23d8cda1c2329392a8ce4f6da |