Security on your actual dependency graph.
CVE triage that knows whether you really reach the vulnerable code. Findings are scored with KEV and EPSS, then filtered to the vulnerabilities your code actually reaches. Plus secret detection across full git history and SBOM generation, built on the same graph that powers everything else. No model in the scanning path, and self-hostable.
Generic scanners rank by CVSS and bury you in findings for code you never execute. The real question is not what is vulnerable, it is what you actually reach.
A vulnerability in a transitive dependency you import but never call is not the same risk as one on a live code path. repowise scores with KEV and EPSS, then filters the findings against your real dependency graph, so the list that lands in front of you is the list worth acting on.
Reachability-aware triage on a graph you can self-host.
Deterministic, usage-aware, and built on the same dependency graph that powers the rest of repowise.
Findings filtered to the code you actually reach
Known vulnerabilities are scored with KEV (CISA's Known Exploited Vulnerabilities catalog, evidence of exploitation in the wild) and EPSS (FIRST's Exploit Prediction Scoring System, the estimated probability of exploitation activity in the next 30 days), then filtered against your real dependency graph, so the list narrows to packages your code actually pulls onto a live path rather than everything a lockfile lists. Today that filter works at the dependency level; function-level reachability, which narrows further to the exact functions you call, is on the roadmap. CVE-aware dependency analysis and usage-aware triage are generally available on the hosted platform.
- KEV and EPSS scoring, not raw CVSS severity alone
- Filtered to the vulnerabilities your code actually reaches
- Built on the same dependency graph as the rest of the platform
- Function-level reachability triage is on the roadmap
Secret detection across your full git history
A key that was committed and later removed is still recoverable from history and still a live exposure; rewriting history does not revoke it, so treat it as compromised and rotate it. repowise scans every commit, not just the current tree, so secrets that already leaked do not slip through. Secret detection across full git history is generally available on the hosted platform.
- Scans full git history, not only the current checkout
- Catches secrets that were committed and later removed
- Deterministic results you can reproduce and audit
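The difference between scanning the checkout and scanning the history, as an added example (not repowise code). The HISTORY list, the pattern set and the entropy floor are the example's own constructions; scan_git_repo() runs the same scan over a real repository and assumes a git binary on PATH.

```python
"""Secret detection over full git history: an added example.

Not repowise code. The constructed HISTORY below shows the case the page
describes: a key committed in one revision and removed in the next. The
pattern set is illustrative, not complete. scan_git_repo() is the same scan
over a real repository and assumes a git binary on PATH.
"""
import math
import re
import subprocess
from collections import Counter

# Structured-token patterns fire on their own; the generic assignment rule
# only fires when the captured value is high-entropy, which drops ordinary
# words that happen to sit in a 'password = ...' line.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:secret|token|password|api_key)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"),
}
ENTROPY_FLOOR = 3.5  # bits per character; dictionary words sit below this


def shannon_entropy(value: str) -> float:
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def find_secrets(text: str):
    """(rule, value, line_no) for every hit in one file or blob."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if rule == "generic_assignment" and shannon_entropy(value) < ENTROPY_FLOOR:
                    continue
                hits.append((rule, value, line_no))
    return hits


def scan_tree(tree):
    """Current checkout only (path -> content): what a naive scanner sees."""
    return {(path, rule, value) for path, text in tree.items()
            for rule, value, _ in find_secrets(text)}


def scan_history(history):
    """Every revision: each finding with the index of the commit that introduced it."""
    first_seen = {}
    for idx, tree in enumerate(history):
        for finding in scan_tree(tree):
            first_seen.setdefault(finding, idx)
    return first_seen


# Constructed history, oldest first. The documented AWS example key is added
# in commit 0 and removed in commit 1; HEAD (commit 2) is clean.
HISTORY = [
    {"config.py": "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\nREGION = 'eu-west-1'\n"},
    {"config.py": "AWS_KEY = os.environ['AWS_KEY']\nREGION = 'eu-west-1'\n"},
    {"config.py": "AWS_KEY = os.environ['AWS_KEY']\nREGION = 'eu-west-1'\n",
     "README.md": "# demo\n"},
]


def scan_git_repo(repo: str):
    """Scan every blob reachable from any ref. Assumes git on PATH.

    --all walks refs only: objects reachable solely from the reflog, or
    dangling, are not covered (git fsck --unreachable lists those).
    """
    def git(*args):
        return subprocess.run(["git", "-C", repo, *args], check=True,
                              capture_output=True, text=True, errors="replace").stdout
    findings = []
    for line in git("rev-list", "--all", "--objects").splitlines():
        sha, _, path = line.partition(" ")
        if not path:                       # commits and root trees carry no path
            continue
        if git("cat-file", "-t", sha).strip() != "blob":
            continue                       # subtrees also carry a path
        for rule, value, line_no in find_secrets(git("cat-file", "-p", sha)):
            findings.append((sha[:12], path, line_no, rule, value))
    return findings


if __name__ == "__main__":
    print("current tree:", scan_tree(HISTORY[-1]))   # empty
    print("full history:", scan_history(HISTORY))    # the key, introduced in commit 0
```

scan_tree on the last revision returns nothing, which is exactly the blind spot: the key is still in the object store and in every clone. scan_history reports it with the commit that introduced it, which is the information needed to decide what to rotate.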
CycloneDX SBOM, diffs, and VEX for audits
repowise generates a CycloneDX software bill of materials and diffs it between versions, so you can see exactly what changed in your dependency set between releases: components added, removed, or bumped. VEX (Vulnerability Exploitability eXchange) records, per component, whether a listed vulnerability actually affects you and why, so a consumer of the SBOM does not have to re-triage every match. SBOM generation and diffs are generally available on the hosted platform.
- CycloneDX SBOM generation for audits and procurement
- Version-to-version SBOM diffs
- VEX to communicate true exploitability
- An audit trail for the security surface on Teams and above
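What an SBOM, a version diff and a VEX statement look like on the wire, as an added example (not repowise code). The two release dependency sets are constructed; the document shape follows CycloneDX 1.5 JSON and the analysis fields are the CycloneDX VEX vocabulary. The CVE used for the VEX entry, CVE-2021-44906 (minimist prototype pollution, fixed in 1.2.6), is real; the reachability verdict fed into it is the example's own assumption.

```python
"""CycloneDX SBOM generation, version diff and VEX: an added example.

Not repowise code. The two dependency sets are constructed; the SBOM shape
follows CycloneDX 1.5 JSON, and the vulnerability entry uses the CycloneDX
VEX analysis fields (state, justification, response, affects).
"""
import json
import uuid
from datetime import datetime, timezone


def purl(ecosystem: str, name: str, version: str) -> str:
    """package-url: pkg:<type>/<name>@<version>. Scoped npm names encode '@'."""
    return f"pkg:{ecosystem}/{name.replace('@', '%40')}@{version}"


def make_sbom(app_name, app_version, deps, serial=None):
    """Minimal CycloneDX 1.5 document as a dict; deps are (ecosystem, name, version)."""
    components = []
    for eco, name, ver in sorted(deps):
        ref = purl(eco, name, ver)
        components.append({"type": "library", "bom-ref": ref, "name": name,
                           "version": ver, "purl": ref})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": serial or f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": app_name, "version": app_version},
        },
        "components": components,
    }


def diff_sboms(old, new):
    """Version-to-version diff keyed on the purl without its version."""
    def index(bom):
        return {c["purl"].rsplit("@", 1)[0]: c["version"] for c in bom["components"]}
    a, b = index(old), index(new)
    return {
        "added": sorted(k for k in b if k not in a),
        "removed": sorted(k for k in a if k not in b),
        "changed": sorted((k, a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]),
    }


def vex_entry(cve_id, affected_ref, reachable, detail):
    """One CycloneDX 'vulnerabilities' entry carrying the VEX analysis.

    Not reachable -> not_affected with justification code_not_reachable.
    Reachable -> in_triage; a human confirms exploitability before the state
    moves to 'exploitable' or 'resolved'.
    """
    if reachable:
        analysis = {"state": "in_triage", "detail": detail}
    else:
        analysis = {"state": "not_affected", "justification": "code_not_reachable",
                    "response": ["will_not_fix"], "detail": detail}
    return {
        "id": cve_id,
        "source": {"name": "NVD", "url": f"https://nvd.nist.gov/vuln/detail/{cve_id}"},
        "analysis": analysis,
        "affects": [{"ref": affected_ref}],
    }


def attach_vex(bom, entries):
    """Return a copy of the SBOM with the VEX entries embedded."""
    return {**bom, "vulnerabilities": list(entries)}


# Constructed release-to-release dependency sets.
RELEASE_1 = [("npm", "express", "4.18.2"), ("npm", "lodash", "4.17.20"), ("npm", "minimist", "1.2.5")]
RELEASE_2 = [("npm", "express", "4.18.2"), ("npm", "lodash", "4.17.21"), ("npm", "qs", "6.11.0")]

if __name__ == "__main__":
    old = make_sbom("shop", "1.0.0", RELEASE_1)
    new = make_sbom("shop", "1.1.0", RELEASE_2)
    print(json.dumps(diff_sboms(old, new), indent=2))
    # CVE-2021-44906 (minimist < 1.2.6) matches release 1. The assumed triage
    # verdict: minimist is pulled in by a dev-only tool and sits on no import
    # path from the application, so the VEX says so rather than leaving the
    # consumer to re-triage the match.
    vex = vex_entry("CVE-2021-44906", purl("npm", "minimist", "1.2.5"), False,
                    "minimist is a dev-only transitive; not imported on any path from the entrypoint")
    print(json.dumps(attach_vex(old, [vex])["vulnerabilities"], indent=2))
```

The diff is keyed on the version-less purl so a bump shows as changed rather than as one removal plus one addition. The VEX entry references the component's bom-ref, which is what lets a consumer line the statement up with the SBOM it ships with; the detail string is where the evidence for the verdict belongs, because a bare not_affected is not auditable.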
No model in the scanning path
There is no AI or ML model in the loop in scanning and scoring, so the same inputs always produce the same findings. Because no model sits in the loop, EU AI Act high-risk obligations do not apply to the scanning path. Graph-aware enhanced scanning, language-specific rulesets, and compliance reporting are in development or on the roadmap.
- Reproducible, auditable findings, no drift between runs
- EU AI Act high-risk obligations do not apply to the scanning path
- Graph-aware enhanced scanning and language-specific rulesets are in development
- Compliance reporting (PCI-DSS, SOC 2) is on the roadmap
From dependency graph to a list worth acting on.
Index
repowise parses your repo into a dependency graph and reads its git history. Code is processed transiently and never persisted; when you self-host, it never leaves your infrastructure.
Match
Known vulnerabilities are matched against your dependency set and scored with KEV and EPSS, not raw CVSS severity alone.
Filter
Findings are filtered against the real dependency graph, so what remains are the vulnerabilities in packages your code actually reaches, not every package a lockfile happens to list.
Report
Triaged findings, secret detection across full git history, and a CycloneDX SBOM with diffs and VEX, all deterministic.
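The four steps above as one runnable pipeline, added here as an example and not repowise code. The import graph, the lockfile and the feed rows are constructed; the fixed_in versions follow the public advisories for the three CVEs named, but the CVSS, EPSS and KEV columns are a constructed snapshot, and the function names are the example's own.

```python
"""Index -> Match -> Filter -> Report on a dependency graph: an added example.

Not repowise code. The import graph, the lockfile and the vulnerability feed
below are constructed for the example. fixed_in versions follow the public
advisories; the CVSS, EPSS and KEV columns are a constructed snapshot, so a
real run reads them from NVD, FIRST's EPSS feed and CISA's KEV catalog.
"""
from collections import deque

# Index: importer -> imported packages. 'app' is the entrypoint. log4j-core is
# in the lockfile, pulled in by a test-only harness, but nothing on a path
# from 'app' imports it.
GRAPH = {
    "app": ["spring-webmvc", "commons-text"],
    "spring-webmvc": ["spring-beans", "spring-core"],
    "spring-beans": ["spring-core"],
    "spring-core": [],
    "commons-text": ["commons-lang3"],
    "commons-lang3": [],
    "test-harness": ["log4j-core"],
    "log4j-core": [],
}
LOCKFILE = {
    "spring-webmvc": "5.3.17", "spring-beans": "5.3.17", "spring-core": "5.3.17",
    "commons-text": "1.9", "commons-lang3": "3.12.0",
    "test-harness": "1.0", "log4j-core": "2.14.1",
}
# Feed rows: (cve, package, fixed_in, cvss, epss, in_kev). Scores constructed.
FEED = [
    ("CVE-2021-44228", "log4j-core", "2.15.0", 10.0, 0.97, True),
    ("CVE-2022-22965", "spring-beans", "5.3.18", 9.8, 0.97, True),
    ("CVE-2022-42889", "commons-text", "1.10.0", 9.8, 0.40, False),
]


def vtuple(version: str):
    """Numeric dotted versions only; real lockfiles need a semver/Maven parser."""
    return tuple(int(p) for p in version.split("."))


def reachable_paths(graph, entry):
    """BFS from the entrypoint; returns package -> the import path that reaches it."""
    paths = {entry: [entry]}
    todo = deque([entry])
    while todo:
        node = todo.popleft()
        for dep in graph.get(node, []):
            if dep not in paths:
                paths[dep] = paths[node] + [dep]
                todo.append(dep)
    return paths


def match(lockfile, feed):
    """Match: a feed row applies when the locked version is below the fix."""
    return [row for row in feed
            if row[1] in lockfile and vtuple(lockfile[row[1]]) < vtuple(row[2])]


def rank(row):
    """KEV membership dominates, then EPSS, then CVSS as the tiebreak."""
    return (not row[5], -row[4], -row[3])


def triage(graph, lockfile, feed, entry="app"):
    """Filter and report. Each item carries the import path as evidence.

    Unreachable matches are deferred, not discarded: the test harness above
    still runs in CI, so 'not on a path from app' is not 'never executes'.
    """
    paths = reachable_paths(graph, entry)
    report = {"act": [], "deferred": []}
    for cve, pkg, fixed, cvss, epss, kev in sorted(match(lockfile, feed), key=rank):
        item = {"cve": cve, "package": pkg, "version": lockfile[pkg],
                "fixed_in": fixed, "cvss": cvss, "epss": epss, "kev": kev,
                "path": paths.get(pkg)}
        report["act" if pkg in paths else "deferred"].append(item)
    return report


if __name__ == "__main__":
    for bucket, items in triage(GRAPH, LOCKFILE, FEED).items():
        for it in items:
            print(bucket, it["cve"], f"{it['package']}@{it['version']}", "fix:", it["fixed_in"],
                  "KEV" if it["kev"] else f"EPSS={it['epss']}", it["path"])
```

Three feed rows match the lockfile. Ranking by CVSS alone would put the Log4Shell row first, but it is the one package with no import path from the application, so it lands in the deferred bucket with a note rather than at the top of the list; the Spring row, also in KEV, leads the actionable list with the path app -> spring-webmvc -> spring-beans as evidence. The path is what makes a triage decision reviewable later.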
One graph, security included.
In the dashboard
A Security view with usage-aware CVE triage, secret findings, and the SBOM, alongside health and risk.
In your AI agent
get_risk surfaces security signals next to hotspots, dependents, and ownership over MCP.
On the dependency graph
Reachability is computed on the same two-tier graph that powers architecture and blast radius.
Across your history
Secret detection looks at every commit, not just the current tree, so old leaks are not missed.
For audits and procurement
A CycloneDX SBOM with version diffs and VEX to communicate true exploitability.
On your own infrastructure
Self-hostable under AGPL-3.0, deterministic, with no model in the scanning path.
Generic scanners rank by CVSS and bury you in findings for code you never execute. repowise scores with KEV and EPSS, filters by what you actually reach on the dependency graph, and runs deterministically on a graph you can self-host.
Questions, answered
Does it scan code I do not actually call?
That is the part most scanners get wrong. repowise scores known vulnerabilities with KEV and EPSS, then filters them against your real dependency graph so the list narrows to the vulnerabilities your code actually reaches. A CVE in a package you import but never execute is not the same as one on a live code path, and the triage reflects that. Usage-aware CVE triage is generally available on the hosted platform. Function-level reachability triage, which narrows further to the exact functions you call, is on the roadmap.
Where does my code go, and can I self-host?
When you self-host, your code never leaves your infrastructure; the managed hosted platform is optional. repowise is open source under AGPL-3.0 and fully self-hostable. On either deployment, raw source is processed transiently and never persisted. What is stored is the dependency graph, embedding vectors derived from the code, generated wiki pages, and git metadata, not your source files. Those derived artifacts still describe your code, so scope access to them as you would to the repository itself.
What about secrets that are already in my history?
Secret detection runs across your full git history, not just the current tree. A key that was committed and later removed is still recoverable from history and still a live exposure, so repowise looks at every commit rather than the current checkout alone. Secret detection across full git history is generally available on the hosted platform.
Do you generate an SBOM?
Yes. repowise generates a CycloneDX software bill of materials and produces diffs between versions, so you can see exactly what changed in your dependency set between releases. VEX is supported for communicating which listed vulnerabilities actually affect you. SBOM (CycloneDX) generation and diffs are generally available on the hosted platform.
Is there an AI model in the scanning path?
No. There is no model in the loop in the scanning and scoring path, so results are deterministic, reproducible, and auditable. The same inputs always produce the same findings. Because no AI or ML model sits in the loop, EU AI Act high-risk obligations do not apply to the scanning path.
What compliance reports exist?
Today repowise generates a CycloneDX SBOM with version diffs and VEX, and there is an audit trail for the security surface on the Teams tier and above. Compliance reporting for frameworks such as PCI-DSS and SOC 2 is on the roadmap and not yet shipped. We mark roadmap items clearly rather than implying they are available now.
How is this different from a generic CVE scanner?
Generic scanners rank findings by CVSS severity and return everything that matches a manifest, including vulnerabilities in code you never execute. repowise scores with KEV and EPSS and then filters to what you actually reach on the dependency graph, so the list you act on is the list worth acting on. The scanning path is deterministic and the whole thing is self-hostable.
Which security capabilities are shipped versus on the roadmap?
Generally available on the hosted platform: CVE-aware dependency analysis with KEV and EPSS, usage-aware CVE triage, secret detection across full git history, and SBOM (CycloneDX) generation and diffs. In development: graph-aware enhanced scanning and language-specific security rulesets. On the roadmap: function-level reachability triage and compliance reporting for PCI-DSS and SOC 2.