repowise is a codebase intelligence platform, not a vulnerability scanner. On top of its dependency graph it adds usage-aware CVE triage that scores known vulnerabilities with KEV and EPSS, then filters them to the code you actually reach, plus secret detection across full git history and security signals in review. The scanning path is deterministic, with no model in the loop, so findings are reproducible and auditable. Run repowise alongside Snyk or SAST: they own vulnerability detection, repowise narrows the list to what matters.
repowise security is reachability-aware CVE triage and secret detection built on the same dependency graph that powers its code health and architecture views. It scores known vulnerabilities with KEV and EPSS and filters them to the code you actually reach, and scans full git history for secrets. It is not a SAST or vulnerability scanner and does not replace one; it triages, deterministically, with no model in the scanning path.

What repowise security is (and is not)
repowise is a codebase intelligence platform, not a vulnerability scanner. It will not replace Snyk, a SAST engine, or your SCA tool, and it does not try to.
What it adds is a reachability layer on the dependency graph it already builds. It takes known vulnerabilities, scores them with KEV and EPSS, and filters them to the code you actually reach, so the list you act on is the list worth acting on.
The honest framing: Snyk and SAST own vulnerability detection; repowise owns triage and context. Run both. The scanning path is deterministic, with no model in the loop, so every finding is reproducible and auditable.
How does it help you?
Three jobs, all built on the same graph and git history that power code health and architecture. None of them invent new vulnerability detection; they make the findings you already have actionable.
| Job | What repowise does | Status |
|---|---|---|
| Usage-aware CVE triage | Scores known vulnerabilities with KEV and EPSS, then filters to the ones your code actually reaches on the dependency graph. | Generally available on the hosted platform |
| Secret detection | Scans full git history, not just the current tree, so a key committed and later removed is still surfaced as a live exposure. | Generally available on the hosted platform |
| In-review security signals | get_risk surfaces security signals alongside hotspots, dependents, and co-change partners; the Repowise PR Bot comments deterministically with zero LLM calls. | Generally available |
A CVE in a package you import but never execute is not the same risk as one on a live code path, and the triage reflects that. Function-level reachability triage, which narrows to the exact call paths, is on the roadmap.
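The package-level triage described above, as an added illustration written for this page rather than repowise's own implementation: it walks the dependency graph from the packages the application actually imports, drops findings on packages it never reaches, and ranks the rest KEV first, then by EPSS. The package names, CVE placeholders and scores are constructed sample data.

```python
from collections import deque

# Constructed sample data (not from repowise): a lockfile-style dependency
# graph, the packages the application's own code imports, and SCA findings
# with placeholder CVE ids, an EPSS probability and a KEV flag.
DEPENDENCY_GRAPH = {
    "web-framework": ["http-parser", "template-engine"],
    "image-lib": ["compression-lib"],
    "http-parser": [],
    "template-engine": [],
    "compression-lib": [],
    "legacy-xml": ["old-parser"],  # in the lockfile, but nothing imports it
    "old-parser": [],
}
USED_BY_APP = ["web-framework", "image-lib"]  # what the app code actually imports

FINDINGS = [
    {"id": "CVE-PLACEHOLDER-A", "package": "http-parser", "epss": 0.02, "kev": False},
    {"id": "CVE-PLACEHOLDER-B", "package": "old-parser", "epss": 0.95, "kev": True},
    {"id": "CVE-PLACEHOLDER-C", "package": "compression-lib", "epss": 0.61, "kev": True},
    {"id": "CVE-PLACEHOLDER-D", "package": "template-engine", "epss": 0.40, "kev": False},
]


def reachable_packages(graph, roots):
    """Breadth-first walk over the dependency graph from the imported packages."""
    seen, queue = set(roots), deque(roots)
    while queue:
        for dep in graph.get(queue.popleft(), []):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def triage(findings, graph, roots):
    """Keep only findings on reachable packages; rank KEV first, then by EPSS."""
    reach = reachable_packages(graph, roots)
    kept = [f for f in findings if f["package"] in reach]
    return sorted(kept, key=lambda f: (not f["kev"], -f["epss"]))


if __name__ == "__main__":
    # CVE-PLACEHOLDER-B is KEV-listed with the highest EPSS, yet it is dropped:
    # old-parser is never reached from the application's imports.
    for f in triage(FINDINGS, DEPENDENCY_GRAPH, USED_BY_APP):
        print(f"{f['id']:20} {f['package']:16} kev={f['kev']!s:5} epss={f['epss']:.2f}")
```

This ranks at package granularity; the function-level call-path narrowing mentioned as roadmap would need a call graph, not just the dependency graph.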

Where Snyk and SAST are stronger
repowise does not detect vulnerabilities in your own source. SAST tools own taint analysis, data-flow tracking, and the discovery of new flaws in code you wrote; that is their job, and repowise does not compete for it.
repowise also does not yet ship compliance reporting for frameworks like PCI-DSS or SOC 2. An audit trail and a CycloneDX SBOM are generally available on the hosted platform, but dedicated compliance templates are on the roadmap and marked as planned, not shipped.
Use them together: let Snyk or your SAST engine find the vulnerabilities, and let repowise score them against your real graph so you triage the subset that actually reaches your code.
How each role uses this feature
Stop drowning in CVEs for code you never run: triage known vulnerabilities by what you actually reach on the dependency graph, and find secrets buried in history.
Run the whole scanning path inside your perimeter, deterministic and self-hosted, with no model in the loop so EU AI Act high-risk obligations do not apply.