Dependency execution intelligence
Security for the code you didn't write.
Modern software is assembled, not written. depgaze checks the dependencies moving through your pipeline and your editor — the malicious, the abandoned, the risky — and tells you what to do about them.
- Works in CI/CD
- npm + PyPI
- Bring your own LLM
- Callable by AI agents
malicious@5.6.1: Blocked. Behaves like credential theft: reaches out to a server it has no reason to contact while installing.
Fix: remove it before it runs, and rotate any exposed tokens.
lodash@4.17.21: Allowed. Clean. Does exactly what a utility library should, and nothing else.
The problem
Most of your software is code you never reviewed.
A maintainer you'll never meet ships a new version at 2 a.m. Your pipeline pulls it within the hour and runs it — with your tokens, your secrets, your production network. You find out it was compromised when everyone else does: from the advisory, hours later. By then, it has already run.
In 2025 alone, 454,648 packages in the wild were outright malicious — and most of the code in your build is code you never chose to install.
You choose about ten dependencies. Your build ships more than eighty.
The vast majority of what you ship is transitive — pulled in by your dependencies' dependencies. It is the largest, least-watched attack surface in modern software.
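The direct-versus-transitive split is something you can measure on your own lockfile rather than estimate. The script below is an added example, not code from this page or from depgaze. It assumes the npm lockfileVersion 2/3 layout, where "packages" is keyed by the on-disk path ("", "node_modules/a", "node_modules/a/node_modules/b", ...) and each entry lists its own "dependencies"; it applies Node's nearest-node_modules resolution so nested duplicate versions are counted as the separate installs they are. The lockfile, package names and versions are constructed for the example.

```python
"""
Direct vs transitive dependencies from an npm lockfile.

Added example, not code from the page or from depgaze. It assumes the
lockfileVersion 2/3 layout, where "packages" is keyed by the on-disk path
and each entry lists its own "dependencies". The lockfile below is
constructed for the example; the names and versions are made up.
"""
import json
from collections import deque

SAMPLE_LOCKFILE = json.loads("""
{
  "name": "app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "dependencies": {"web": "^1.0.0", "util": "^2.0.0"}},
    "node_modules/web": {"version": "1.0.0",
                         "dependencies": {"parser": "^1.0.0", "util": "^1.0.0"}},
    "node_modules/web/node_modules/util": {"version": "1.9.0"},
    "node_modules/util": {"version": "2.3.0"},
    "node_modules/parser": {"version": "1.2.0", "dependencies": {"tokenizer": "^0.5.0"}},
    "node_modules/tokenizer": {"version": "0.5.1", "dependencies": {"tiny-pad": "^0.0.3"}},
    "node_modules/tiny-pad": {"version": "0.0.3"}
  }
}
""")


def resolve(packages: dict, from_path: str, name: str):
    """Node-style resolution: nearest node_modules/<name> walking up from from_path.

    Returns the lockfile key of the package that `from_path` actually gets when
    it requires `name`, or None if the lockfile does not contain it.
    """
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        # Drop the innermost "/node_modules/<pkg>" segment and look one level up.
        cut = base.rfind("/node_modules/")
        base = base[:cut] if cut != -1 else ""


def walk(packages: dict) -> dict:
    """Breadth-first walk from the root, recording each installed package once.

    Depth is the length of the shortest dependency chain from the root, so
    depth 1 is a direct dependency and anything deeper is transitive. The
    same name can appear twice at different paths (nested versions); both
    copies are counted because both get installed and run.
    """
    seen = {}
    queue = deque([("", [])])
    while queue:
        path, chain = queue.popleft()
        for name in packages[path].get("dependencies", {}):
            target = resolve(packages, path, name)
            if target is None or target in seen:
                continue
            seen[target] = {
                "name": name,
                "version": packages[target]["version"],
                "depth": len(chain) + 1,
                "chain": chain + [name],
            }
            queue.append((target, chain + [name]))
    return seen


def summarize(lockfile: dict):
    """Return (direct_count, transitive_count, transitive_entries)."""
    seen = walk(lockfile["packages"])
    direct = [v for v in seen.values() if v["depth"] == 1]
    transitive = [v for v in seen.values() if v["depth"] > 1]
    return len(direct), len(transitive), transitive


if __name__ == "__main__":
    direct_n, transitive_n, transitive = summarize(SAMPLE_LOCKFILE)
    print(f"you chose {direct_n}, your build ships {direct_n + transitive_n}")
    for entry in sorted(transitive, key=lambda e: e["depth"]):
        print(f"  {entry['name']}@{entry['version']}  via {' > '.join(entry['chain'][:-1])}")
```

On the constructed lockfile the root chose two packages and ships six: the second copy of util (1.9.0, nested under web) is a package nobody in the project picked, which is exactly the kind of install that only a lockfile walk, not package.json, reveals. Point `summarize` at `json.load(open("package-lock.json"))` for a real project.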
The product
Protection that lives where developers work.
depgaze runs inside CI and your editor, at install time — the moment a dependency actually enters your project, and the only point early enough to do something about it.
- Step 01
Observe
Watch every dependency entering your pipeline and your local dev loop, across npm and PyPI.
- Step 02
Judge
Score each package for malice, rot, triviality, and risk — in real time, at the moment it's installed.
- Step 03
Explain & fix
Surface a plain-language verdict and a concrete fix — to the developer, or to the agent that called it.
- Step 04
Learn
Every decision sharpens the judgment behind the next one. The product compounds with use.
AI agents pull dependencies at machine speed, with no one reading the diff. depgaze answers to them the same way it answers to you.
In action
It judges what a package does.
Most tools read a package's code and infer intent. depgaze looks at how it behaves — so it catches the compromises that pass reputation checks and CVE lists. A trusted package, a poisoned update: you get what happened, in plain language, the moment it happens. Plus the fix.
- Plain-language verdicts
- A specific fix
- For developers and agents alike
$ depgaze analyze malicious@5.6.1
ran the install in a safe, throwaway space — nothing touched the real machine
spawned a hidden background process
read ~/.npmrc — your registry credentials
opened a connection to 23.105.x.x — a server it had never contacted
Blocked: looks like credential exfiltration
Fix: remove it, and rotate anything it could read
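What turns the sandboxed observations above into an allow/block decision is a judgement over the sequence of events, not over the package's source. The script below is an added example of that step, not depgaze's own detection logic (which the page keeps closed). It assumes the install has already been run in a throwaway sandbox that emitted a flat list of events (process spawns, file opens, outbound connections); the event schema, the rules, the credential-file list and the two sample traces are constructed for the example. The package names, the ~/.npmrc read and the 23.105.x.x host are the ones the page's demo output shows.

```python
"""
Behavioural verdict from an install-time event trace.

Added example, not depgaze's detection logic. It assumes the install was run
in a throwaway sandbox that emitted a flat list of events: process spawns,
file opens and outbound connections. The event schema, the rules and the two
sample traces are constructed for the example.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Files whose contents unlock registries, clouds or CI. Constructed list; a
# real deployment would extend it per platform.
CREDENTIAL_FILES = {
    ".npmrc", ".pypirc", ".netrc", ".git-credentials",
    ".aws/credentials", ".docker/config.json",
}


@dataclass
class Event:
    kind: str                  # "spawn" | "open" | "connect"
    detail: str                # argv for spawn, path for open, "host:port" for connect
    background: bool = False   # spawn detached from the install (nohup, &, setsid)


@dataclass
class Verdict:
    decision: str              # "Allowed" | "Blocked"
    observations: list = field(default_factory=list)
    fix: str = ""


def is_credential_path(path: str) -> bool:
    """Match the file name, or the last directory plus file name, against the list."""
    parts = PurePosixPath(path).parts
    return parts[-1] in CREDENTIAL_FILES or "/".join(parts[-2:]) in CREDENTIAL_FILES


def judge(events: list, expected_hosts: set) -> Verdict:
    """Allow or block based on what the install did, not on what its code looks like.

    expected_hosts: endpoints the install has a reason to contact (its registry,
    a CDN declared in its metadata). Anything else is an unexplained connection.
    """
    observations = []
    read_credentials = False
    unexpected_hosts = []
    hidden_process = False
    for ev in events:
        if ev.kind == "spawn" and ev.background:
            hidden_process = True
            observations.append(f"spawned a hidden background process: {ev.detail}")
        elif ev.kind == "open" and is_credential_path(ev.detail):
            read_credentials = True
            observations.append(f"read {ev.detail}")
        elif ev.kind == "connect":
            host = ev.detail.rsplit(":", 1)[0]   # assumes "host:port", IPv4 or a name
            if host not in expected_hosts:
                unexpected_hosts.append(host)
                observations.append(f"opened a connection to {host}, not a declared endpoint")
    # Credential read plus an unexplained outbound connection is the exfiltration shape.
    if read_credentials and unexpected_hosts:
        return Verdict("Blocked", observations, "remove it, and rotate anything it could read")
    # A process that outlives the install has no business in a library install.
    if hidden_process:
        return Verdict("Blocked", observations, "remove it and inspect the install scripts")
    return Verdict("Allowed", observations)


# Constructed traces, shaped like the page's demo output.
MALICIOUS_TRACE = [
    Event("spawn", "node scripts/postinstall.js"),
    Event("spawn", "sh -c 'nohup node .cache/x.js &'", background=True),
    Event("open", "/home/dev/.npmrc"),
    Event("connect", "23.105.x.x:443"),
]
CLEAN_TRACE = [
    Event("open", "/home/dev/project/node_modules/lodash/package.json"),
    Event("connect", "registry.npmjs.org:443"),
]
EXPECTED_HOSTS = {"registry.npmjs.org"}

if __name__ == "__main__":
    for label, trace in (("malicious@5.6.1", MALICIOUS_TRACE), ("lodash@4.17.21", CLEAN_TRACE)):
        v = judge(trace, EXPECTED_HOSTS)
        print(f"{label}: {v.decision}")
        for line in v.observations:
            print(f"  {line}")
        if v.fix:
            print(f"  Fix: {v.fix}")
```

Two design choices worth noting. The rule blocks on the combination of a credential read and an unexplained connection rather than on either alone, because a postinstall that fetches a prebuilt binary from a CDN is common and legitimate; it still records the connection as an observation so the developer sees it. And the verdict only covers what the install step did: a package whose payload fires when it is first imported at runtime would need the same observation applied to a test or smoke run, which is a caveat to keep in mind for any install-time check.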
FAQ
Questions teams ask first.
What depgaze does, where it fits, and an honest line about what we keep behind the curtain.
How is this different from a vulnerability scanner?
Those check your dependencies against a list of already-known vulnerabilities. They can't see a brand-new compromise: a zero-day, a hijacked maintainer account, malicious code freshly slipped into a trusted package. depgaze doesn't rely on reputation or history; it judges a package on how it actually behaves, so a first-of-its-kind attack is caught the first time it runs.
How does it fit into an existing workflow?
It's built to live at install and build time without getting in the way. You get a clear allow / block verdict and a recommended fix in the flow you already use, CI/CD or the inner loop, not a separate dashboard you have to remember to check.
Can AI agents use it?
Yes. depgaze is callable by agents from V1, not just by humans. As agents pull dependencies at machine speed with no one reading the diff, depgaze acts as the guardrail they invoke before code lands.
Which ecosystems are supported?
npm and Python (PyPI) are live today, the two registries that run most of the software world. More are on the roadmap. Most modern teams touch both, and depgaze covers them in one workflow.
Where does analysis run, and what leaves my infrastructure?
depgaze runs where you work and supports bringing your own model provider, so you stay in control of where analysis happens and what leaves your infrastructure. Security-conscious teams can keep everything in-house.
How does it work under the hood?
That's the part we keep close. What we'll say: it evaluates real behaviour rather than surface-level code, which is why it catches attacks that source-level tools miss. If you'd like to see it work on your own dependencies, request early access; the verdicts speak for themselves.
Get started
Join the private beta.
A limited group of developers, DevOps and security engineers, running depgaze on their own dependencies. Applications are open through June; the beta runs in July.