polyfill.io was silently hijacked in June 2024, serving malicious code to 100,000+ websites. Your CVE scanner missed it.
The supply chain attack that breaks production won't warn you first.
OSPulse detects abandoned packages, compromised dependencies, and supply chain attacks before your CVE scanner wakes up.
Traditional scanners answer yesterday's questions.
A CVE is assigned only after a vulnerability has been found and disclosed, and often after it has already been exploited. OSPulse watches the signals that come before.
Dependabot / Snyk
- Is there a known CVE?
- Is this version in the vulnerable range?
- Is the licence allowed?
- Is there a newer version?
OSPulse
- Is this package being abandoned right now?
- Have its maintainers gone silent?
- Is this package in a live breach feed?
- Has the source repo been hijacked?
- Is the release cadence collapsing?
- Which of our apps breaks if this fails?
- What should we replace, fork, pin, or escalate?
Intelligence your CVE scanner doesn't have.
Supply chain attacks caught in real time
OSPulse monitors OSV.dev, npm security advisories, PyPI malware reports, Socket.dev threat feeds, Sonatype intelligence, CISA KEV, and more — cross-referenced against your actual dependency tree. When a package you depend on appears in a breach feed, you know within minutes.
- Breach feed monitoring across 8+ intelligence sources
- Account takeover and maintainer hijack detection
- Typosquatting and dependency confusion alerts
- Malicious code injection pattern matching
- Blast radius: which of your apps are affected
- Immediate remediation playbook generated
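What the cross-reference step above amounts to, as an added illustration (not OSPulse code): walk OSV-format advisories, test every resolved dependency edge against the affected SEMVER ranges, and report which app pulls in the affected version, via which path, and the first fixed version to upgrade to. The advisory, its id, the package name and the dependency trees are all constructed for this example; only the OSV schema field names are real.

```python
"""Cross-reference a dependency tree against OSV-format advisories and report
the blast radius: which apps pull in an affected version, via which path.
Added illustration, not OSPulse code. The advisory and the dependency trees
below are constructed for this example; the id and package name are invented."""

# Constructed advisory using the public OSV schema field names
# (id, affected[].package, affected[].ranges[].events). Not a real advisory.
ADVISORIES = [
    {
        "id": "EXAMPLE-2024-0001",
        "summary": "malicious code added to published tarball (constructed)",
        "affected": [{
            "package": {"ecosystem": "npm", "name": "left-padder"},
            "ranges": [{"type": "SEMVER",
                        "events": [{"introduced": "3.1.0"}, {"fixed": "3.1.2"}]}],
        }],
    },
]

# Constructed resolved dependency trees: app -> [(ecosystem, name, version, path)]
APPS = {
    "checkout":  [("npm", "left-padder", "3.1.1", "checkout > ui-kit > left-padder")],
    "billing":   [("npm", "left-padder", "3.0.9", "billing > left-padder")],
    "reporting": [("npm", "left-padder", "3.1.2", "reporting > left-padder")],
}


def parse_semver(version):
    """Numeric core only; pre-release and build tags are ignored (an approximation)."""
    core = version.split("+", 1)[0].split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def in_range(version, events):
    """OSV SEMVER range walk: events are in ascending order; 'introduced' opens a
    vulnerable interval, 'fixed' closes it (exclusive), 'last_affected' closes it (inclusive)."""
    v = parse_semver(version)
    vulnerable = False
    for event in events:
        if "introduced" in event:
            if event["introduced"] == "0" or v >= parse_semver(event["introduced"]):
                vulnerable = True
        elif "fixed" in event and v >= parse_semver(event["fixed"]):
            vulnerable = False
        elif "last_affected" in event and v > parse_semver(event["last_affected"]):
            vulnerable = False
    return vulnerable


def first_fixed(events):
    """First 'fixed' version in the range, i.e. the minimum safe upgrade target, or None."""
    return next((e["fixed"] for e in events if "fixed" in e), None)


def blast_radius(advisories, apps):
    """Map advisory id -> [(app, package, version, path, upgrade_to)] for every
    dependency edge whose version falls inside an affected range."""
    hits = {}
    for adv in advisories:
        for affected in adv["affected"]:
            pkg = (affected["package"]["ecosystem"], affected["package"]["name"])
            semver_ranges = [r for r in affected.get("ranges", []) if r["type"] == "SEMVER"]
            explicit = set(affected.get("versions", []))   # OSV may also list versions verbatim
            for app, deps in apps.items():
                for eco, name, version, path in deps:
                    if (eco, name) != pkg:
                        continue
                    if version in explicit or any(in_range(version, r["events"]) for r in semver_ranges):
                        fix = next((first_fixed(r["events"]) for r in semver_ranges
                                    if first_fixed(r["events"])), None)
                        hits.setdefault(adv["id"], []).append((app, name, version, path, fix))
    return hits


if __name__ == "__main__":
    for adv_id, edges in blast_radius(ADVISORIES, APPS).items():
        for app, name, version, path, fix in edges:
            action = f"upgrade to {fix}" if fix else "pin a known-good version or remove"
            print(f"{adv_id}: {app} pulls {name}@{version} via {path}; {action}")
```

Only `checkout` is reported: `billing` sits below the introduced version and `reporting` is already on the fixed one. A real feed can also carry `last_affected` instead of `fixed`, which is why the range walk handles both; in that case there is no upgrade target and the only options are to pin a known-good version or remove the package.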
Detect abandoned packages before they become incidents
Traditional scanners wait for a CVE. OSPulse tracks commit velocity, release cadence, maintainer activity, issue responsiveness, and bus factor, flagging packages that are quietly going dark weeks or months before they become an incident. An unmaintained package is the one that never gets a fix, and the one most likely to be handed to an unvetted new maintainer.
- Commit velocity collapse detection (>70% drop from the package's previous level)
- Maintainer activity monitoring (90-day and 365-day windows)
- Bus factor estimation — single-maintainer risk alerts
- Release cadence deterioration scoring
- Issue and PR backlog growth analysis
- Package abandonment prediction with confidence score
Every dependency. A single score. Full evidence.
Each package receives a 0–100 health score with a confidence rating and complete evidence trail. Ten weighted dimensions — maintainer health, activity, release cadence, vulnerability exposure, licence risk, provenance, and more.
- Health score 0–100 across 10 weighted dimensions
- Confidence score flags low-evidence packages
- Weights configurable per tenant policy
- Full evidence trail for every score
- Historical score trend charts
- Risk level: Minimal / Low / Medium / High / Critical
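The two sections above (abandonment signals, then the weighted score with confidence and evidence) together describe one pipeline. The following added example, written for this page and not OSPulse's code, runs it over a constructed commit history: it computes recent-versus-prior commit velocity, active maintainers in 90-day and 365-day windows, a bus factor, then rolls those signals into a 0-100 score, a confidence rating, a risk band and an evidence dictionary. The dimension weights, the window sizes, the bus-factor definition (smallest set of authors responsible for at least half the commits) and the risk bands are illustrative assumptions; the page only states the 70% threshold and the 90/365-day windows.

```python
"""Abandonment signals from a commit log, rolled into a weighted 0-100 health
score with a confidence rating. Added example with illustrative weights and
thresholds; the commit history is constructed, not real data."""
from collections import Counter
from datetime import date, timedelta

VELOCITY_COLLAPSE_DROP = 0.70   # the >70% threshold the page quotes
# Illustrative dimension weights: an assumption for this example, not the product's own.
WEIGHTS = {"velocity": 0.35, "active_maintainers": 0.25, "bus_factor": 0.20, "recent_activity": 0.20}
TODAY = date(2024, 7, 1)        # fixed "now" so the constructed history is reproducible


def synthetic_history(today):
    """Constructed history: three maintainers for ~200 days, then one maintainer trickling."""
    commits = []
    for age in range(300, 100, -2):          # every second day, 300..102 days ago
        commits.append((today - timedelta(days=age), ("alice", "bob", "carol")[age % 3]))
    for age in range(100, 0, -20):           # one commit every 20 days, alice only
        commits.append((today - timedelta(days=age), "alice"))
    return commits


def bus_factor(author_counts):
    """Smallest number of authors who together made >= 50% of commits (one common definition)."""
    total = sum(author_counts.values())
    running, n = 0, 0
    for _, count in author_counts.most_common():
        running += count
        n += 1
        if running * 2 >= total:
            return n
    return n


def abandonment_signals(commits, today):
    """Raw signals over 90/180/365-day windows; each value is kept as evidence."""
    aged = [((today - day).days, author) for day, author in commits]
    recent = [a for age, a in aged if 0 <= age < 90]
    prior = [a for age, a in aged if 90 <= age < 180]
    year = Counter(a for age, a in aged if 0 <= age < 365)
    drop = 1 - len(recent) / len(prior) if prior else 0.0
    return {
        "recent_commits": len(recent),
        "prior_commits": len(prior),
        "velocity_drop": drop,
        "velocity_collapse": drop > VELOCITY_COLLAPSE_DROP,
        "active_maintainers_90d": len(set(recent)),
        "active_maintainers_365d": len(year),
        "single_maintainer_risk": len(set(recent)) <= 1,
        "bus_factor_365d": bus_factor(year),
        "commits_365d": sum(year.values()),
    }


def health_score(sig):
    """Weighted 0-100 score, confidence from how much history backed it, and the per-dimension evidence."""
    dims = {
        "velocity": 100 * (1 - max(sig["velocity_drop"], 0.0)),
        "active_maintainers": 100 * min(sig["active_maintainers_90d"], 3) / 3,
        "bus_factor": 100 * min(sig["bus_factor_365d"], 3) / 3,
        "recent_activity": 100 * min(sig["recent_commits"] / 13, 1.0),  # ~weekly commits = full marks
    }
    score = sum(WEIGHTS[k] * v for k, v in dims.items())
    confidence = min(sig["commits_365d"] / 50, 1.0)   # sparse history means a low-evidence score
    bands = [(80, "Minimal"), (60, "Low"), (40, "Medium"), (20, "High"), (0, "Critical")]
    level = next(name for floor, name in bands if score >= floor)
    return {"score": round(score, 1), "confidence": round(confidence, 2), "risk": level, "evidence": dims}


if __name__ == "__main__":
    signals = abandonment_signals(synthetic_history(TODAY), TODAY)
    print(signals)
    print(health_score(signals))
```

On the constructed history the commit count falls from 40 in the prior 90 days to 4 in the last 90 (a 90% drop, past the 70% line), only one maintainer is still active, and the score lands in the High band with full confidence because a year of history backed it. A package with only a handful of commits would score with low confidence instead, which is the "low-evidence" flag the section describes.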
Everything else you'd expect from an enterprise platform
Policy Engine
Define policies at tenant, workspace, team, or repo level. Enforce in CI/CD with pass/fail gates.
CI/CD Integration
GitHub Actions, Azure DevOps pipelines, GitLab CI. Pull request checks with actionable comments.
Executive Dashboards
Leadership-ready risk summaries alongside raw evidence. The right view for every stakeholder.
AI Risk Summaries
Plain-English explanations of why a package is risky, grounded in deterministic evidence. Auditable.
SBOM Import / Export
CycloneDX and SPDX support. Import existing SBOMs, export for compliance and procurement.
Enterprise Auth
SSO with OIDC and SAML, SCIM, MFA, RBAC with 11 role types, full audit trail.
Smart Alerting
Route alerts to Slack, Teams, email, or webhooks. 20 alert types with suppression controls.
Compliance Reports
ISO 27001, SOC 2, Cyber Essentials Plus. Exportable evidence with approval history and audit trail.
10+ Ecosystems
npm, NuGet, PyPI, Maven, Go, Cargo, RubyGems, Composer, Docker, GitHub Actions.
Integrates with your existing stack
From startup to enterprise
Four tiers designed for teams of every size. Start free, scale as you grow.
View all pricing plans
Stop waiting for a CVE. Get ahead of the risk.
Join engineering and security teams who are already detecting dependency drift and supply chain compromise before it becomes a production incident.