Live intelligence on every dependency you trust
Query any open-source package or repository by ecosystem name or GitHub link. Alethe Labs resolves known vulnerabilities in real time, surfaces provenance and metadata, and verifies the declared license against the OSI-approved register, all in a single pass.
Vuln intel: Alethe Labs (continuously aggregated advisory feeds)
Coverage: Multi-ecosystem (npm, PyPI, crates, Go, Maven & more)
Provenance: Open Insights (dependency and source metadata)
Licenses: SPDX / OSI (approved-license verification)
How the Scanner Works
Resolve any dependency
Point the scanner at a package name or a GitHub repository and Alethe Labs normalizes it into a canonical, ecosystem-aware identifier.
Multi-ecosystem
Resolve npm, PyPI, crates, Go, Maven and more into ecosystem-aware queries.
GitHub repositories
Resolve owner/repo URLs into provenance, stars, and contributor signals.
Bare package names
Infer the most likely ecosystem from a plain dependency name.
Live vulnerability intelligence
Every query is checked in real time against continuously aggregated advisory feeds, and the matching advisories are ranked by severity so triage starts immediately.
Authoritative advisories
Ecosystem-aware vulnerability records with aliases and references.
Severity ranking
Critical, high, moderate, and low buckets surfaced at a glance.
Fix availability
Resolved version ranges extracted from each advisory where published.
OSI license verification
We check the declared license against the OSI-approved SPDX register and flag anything restrictive or unrecognized.
OSI-approved check
Confirms the SPDX identifier appears on the Open Source Initiative approved list.
Copyleft awareness
Distinguishes permissive, weak-copyleft, and strong-copyleft obligations.
Unknown-license flags
Surfaces missing or non-standard declarations for legal review.
From open-source intake to authorized deployment
The same intelligence that scores a dependency here flows directly into Narsil's evidence pipeline — so every component you accept arrives with vulnerability, provenance, and license posture already documented for your authorization package.