Dependency health for engineers

Dependency intelligence that fits on one page.

Scan a repo and get three numbers: how stale it is in libyears, how many known CVEs it carries, and how soon something reaches end-of-life. No 200-page audit.

  • Known CVEs
  • End-of-life
  • Unmaintained

  • 5 ecosystems: Go, npm, PyPI, Packagist, Docker
  • 4 output formats: JSON, Markdown, SARIF, slides
  • 0 agents required on your servers

Why Deeps

Built for engineers, not auditors

Most scanners produce compliance evidence for security teams. Deeps is for engineers cutting tech debt. The CLI fits one screen, the report fits one PR comment, and the dashboard tracks libyears over time. Hosting is optional: the scanner runs offline and uploads only when you ask it to.

Libyears

Every dependency's age, measured against its latest release. One score per package, summed per project. Sort the table to find the worst debt first.

CVEs that matter

Trivy finds them; Deeps sorts by severity, filters to the ones with a fix, and links straight to it. No 50-line descriptions to scroll past.

End-of-life detection

Reads your Dockerfile, package.json, go.mod, and composer.json, then checks endoflife.date. Tells you “Node 16 ends in 38 days” before it breaks in prod.

Notifications

Web push, email, APNs, FCM. Per project, per severity. Digest or realtime.

CLI

The same scan everywhere

The hosted dashboard runs the same pipeline as the CLI. Point it at any directory:

deeps scan --dir . \
  --severity-floor high \
  --max-libyears 100 \
  --format markdown

Run it anywhere

Where Deeps runs

  • CLI

    A single Go binary. Run it against any directory and get JSON, Markdown, SARIF, or KPI slides on stdout.

  • Docker image

    Trivy bundled, runs nonroot, about 80 MB. The base artefact every CI integration wraps.

  • GitHub Action

    A drop-in workflow step. Forgejo Actions uses the same action.yml unchanged.

  • GitLab CI template

    Include it from your .gitlab-ci.yml. Posts the Markdown report as an MR note.

  • Hosted dashboard

    Optional, coming soon. Cross-project library, scan history, libyears trends, and APIs an agent can call.

Try it

Grab the CLI and run it against any repo. The hosted dashboard is on the way.