Kusari Inspector seamlessly integrates software supply chain security analysis into your pull requests. Identify, manage, and mitigate supply chain risks early and effortlessly within your workflow using powerful AI and dependency graph analysis. Detects vulnerabilities, leaked secrets, workflow issues, risky dependencies, license concerns, and other supply chain threats—before code is merged.

Features

• Pull Request Inspection & Analysis: Trigger comprehensive supply chain security scans on every new or updated PR
• Instant In-PR Feedback: Clearly annotated reports in seconds right within your PRs
• Dependency Risk Assessment: Know about risky, low-trust or vulnerable dependencies early in development
• Understand Transitive Dependencies: Full understanding of your dependency tree to determine the likelihood of exploitation and risk
• Intelligent Vulnerability Ranking: Factor in CVSS, EPSS and KEV to determine the criticality of the vulnerability (along with the context of where it lives in the dependency tree)
• Actionable Insights: Clear go/no go direction with remediation suggestions and clear steps on what needs to be done to mitigate the risk

Checks

Kusari Inspector checks for:

• Credentials and other secrets
• Typosquatted dependency names
• Common code weaknesses via static analysis
• Direct and transitive dependencies
• Dependencies’ repository security posture
• Software licenses
  • Categorized into strong copy left, weak copy left, network copy left and permissive
• Known vulnerabilities, including severity (CVSS), likelihood of exploit (EPSS), and known exploited vulnerabilities
• GitHub workflow security issues
• DockerFile security issues
• Terraform security issues
• Helm chart security issues

Benefits

• Catch insecure dependencies and risky code early, less back-and-forth with security
• Empowered by context-rich, security-aware reviews directly in pull requests
• Inline explanations help build secure coding habits over time
• Know what’s safe to merge with clear guidance and fixes

Currently Supported Languages

• Golang (Go) - go.mod, go.sum
• Node.js (NPM) - package-lock.json, yarn.lock
• Python (PyPI) - requirements.txt, poetry.lock, pipfile.lock, uv.lock
• Java (Maven) - pom.xml, gradle.lockfile, buildscript-gradle.lockfile
• Ruby (RubyGems) - gemfile.lock
• Rust (Cargo) - cargo.lock
• HashiCorp Configuration Language (HCL)

Coming Soon

• .NET (Nuget)

Support

For support, feature requests, or feedback, contact our support team:

• Email: [email protected]
• Website: https://kusari.dev