SecurityPlugin
Dependicus ships with SecurityPlugin, which queries public vulnerability databases and enriches your dependency dashboard with security findings. It adds columns for severity, fix availability, and advisory details, and attaches security context to Linear and GitHub issue tickets.
Data sources
SecurityPlugin supports three data sources, each enabled independently:
- OSV (osv.dev) -- Queries the OSV batch API to find known vulnerabilities for each dependency version. Uses CVSS vectors (v3.0, v3.1, v4.0) to compute severity scores. Supports npm, PyPI, Go, and Cargo ecosystems.
- deps.dev (deps.dev) -- Checks deprecation status and optionally fetches transitive dependency counts. Useful for flagging abandoned packages. Supports npm, PyPI, Go, and Cargo ecosystems.
- GitHub Advisory Database -- Queries the GitHub Advisory API for security advisories affecting each dependency version. Supports npm, pip, Go, and Rust ecosystems. Uses `GITHUB_TOKEN` when available for higher rate limits.
Each source writes SecurityFinding objects into FactStore, keyed by dependency name and version. When multiple sources are enabled, findings from all sources are merged and deduplicated by advisory ID.
Programmatic setup
For custom cache TTLs, selective dependency counts, or other options beyond what the CLI flag provides, instantiate SecurityPlugin directly:
```ts
import { dependicusCli, SecurityPlugin } from 'dependicus';

// Root of the repository whose dependencies should be scanned.
const repoRoot = process.cwd();

void dependicusCli({
  repoRoot,
  plugins: [
    // Enable all three sources with their default settings.
    new SecurityPlugin({
      osv: true,
      depsdev: true,
      githubAdvisory: true,
    }),
  ],
}).run(process.argv);
```
Pass true for default settings, or pass a config object to customize behavior:
```ts
new SecurityPlugin({
  // OSV: smaller query batches, refresh cached vulnerability details every 3 days
  osv: { batchSize: 500, vulnCacheTtlDays: 3 },
  // deps.dev: skip the extra per-package dependency-count call, cache for 14 days
  depsdev: { includeDependencies: false, cacheTtlDays: 14 },
  // GitHub Advisory: re-query daily
  githubAdvisory: { cacheTtlDays: 1 },
});
```
Caching
All three sources use CacheService for persistent caching to avoid redundant API calls across runs. The plugin receives the cache via the init(ctx) lifecycle hook, so no manual wiring is needed. Cache TTL is configurable per source (default: 7 days for all three).
Table columns
When enabled, SecurityPlugin adds four columns to the HTML dashboard:
| Column | Key | Description |
|---|---|---|
| Severity | security | Worst severity across all findings (None/Low/Medium/High/Critical), linked to the first advisory URL |
| Fix Available | securityFix | Whether any advisory has a known fix (Yes/No) |
| Security | securityWhy | Linked advisory IDs and non-advisory rationale (e.g. deprecation, transitive dep count) |
| Deprecated | maintenance | Shows "Stale" for deprecated packages (from deps.dev) |
All columns support filtering. Severity and Fix Available use dropdown filters; Security uses free-text search.
Ticket integration
SecurityPlugin contributes descriptionSections to both Linear and GitHub issue specs. When findings exist for a dependency version, the ticket description includes:
- Security summary -- severity, CVSS score, advisory count, fix availability, maintenance posture
- Advisories -- deduplicated list of advisory IDs with summaries, severity, CVSS scores, and fix status, linked to their source URLs
- Why this matters -- non-advisory rationale (deprecation, transitive dependency counts)
These sections are appended to any sections from other plugins (like BasicCompliancePlugin).
Grouping detail pages
SecurityPlugin also provides getSections for grouping detail pages (e.g. per-team rollup pages). The security section shows counts of dependencies with advisories, how many have fixes available, and how many are clean.
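The following is an added example, not code from Dependicus. It ties together the behaviour described above: merging findings from several sources and deduplicating them by advisory ID, deriving the Severity, Fix Available and Security columns, building the ticket description sections, and computing the counts shown on grouping detail pages. The `SecurityFinding` shape, the function names, the placeholder advisory IDs and URL, and the constructed sample data are all assumptions for illustration; the example takes a numeric CVSS base score as input rather than parsing the vector itself, and buckets it with the standard CVSS v3.x/v4.0 qualitative scale.

```typescript
// Added example, not Dependicus code: merges findings from several sources
// (deduplicated by advisory ID), derives the dashboard columns, the ticket
// description sections and the grouping-page counts. The SecurityFinding
// shape below is an assumption, not the plugin's real FactStore record.

type Severity = 'None' | 'Low' | 'Medium' | 'High' | 'Critical';

export interface SecurityFinding {
  source: 'osv' | 'depsdev' | 'github';
  advisoryId?: string;   // absent for non-advisory context such as deprecation
  cvssScore?: number;    // base score, assumed already derived from the CVSS vector
  fixAvailable?: boolean;
  url?: string;
  rationale?: string;    // non-advisory rationale shown under "Why this matters"
}

const SEVERITY_ORDER: Severity[] = ['None', 'Low', 'Medium', 'High', 'Critical'];

// Qualitative rating scale shared by CVSS v3.0, v3.1 and v4.0.
export function severityFromScore(score: number | undefined): Severity {
  if (score === undefined || score <= 0) return 'None';
  if (score < 4.0) return 'Low';
  if (score < 7.0) return 'Medium';
  if (score < 9.0) return 'High';
  return 'Critical';
}

// Merge per-source finding lists for one dependency version. Advisories are
// deduplicated by ID, keeping the highest score and a fix if any source knows
// one; non-advisory findings (deprecation, dependency counts) pass through.
export function mergeFindings(...perSource: SecurityFinding[][]): SecurityFinding[] {
  const byId = new Map<string, SecurityFinding>();
  const nonAdvisory: SecurityFinding[] = [];
  for (const f of ([] as SecurityFinding[]).concat(...perSource)) {
    if (!f.advisoryId) { nonAdvisory.push(f); continue; }
    const prev = byId.get(f.advisoryId);
    if (!prev) { byId.set(f.advisoryId, { ...f }); continue; }
    const scores = [prev.cvssScore, f.cvssScore].filter((s): s is number => s !== undefined);
    byId.set(f.advisoryId, {
      ...prev,
      cvssScore: scores.length > 0 ? Math.max(...scores) : undefined,
      fixAvailable: Boolean(prev.fixAvailable || f.fixAvailable),
      url: prev.url ?? f.url,
    });
  }
  const merged: SecurityFinding[] = [];
  byId.forEach((f) => merged.push(f));
  return merged.concat(nonAdvisory);
}

export interface SecurityColumns { security: Severity; securityFix: 'Yes' | 'No'; securityWhy: string; }

// Derive the Severity, Fix Available and Security columns for one dependency version.
export function columnsFor(findings: SecurityFinding[]): SecurityColumns {
  const advisories = findings.filter((f) => f.advisoryId !== undefined);
  const worst = advisories
    .map((a) => severityFromScore(a.cvssScore))
    .reduce<Severity>((w, s) => (SEVERITY_ORDER.indexOf(s) > SEVERITY_ORDER.indexOf(w) ? s : w), 'None');
  const why = advisories.map((a) => a.advisoryId as string)
    .concat(findings.filter((f) => f.advisoryId === undefined).map((f) => f.rationale ?? ''))
    .filter((s) => s.length > 0)
    .join('; ');
  return { security: worst, securityFix: advisories.some((a) => a.fixAvailable) ? 'Yes' : 'No', securityWhy: why };
}

// Ticket description sections: security summary, advisories, and non-advisory rationale.
export function descriptionSections(name: string, version: string, findings: SecurityFinding[]): string[] {
  const cols = columnsFor(findings);
  const advisories = findings.filter((f) => f.advisoryId !== undefined);
  const rationale = findings.filter((f) => f.advisoryId === undefined);
  const sections = [`Security summary: ${name}@${version} severity ${cols.security}, ` +
    `${advisories.length} advisories, fix available: ${cols.securityFix}`];
  if (advisories.length > 0) {
    sections.push('Advisories:\n' + advisories.map((a) =>
      `- ${a.advisoryId} (${severityFromScore(a.cvssScore)}, CVSS ${a.cvssScore ?? 'n/a'}, ` +
      `fix: ${a.fixAvailable ? 'yes' : 'no'}) ${a.url ?? ''}`.trim()).join('\n'));
  }
  if (rationale.length > 0) {
    sections.push('Why this matters:\n' + rationale.map((r) => `- ${r.rationale}`).join('\n'));
  }
  return sections;
}

// Grouping-page counts: dependencies with advisories, with a fix available, and clean.
export function rollup(findingsByDep: Map<string, SecurityFinding[]>) {
  const counts = { withAdvisories: 0, withFix: 0, clean: 0 };
  findingsByDep.forEach((findings) => {
    const advisories = findings.filter((f) => f.advisoryId !== undefined);
    if (advisories.length === 0) { counts.clean += 1; return; }
    counts.withAdvisories += 1;
    if (advisories.some((a) => a.fixAvailable)) counts.withFix += 1;
  });
  return counts;
}

// Constructed sample: one advisory seen by both OSV and GitHub (only OSV knows of a
// fix), a second advisory from GitHub, and a deprecation note from deps.dev.
// Advisory IDs, URL and scores are placeholders, not real advisories.
export const SAMPLE_FINDINGS = mergeFindings(
  [{ source: 'osv', advisoryId: 'GHSA-EXAMPLE-0001', cvssScore: 7.5, fixAvailable: true,
     url: 'https://example.invalid/GHSA-EXAMPLE-0001' }],
  [{ source: 'github', advisoryId: 'GHSA-EXAMPLE-0001', cvssScore: 7.5 },
   { source: 'github', advisoryId: 'GHSA-EXAMPLE-0002', cvssScore: 9.8, fixAvailable: false }],
  [{ source: 'depsdev', rationale: 'deprecated on deps.dev' }],
);

console.log(descriptionSections('example-pkg', '1.2.3', SAMPLE_FINDINGS).join('\n\n'));
```

Two design points worth noting: the merge keeps the union of what each source knows about an advisory (highest score, a fix if any source reports one), so enabling a second source can only add information, never hide a fix; and "clean" on the rollup means no advisories, so a deprecated-but-unadvised package still counts as clean there while its "Stale" status shows in the Deprecated column.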
Configuration reference
SecurityPluginConfig
| Field | Type | Description |
|---|---|---|
| osv | boolean \| OsvConfig | Enable OSV.dev vulnerability lookups |
| depsdev | boolean \| DepsDevConfig | Enable deps.dev maintenance/ecosystem context |
| githubAdvisory | boolean \| GitHubAdvisoryConfig | Enable GitHub Advisory vulnerability lookups |
OsvConfig
| Field | Type | Default | Description |
|---|---|---|---|
| batchSize | number | 1000 | Batch size for OSV API queries |
| vulnCacheTtlDays | number | 7 | Days to cache individual vulnerability details |
DepsDevConfig
| Field | Type | Default | Description |
|---|---|---|---|
| includeDependencies | boolean | true | Include transitive dependency counts (extra API call per package) |
| cacheTtlDays | number | 7 | Cache TTL in days |
GitHubAdvisoryConfig
| Field | Type | Default | Description |
|---|---|---|---|
| cacheTtlDays | number | 7 | Cache TTL in days |