Dependency intelligence

Fixed versions, exploitability, reachability, EPSS, KEV, SSVC, licenses, and advisory enrichment.

Scope: Code And Supply Chain

Pencheff combines deterministic scanners, AI-guided probes, curated payloads, external tools, and evidence normalization so every signal lands in one remediation workflow.

Output: Unified evidence

Findings, reports, dashboards, exports, integrations, and retests all read from the same normalized record.

Method: Deterministic first

Pencheff favors repeatable checks, then uses AI for triage, enrichment, orchestration, and remediation where it adds signal.

Coverage

What does Dependency intelligence test?

  • OSV.dev, NVD 2.0, GitHub Advisory Database, RustSec, GoVulnDB, EPSS, CISA KEV, and SSVC enrichment.
  • Manifest support for npm, PyPI, Go modules, Cargo, Ruby, Composer, Maven, OS packages, and container packages.
  • SPDX 2.3 and CycloneDX 1.5 SBOM generation with optional Syft enrichment.
  • Reachability annotation that separates exploited, reachable, present, and unknown risk.
  • License policy checks and deterministic version-bump remediation for eligible dependencies.

Execution

How does Pencheff run this?

  • Parse repository manifests, lockfiles, or container package inventories.
  • Resolve packages to advisories, fixed versions, package URLs, and known exploitation signals.
  • Annotate reachability from imports, call paths, runtime evidence, or scanner context.
  • Generate SBOM output and link component rows back to findings.
  • Prioritize remediation by exploitability, reachability, business criticality, and compliance impact.

Evidence

What evidence does this produce?

  • Package name, ecosystem, installed version, fixed version, advisory id, CVSS, EPSS, KEV, and SSVC.
  • SBOM component records with PURL, supplier, version, license, and dependency relationships.
  • Reachability state, import evidence, or the reason the vulnerable component is currently classified as only present.
  • Audit appendix output for procurement, compliance, and release records.

Controls

How is this kept safe to run?

  • Dependency risk is not sorted by CVSS alone; operational signals influence priority.
  • SBOM generation is repeatable, and the output of the latest generation replaces stale records.
  • License and vulnerability policy can be used as release-gate input.
  • Version-bump fixes are deterministic when advisory metadata supports them.


FAQ

Common questions

What is dependency intelligence and how is it different from basic SCA?

Dependency intelligence extends SCA with reachability analysis, EPSS exploit probability scoring, and CISA KEV enrichment. Rather than listing every CVE in every dependency, it identifies which vulnerabilities are reachable by your application code and are actively exploited in the wild.

What is reachability analysis in dependency scanning?

Reachability analysis determines whether your application actually calls the vulnerable code path in a dependency. A CVE in a library function you never call is low risk; one in a function your hot path invokes is high risk. Reachability reduces alert fatigue by surfacing only the CVEs that matter.

What is EPSS and why does it matter for vulnerability prioritisation?

EPSS (Exploit Prediction Scoring System) is a daily-updated probabilistic score for each CVE that estimates the likelihood of exploitation in the next 30 days. Combined with CVSS severity, it helps prioritise which vulnerabilities to fix first based on real-world attacker behaviour.
