SBOM / dependencies
It-Depends
Dependency-graph and SBOM builder for packages and arbitrary source repositories.
View on GitHub
trailofbits/it-depends
Best for
Understanding third-party exposure before software ships.
Surface
SBOM / dependencies
Catalog group
Verify supply chains and enforce engineering policy
Repository
trailofbits/it-depends
From the README
It-Depends is a tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories. It supports Go, JavaScript, Rust, Python, C/C++ (cmake and autotools), and Ubuntu packages.
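To make the "dependency graph, then SBOM" idea concrete, here is a small added example of the shape of that pipeline. It is illustrative code written for this page, not It-Depends' own implementation: it parses two constructed manifests (a requirements.txt and a package.json), resolves their transitive closure against a hypothetical in-memory REGISTRY standing in for the PyPI/npm lookups or lockfiles a real tool would consult, emits a minimal CycloneDX-shaped document keyed by Package URLs, and flags the direct dependencies whose version specs are allowed to float. The manifests, package versions and edges are all made up for the example.

```python
"""Toy dependency-graph -> SBOM builder (added example, not It-Depends code)."""
import json
import re
from typing import Dict, List, Set, Tuple

Node = Tuple[str, str]  # (ecosystem, package name)

# Constructed sample manifests; these are not from any real project.
REQUIREMENTS_TXT = """\
# pinned, ranged and unversioned entries on purpose
requests==2.31.0
urllib3>=1.26
certifi
"""
PACKAGE_JSON = json.dumps({
    "name": "webapp", "version": "1.0.0",
    "dependencies": {"express": "^4.18.2", "lodash": "4.17.21"},
})

# Hypothetical resolved metadata standing in for a registry or lockfile lookup;
# a real tool resolves these from PyPI/npm, the build system, or lockfiles.
REGISTRY: Dict[Node, dict] = {
    ("pypi", "requests"): {"version": "2.31.0", "deps": ["urllib3", "certifi"]},
    ("pypi", "urllib3"): {"version": "2.2.1", "deps": []},
    ("pypi", "certifi"): {"version": "2024.2.2", "deps": []},
    ("npm", "express"): {"version": "4.18.2", "deps": ["body-parser"]},
    ("npm", "body-parser"): {"version": "1.20.2", "deps": []},
    ("npm", "lodash"): {"version": "4.17.21", "deps": []},
}

_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;#]*)")


def parse_requirements(text: str) -> List[Tuple[Node, str, bool]]:
    """Return (node, spec, pinned) per requirement line; only '==' counts as pinned."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        out.append((("pypi", name), f"{op}{ver}" if op else "", op == "=="))
    return out


def parse_package_json(text: str) -> List[Tuple[Node, str, bool]]:
    """npm ranges (^, ~, >=, *, x) float; only an exact x.y.z version is pinned."""
    data = json.loads(text)
    return [(("npm", name), spec, re.fullmatch(r"\d+\.\d+\.\d+", spec) is not None)
            for name, spec in data.get("dependencies", {}).items()]


def build_graph(direct: List[Node]) -> Dict[Node, Set[Node]]:
    """Transitive closure from the direct deps; each node maps to its resolved deps."""
    graph: Dict[Node, Set[Node]] = {}
    stack = list(direct)
    while stack:
        node = stack.pop()
        if node in graph:
            continue
        meta = REGISTRY.get(node)
        if meta is None:
            graph[node] = set()  # unresolved: keep the node rather than drop it silently
            continue
        children = {(node[0], d) for d in meta["deps"]}
        graph[node] = children
        stack.extend(children)
    return graph


def purl(node: Node) -> str:
    """Package URL; no version suffix when the package did not resolve."""
    meta = REGISTRY.get(node)
    return f"pkg:{node[0]}/{node[1]}" + (f"@{meta['version']}" if meta else "")


def to_sbom(graph: Dict[Node, Set[Node]]) -> dict:
    """Minimal CycloneDX-shaped document: component list plus dependency edges."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [{"type": "library", "name": n[1], "purl": purl(n),
                        "version": REGISTRY.get(n, {}).get("version", "")}
                       for n in sorted(graph)],
        "dependencies": [{"ref": purl(n), "dependsOn": sorted(purl(c) for c in graph[n])}
                         for n in sorted(graph)],
    }


def unpinned(direct: List[Tuple[Node, str, bool]]) -> List[str]:
    """Direct dependencies whose spec lets the resolver pick a newer release."""
    return [f"{n[0]}:{n[1]} {spec or '(no spec)'}" for n, spec, pinned in direct if not pinned]


def audit() -> Tuple[dict, List[str]]:
    direct = parse_requirements(REQUIREMENTS_TXT) + parse_package_json(PACKAGE_JSON)
    graph = build_graph([n for n, _, _ in direct])
    return to_sbom(graph), unpinned(direct)


if __name__ == "__main__":
    sbom, floating = audit()
    print(json.dumps(sbom, indent=2))
    print("unpinned direct dependencies:", floating)
```

The two checks worth keeping from this toy are the ones It-Depends-style tooling is used for in practice: the SBOM must list transitive packages (body-parser appears even though only express is declared), and unresolved or floating entries should surface as findings rather than vanish, since a range like `>=1.26` means the artifact you ship may not be the one you reviewed.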
Related tools · Verify supply chains and enforce engineering policy
- rekor-monitor Transparency-log monitoring for Sigstore's Rekor so maintainers can watch for suspicious signing events.
- cargo-unmaintained Identifies unmaintained packages in Rust projects before they quietly become inherited risk.
- Dylint Runs custom Rust lints from dynamic libraries rather than a single fixed lint set.
- semgrep-rules Public Semgrep queries developed during audits, research, and internal engineering work.
- codeql-queries Public CodeQL query packs used to express deeper code and data-flow policies.