Apache 2.0  ·  Python 3.11+

SBOMs are just dumb reports... without depscore

Your SBOM tells you what's in your software.
depscore tells you how risky each of those dependencies actually is.


An SBOM is a manifest.
Not an answer.

  • You have 200 dependencies. Your SBOM lists all of them. None of them have a risk score.
  • That library last touched in 2019? Your SBOM just says it's there.
  • Log4j 2 sat in countless SBOMs long before Log4Shell was disclosed. The listing alone said nothing about the risk.
"Your SBOM is basically a grocery receipt. A really long one. With zero nutritional information."

depscore turns receipts into risk reports.

  • Every dependency scored 0–100 across 4 risk dimensions — automatically.
  • Real data from GitHub, OSV, OpenSSF Scorecard, and package registries.
  • Claude AI synthesizes signals into nuanced scores with written reasoning per package.
Output: JSON report + interactive HTML dashboard. No server required.

What depscore actually measures

Four dimensions. One overall score. Letter grade per dependency.

🛡️ Security Posture (35%)
   CVE history & severity, SECURITY.md presence, branch protection, signed commits, OpenSSF Scorecard.
   Sources: OSV · OpenSSF · GitHub

🔧 Maintainability (30%)
   Commit recency & frequency, PR response time, bus factor (contributor concentration).
   Sources: GitHub API

🌱 Maturity (20%)
   Version stability, project age, release cadence, download adoption across registries.
   Sources: PyPI · npm · Maven · NuGet · Libraries.io

🌐 Community Health (15%)
   Contributor diversity, geographic & corporate concentration, SourceRank.
   Sources: GitHub · Libraries.io

Letter grade (from the overall 0–100 score):
  A  80–100
  B  65–79
  C  50–64
  D  35–49
  F  0–34

Three steps to a risk report

Works with any SBOM tool. Takes minutes, not weeks.

01  Generate your SBOM
    Use Syft, Trivy, or any CycloneDX/SPDX-compatible tool to produce a JSON SBOM from your codebase or container image.
    syft dir:. -o cyclonedx-json > sbom.json

02  Run depscore scan
    depscore enriches every dependency in parallel (GitHub, OSV, Scorecard, registries), then scores with rules + Claude AI.
    depscore scan --sbom sbom.json --html

03  Act on the report
    JSON report + interactive HTML dashboard. Sort by risk, drill into CVEs, read the AI reasoning per package. Know what to fix first.
    open depscore-output/depscore-report.html   # macOS; use xdg-open on Linux

Powered by real data from 8 authoritative sources

depscore enriches every dependency before scoring — no guessing.

⚡ GitHub API 🔐 OpenSSF Scorecard 🐛 OSV Database 📦 Libraries.io 🐍 PyPI 📦 npm ☕ Maven Central 🟣 NuGet

Get started in 60 seconds

Requirements: Python 3.11+. Needs a GitHub token and an Anthropic API key (the Anthropic key can be skipped with --no-ai).

# Clone and install
git clone https://github.com/jaredmladner/depscore.git
cd depscore && pip install .

# Configure API keys
cp .env.example .env
# Edit .env: add GITHUB_TOKEN and ANTHROPIC_API_KEY

# Generate an SBOM with Syft, then score it
syft dir:. -o cyclonedx-json > sbom.json
depscore scan --sbom sbom.json --html

# Or run the published container instead of installing locally
docker run --rm \
  -e GITHUB_TOKEN=$GITHUB_TOKEN \
  -e ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY \
  -v "$(pwd)/sbom.json":/sbom/sbom.json:ro \
  -v "$(pwd)/report":/output \
  ghcr.io/jaredmladner/depscore:latest \
  scan --sbom /sbom/sbom.json --output /output --html

# No Anthropic key needed: free, fast, deterministic
depscore scan --sbom sbom.json --no-ai --html
💡 No Anthropic API key? Use --no-ai for free rules-based scoring with no AI cost.
💰 API cost estimate: ~$0.03–$0.05 for 10 deps · ~$0.30–$0.50 for 100 deps using claude-sonnet-4-6.