Software supply chain security has shifted from an enterprise luxury to a daily operational necessity. Modern applications are rarely written from scratch; they are assembled from hundreds of open-source packages sourced from various public registries. This reliance on external code introduces a silent vector for security risks, where a single compromised or vulnerable dependency can expose an entire infrastructure to exploitation. Developers need a fast, low-friction way to audit these dependencies before they make their way into production builds.

While major platforms offer built-in security alerts, these tools often run late in the development lifecycle or require deep integration into specific hosting platforms. Local development workflows benefit from immediate, pre-commit feedback. A tool that runs locally, supports multiple programming languages, and integrates with modern developer environments can bridge the gap between writing code and maintaining a secure dependency tree.

Enter Deptrust

Deptrust is a Go-based command-line interface (CLI) tool designed to scan software project dependencies for known security vulnerabilities. It acts as a local auditor, querying vulnerability databases to identify risks across a wide array of package managers. Instead of forcing developers to use different security tools for different programming languages, it consolidates this capability into a single executable.

What sets the tool apart is its versatility in how it can be consumed. Beyond operating as a standard CLI tool for terminal users, Deptrust functions as a Model Context Protocol (MCP) server. This allows AI assistants and LLM-powered development tools to directly query the utility for dependency security data. Additionally, it can be integrated as a pre-commit hook or utilized as a custom skill, making it highly adaptable to automated workflows.

Multi-Language Auditing and AI Integration

The most notable design choice in Deptrust is its broad ecosystem support. Rather than specializing in a single language, it targets almost every major package registry in use today. Supported platforms include:

  • Frontend and Node.js: npm
  • Python: PyPI
  • Rust: crates.io
  • Go: Go modules
  • Ruby: RubyGems
  • .NET: NuGet
  • Java: Maven
  • PHP: Packagist
  • Mobile and Systems: pub.dev, CocoaPods, Hex.pm, Hackage
  • CI/CD: GitHub Actions

By covering this breadth of registries, Deptrust serves as a single validation point for polyglot repositories where backend, frontend, and infrastructure-as-code elements coexist.

Another interesting architectural decision is the native MCP server implementation. As AI coding assistants increasingly generate and modify project configuration files, they need a mechanism to verify that the packages they suggest are safe. By running Deptrust as an MCP server, developers can grant their AI editors the ability to self-correct and avoid introducing outdated or vulnerable package versions during code generation.

The tool operates with minimal friction, scanning local lockfiles and manifest files to build a dependency tree, which it then cross-references against vulnerability feeds. Because it is written in Go, the compiled binary is self-contained and runs efficiently without requiring a heavy runtime environment like Node.js or Python on the host machine.

Limitations and Ecosystem Fit

While Deptrust is highly versatile, potential users should consider its current project maturity. With under 100 GitHub stars, it is a relatively young project in the cybersecurity utility space. It competes with established industry giants like Snyk, Aqua Security's Trivy, and OSV-Scanner by Google.

Unlike enterprise platforms that offer complex policy engines, reachability analysis, and automated pull requests for vulnerability remediation, Deptrust focuses on being a lightweight, local-first scanner. It does not feature a centralized web dashboard or team management controls. Organizations requiring complex compliance reporting might find it too minimal, but individual developers or small teams looking for a fast, zero-configuration local scanner will find its simplicity appealing. Furthermore, its reliance on external vulnerability databases means its accuracy is inherently tied to the upstream feeds it queries.

Getting Started

To run Deptrust, you need a working Go environment to build from source, or you can download a pre-compiled binary if available for your platform. The tool requires access to your project's manifest files (such as package-lock.json, go.mod, or requirements.txt) to parse and analyze dependencies. Detailed installation commands, shell completion configurations, and instructions on how to hook the utility into your MCP-compatible AI editors are documented thoroughly on the project's repository.

For developers seeking a fast, multi-language dependency scanner that fits into both terminal workflows and AI-assisted development environments, this Go-based utility offers a lightweight alternative to heavier enterprise scanners. You can explore the codebase, track development, or contribute to the project by visiting the deptrust GitHub repository.