Cyber Tool Stack
All tools
SCAOpen source · Apache-2.0

OWASP Dependency-Check

Community project

A free command-line and build-plugin SCA tool that matches project dependencies against the National Vulnerability Database and other feeds. Led by its original creator, it remains actively released, though its canonical repository moved to a new GitHub organization in 2025 after years under the maintainer's personal account.

Verified Source: 1

Product type
Community project
Deployment
CLI
Organization size
IndividualSMBMid-marketEnterprise
Pricing tier
Free

Capability checklist

SCA

How OWASP Dependency-Check measures up against the full Software Composition Analysis & Supply Chain Security taxonomy.

Dependency vulnerability scanning — supported
Flags known CVEs in direct and transitive open-source dependencies.
License compliance — not supported
Detects and enforces policy on open-source license obligations.
SBOM generation — supported
Produces standardized SPDX or CycloneDX software bills of materials.
Malicious package detection — not supported
Flags typosquatting and known-malicious packages in the dependency chain.
CI/CD gating — not supported
Blocks builds or pull requests that introduce new vulnerable or noncompliant packages.
Reachability analysis — not supported
Determines whether a vulnerable code path is actually invoked, to cut noise from unused code.
IaC & container config scanning — not supported
Scans infrastructure-as-code templates and container configurations for misconfigurations alongside application code.

Alternatives

Other Software Composition Analysis & Supply Chain Security tools with overlapping capabilities, sized for similar teams.

Appears in stacks

Real-world stacks that include OWASP Dependency-Check.

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.