Vekt

Supply Chain Threat Intelligence

Catch supply chain attacks before they reach production.

Vekt scans 22 lockfile formats across 12 package ecosystems against real-time malicious package and vulnerability data. CLI, IDE, and browser extension.


See it in action.

Real output from scanning 221 lockfiles across a production codebase.

$ vekt scan ~/projects
Scanning 221 lockfiles in ~/projects ...
Querying OSV for 14,208 unique packages (69,419 total) ...
SCAN COMPLETE: 221 lockfiles | 69,419 packages | 1,702 findings
CRITICAL: 0 MALICIOUS package(s)
INFO: 1 security-holder placeholder(s)
WARNING: 3,872 known vulnerability(ies)
--> package-lock.json (npm)
HOLDER MAL-2025-21003 [email protected]
registry placeholder, remove from dependencies
--> uv.lock (PyPI)
VULN GHSA-5239-wwwm-4pmq [email protected]
Ecosystems: PyPI, npm, crates.io, Go, Packagist, SwiftURL
Run time: 46.1s

What Vekt detects

Three layers of supply chain defense.

Malicious Packages

Detects confirmed malicious packages flagged with MAL-* advisories from the OSSF malicious-packages database. Credential stealers, crypto miners, backdoors.

MALICIOUS MAL-2025-21003 [email protected]

Known Vulnerabilities

Queries OSV.dev for CVEs, GHSAs, PYSECs, and RustSec advisories across all 12 ecosystems. Real-time data, not a monthly snapshot.

VULN GHSA-xxxx-yyyy [email protected]

Typosquat Detection

Flags packages whose names closely resemble popular packages. Levenshtein distance, character substitution patterns, and scope confusion detection.

TYPOSQUAT Did you mean 'requests'?
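The three heuristics named above (edit distance, character substitution, scope confusion) are easy to misjudge without seeing them run. The block below is an added illustration, not Vekt's code: the popular-package list, the look-alike character map, and the length-scaled distance thresholds are all constructed for the example, and a real scanner would tune them against registry download data.

```rust
// Added example of typosquat heuristics; not Vekt's implementation.
// POPULAR, canonical()'s character map and the thresholds are assumptions.

/// Classic dynamic-programming edit distance (insert/delete/substitute cost 1).
pub fn levenshtein(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    let mut cur = vec![0usize; b.len() + 1];
    for i in 1..=a.len() {
        cur[0] = i;
        for j in 1..=b.len() {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        std::mem::swap(&mut prev, &mut cur);
    }
    prev[b.len()]
}

/// Fold common look-alike substitutions (0/o, 1/l/i, 3/e, 5/s) and the
/// separators registries treat as equivalent, so "requ3sts" compares equal
/// to "requests". Constructed mapping for the example.
fn canonical(name: &str) -> String {
    name.to_ascii_lowercase()
        .chars()
        .map(|c| match c {
            '0' => 'o',
            '1' | 'l' => 'i',
            '3' => 'e',
            '5' => 's',
            '_' | '.' => '-',
            other => other,
        })
        .collect()
}

#[derive(Debug, PartialEq)]
pub enum Finding {
    Exact,                       // the name is itself a popular package
    ScopeConfusion(String),      // "@scope/pkg" mimicked as "scope-pkg" or vice versa
    Substitution(String),        // identical once look-alike characters are folded
    EditDistance(String, usize), // within the edit-distance threshold of a popular name
    Clean,
}

/// Constructed list of "popular" names for the demo; a real scanner would
/// derive this from registry download counts.
pub const POPULAR: &[&str] = &[
    "requests", "numpy", "flask", "lodash", "express", "@babel/core", "@types/node",
];

pub fn check(name: &str, popular: &[&str]) -> Finding {
    if popular.contains(&name) {
        return Finding::Exact;
    }
    // Scope confusion: flatten "@scope/pkg" to "scope-pkg" and compare across
    // the scoped/unscoped boundary only.
    let flat = name.trim_start_matches('@').replace('/', "-");
    for &p in popular {
        let p_flat = p.trim_start_matches('@').replace('/', "-");
        if p.starts_with('@') != name.starts_with('@') && canonical(&flat) == canonical(&p_flat) {
            return Finding::ScopeConfusion(p.to_string());
        }
    }
    // Character substitution: equal after folding look-alikes.
    for &p in popular {
        if canonical(name) == canonical(p) {
            return Finding::Substitution(p.to_string());
        }
    }
    // Edit distance: take the closest popular name, with a threshold that
    // scales with length so five-letter names don't match everything.
    let mut best: Option<(&str, usize)> = None;
    for &p in popular {
        let d = levenshtein(&canonical(name), &canonical(p));
        if best.map_or(true, |(_, bd)| d < bd) {
            best = Some((p, d));
        }
    }
    if let Some((p, d)) = best {
        let max = if p.chars().count() <= 5 { 1 } else { 2 };
        if d <= max {
            return Finding::EditDistance(p.to_string(), d);
        }
    }
    Finding::Clean
}

fn main() {
    for n in ["requests", "reqeusts", "requ3sts", "numpyy", "types-node", "left-pad-ish"] {
        println!("{n:>14} -> {:?}", check(n, POPULAR));
    }
}
```

Ordering matters: the exact-match check comes first so the popular package itself is never flagged, and scope confusion is tested before plain distance because "types-node" is a different package from "@types/node" even though the flattened strings are identical.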

Works everywhere

One scanner. Every surface.

CLI

Scan lockfiles from the terminal. JSON output for scripts and CI. 3.7MB binary, zero dependencies.

IDE / LSP

Yellow squiggles on vulnerable deps, red on malicious. Hover for details, quick-fix to update. Every editor via LSP.

Browser Extension

Trust badge on npm, PyPI, crates.io, and 7 more registries. See maintainers, version history, and provenance before you install.

CI/CD

Block PRs that introduce new vulnerabilities. SARIF output for GitHub Advanced Security. Exit codes for pipelines.

REST API

POST a lockfile, get findings. Per-scan pricing that no one else offers. JSON response, rate limit headers, API key auth.

Fast

69,419 packages scanned in 46 seconds. Parallel parsing, package deduplication, OSV batch API. Rust binary, not a wrapper script.
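The "Known Vulnerabilities" section above says the scanner queries OSV.dev, and this section says the speed comes from deduplicating packages and using the OSV batch API. The block below, added here and not Vekt's code, shows what those two steps look like: collapse the (ecosystem, name, version) triples collected from many lockfiles into a unique set, then serialise each chunk as a request body for OSV's querybatch endpoint. The lockfile entries are constructed; the batch size of 1,000 is an assumed per-request cap, not a figure taken from this page; and no network call is made, so the body is returned as a string.

```rust
// Added example: package deduplication and OSV querybatch request bodies.
// Not Vekt's code. Sample entries are constructed; the batch cap is assumed.
use std::collections::BTreeSet;

#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Package {
    pub ecosystem: String, // OSV ecosystem name, e.g. "npm", "PyPI", "crates.io"
    pub name: String,
    pub version: String,
}

impl Package {
    pub fn new(ecosystem: &str, name: &str, version: &str) -> Self {
        Package { ecosystem: ecosystem.into(), name: name.into(), version: version.into() }
    }
}

/// Constructed input standing in for three lockfiles with overlapping deps.
pub fn sample_lockfile_entries() -> Vec<Package> {
    vec![
        Package::new("npm", "lodash", "4.17.21"),      // first package-lock.json
        Package::new("npm", "minimist", "1.2.5"),
        Package::new("npm", "lodash", "4.17.21"),      // second package-lock.json (duplicate)
        Package::new("npm", "minimist", "1.2.8"),      // same name, different version: distinct query
        Package::new("PyPI", "jinja2", "3.1.2"),       // uv.lock
        Package::new("PyPI", "jinja2", "3.1.2"),       // poetry.lock (duplicate)
        Package::new("crates.io", "serde", "1.0.197"), // Cargo.lock
    ]
}

/// Collapse every triple seen across all lockfiles into the unique set that
/// actually needs to be sent to OSV (the "14,208 unique of 69,419" step).
pub fn dedup(all: &[Package]) -> Vec<Package> {
    all.iter().cloned().collect::<BTreeSet<_>>().into_iter().collect()
}

/// Minimal JSON string escaping; enough for package names and versions.
fn json_str(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// Body for POST https://api.osv.dev/v1/querybatch. The response carries a
/// "results" array in the same order as "queries"; each entry holds a "vulns"
/// list of {id, modified}, so keep the batch order to map findings back.
pub fn querybatch_body(batch: &[Package]) -> String {
    let queries: Vec<String> = batch
        .iter()
        .map(|p| {
            format!(
                "{{\"package\":{{\"name\":{},\"ecosystem\":{}}},\"version\":{}}}",
                json_str(&p.name),
                json_str(&p.ecosystem),
                json_str(&p.version)
            )
        })
        .collect();
    format!("{{\"queries\":[{}]}}", queries.join(","))
}

/// Split the unique set into request bodies of at most `size` queries each.
pub fn batches(unique: &[Package], size: usize) -> Vec<String> {
    unique.chunks(size.max(1)).map(querybatch_body).collect()
}

fn main() {
    let all = sample_lockfile_entries();
    let unique = dedup(&all);
    println!("{} entries -> {} unique packages", all.len(), unique.len());
    // ASSUMED cap of 1,000 queries per request; check OSV's current documentation.
    for (i, body) in batches(&unique, 1000).iter().enumerate() {
        println!("batch {}: {}", i, body);
    }
}
```

Two details a practitioner tends to want spelled out: querybatch results are positional, so the batch order must be retained to attribute vulnerabilities to packages, and the batch response only returns advisory ids and modification times; severity and affected ranges need a follow-up lookup of each id.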

12 ecosystems. 22 formats.

Every major package manager, parsed natively in Rust.

Ecosystems: npm, PyPI, crates.io, Go, RubyGems, Packagist, NuGet, Pub, Swift, Hex, Hackage, CRAN

Lockfile formats: uv.lock, requirements.txt, poetry.lock, Pipfile.lock, package-lock.json, bun.lock, yarn.lock, pnpm-lock.yaml, Cargo.lock, go.sum, Gemfile.lock, composer.lock, pubspec.lock, Package.resolved, mix.lock, rebar.lock, packages.lock.json, cabal.project.freeze, stack.yaml.lock, renv.lock, pdm.lock, pixi.lock

Simple pricing.

Per-scan API pricing. No seat-based licensing.

Free ($0)

50 scans per day

  • All 12 ecosystems
  • 22 lockfile formats
  • JSON + human output
  • CLI + API access
Pro ($9 /mo)

5,000 scans per month

  • Everything in Free
  • Trust scoring
  • Webhook alerts
  • Priority support
Team ($29 /mo)

25,000 scans per month

  • Everything in Pro
  • Team dashboard
  • Priority API
  • README badge

Overage: $0.005/scan beyond your plan limit. Full pricing details

Start scanning for free.

50 scans per day. No credit card. Install the CLI or hit the API -- your dependencies deserve a second opinion.