Supply Chain
Know what’s in your software.
Agents resolve your full dependency graph, catch malicious and vulnerable packages before they ship, and keep an audit-ready SBOM current — automatically.
How it works
Resolve. Inspect. Fix.
Resolve
Connect a repository and agents parse your lockfiles into the complete dependency graph — every direct and transitive package, across every ecosystem you ship.
Inspect
Each package is checked against malware intelligence, known advisories, and your license policy — then matched to whether your own code actually reaches it.
Fix
Every finding ships with the safe version and a pull request that bumps it, so you patch in one click and re-scan the graph instantly.
Why Parameter
The graph, not the guesswork.
Most supply chain tools hand you every advisory in the tree and call it coverage. Parameter only raises what an attacker can actually reach — and ships the fix with it.
Reachability, not a CVE dump
Most scanners flag every advisory in your tree. Parameter traces whether your code can actually reach the vulnerable path, so the queue is short and every entry is real.
Malware caught at install time
Install scripts, obfuscated payloads, and typosquats are inspected before they ever run in CI — the attacks that signature databases miss until it's too late.
An SBOM that never goes stale
A signed CycloneDX and SPDX inventory is regenerated on every push, so what you attest to your customers always matches what you actually shipped.
Scanners
One platform. Your whole dependency tree.
Vulnerabilities ranked by what you run
Agents resolve the full graph and check every package against known advisories — then trace reachability, so a CVE buried in an unused transitive dependency never pages your team.
Coverage
Every ecosystem you ship.
JavaScript & TypeScript
npm, Yarn, pnpm, and Bun lockfiles.
Python
pip, Poetry, and uv with full transitive resolution.
Go
Go modules and go.sum, including replace directives.
Java & Kotlin
Maven and Gradle dependency trees.
Containers
Base images and OS packages in your Dockerfiles.
Rust, Ruby & PHP
Cargo, Bundler, and Composer manifests.
FAQ
Questions, answered.
Those tools alert on every advisory in your dependency tree and leave you to triage hundreds of them. Parameter resolves the full graph and traces reachability — it only raises a vulnerability when your code can actually reach the affected path, and every finding arrives with the safe version and a pull request attached.
Agents follow the call paths from your own source into each dependency. If nothing you ship ever invokes the vulnerable function, the advisory is filtered out of your queue and noted as unreachable rather than escalated. The result is a short list of risks that genuinely matter.
Both. Beyond known advisories, agents inspect install scripts and package contents for obfuscation, credential exfiltration, and typosquatting — the install-time attacks that have no CVE yet. Suspicious packages are blocked before they run in CI.
JavaScript/TypeScript (npm, Yarn, pnpm, Bun), Python (pip, Poetry, uv), Go, Java and Kotlin (Maven, Gradle), plus Rust, Ruby, and PHP. Container base images and their OS packages are scanned too.
It fixes them. Each finding ships with the minimal safe upgrade, opened as a pull request against your repository. You review, merge, and Parameter re-resolves the graph to confirm the risk is gone.
Yes. Parameter generates a signed, attested SBOM in CycloneDX and SPDX on every push, satisfying SOC 2, ISO 27001, and federal SBOM requirements. The same inventory powers your customer-facing trust center.
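As an added illustration of the graph resolution and reachability triage described in the FAQ above (example code, not Parameter's own): a constructed npm package-lock.json v3 fragment is walked into its full transitive graph, and constructed advisories are raised only when a constructed call graph from the application entry point reaches the vulnerable function. All package names, versions and function names are made up, and a flat (hoisted) node_modules layout is assumed.

```python
import json
from collections import deque

# Constructed npm package-lock.json v3 fragment ("packages" keyed by node_modules path; flat tree assumed).
LOCKFILE = json.loads("""{"packages": {
  "": {"dependencies": {"web-framework": "1.2.0", "yaml-parser": "3.0.1"}},
  "node_modules/web-framework": {"version": "1.2.0", "dependencies": {"cookie-util": "0.4.0"}},
  "node_modules/cookie-util": {"version": "0.4.0"},
  "node_modules/yaml-parser": {"version": "3.0.1", "dependencies": {"deep-merge": "2.1.0"}},
  "node_modules/deep-merge": {"version": "2.1.0"}}}""")
# Constructed advisories: package -> (affected version, vulnerable function).
ADVISORIES = {"cookie-util": ("0.4.0", "cookie-util.parse"),
              "deep-merge": ("2.1.0", "deep-merge.merge")}
# Constructed call graph (app code plus library internals): caller -> callees.
CALL_GRAPH = {"app.main": ["web-framework.listen", "yaml-parser.load"],
              "web-framework.listen": ["cookie-util.parse"],
              "yaml-parser.load": ["yaml-parser.tokenize"]}  # deep-merge.merge is never called

def resolve_graph(lock):
    """Walk the lock from the root entry to every direct and transitive package."""
    pkgs = lock["packages"]
    resolved, todo = {}, deque(pkgs[""]["dependencies"])
    while todo:
        name = todo.popleft()
        if name not in resolved:
            entry = pkgs[f"node_modules/{name}"]
            resolved[name] = entry["version"]
            todo.extend(entry.get("dependencies", {}))
    return resolved

def reachable_functions(call_graph, entry="app.main"):
    """Every function transitively callable from the application entry point."""
    seen, todo = set(), deque([entry])
    while todo:
        fn = todo.popleft()
        if fn not in seen:
            seen.add(fn)
            todo.extend(call_graph.get(fn, []))
    return seen

def triage(lock=LOCKFILE, advisories=ADVISORIES, call_graph=CALL_GRAPH):
    """Split advisories on installed packages into reachable vs. unreachable."""
    installed = resolve_graph(lock)
    reached = reachable_functions(call_graph)
    reachable, unreachable = [], []
    for pkg, (bad_version, vuln_fn) in advisories.items():
        if installed.get(pkg) == bad_version:  # ignore versions that are not installed
            (reachable if vuln_fn in reached else unreachable).append(pkg)
    return sorted(reachable), sorted(unreachable)
```

Only the cookie-util advisory is escalated; the deep-merge one is installed at the affected version but filtered out as unreachable, which is the queue-shortening behaviour the FAQ describes.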
See your dependency graph in minutes.
Connect a repository and get a reachability-ranked queue, install-time malware detection, and a signed SBOM — with a fix attached to every finding.