
Build Log

Building ShipWatch: Captain's Log

May 30, 2026 · 14 min read

[Image: Abstract ship and network visualization]

The Problem ShipWatch Set Out to Solve

Supply chain incidents like Log4Shell and the colors.js/faker.js event made the same problem obvious: teams rarely have a complete picture of what is inside their software.

Security tools often focus on a single dimension. Some scan CVEs. Others show GitHub maintenance signals. Few can unify everything into one actionable view.

ShipWatch was built to combine security, maintenance, and ecosystem health in one scan so teams can act quickly and confidently.

Why Coral Was the Right Foundation

The data needed for dependency intelligence lives in multiple systems: GitHub for activity, OSV for vulnerabilities, and npm for ecosystem signals.

Coral makes this usable by letting you query those sources as one SQL layer. Instead of writing three API clients and a data-merge pipeline, you write one query and let Coral handle the rest.

That shift makes cross-source joins practical, which is the core capability ShipWatch depends on.

The Architecture in Five Steps

ShipWatch is a three-layer system: a Next.js frontend, a FastAPI backend, and the Coral runtime. The backend orchestrates the pipeline from dependency parsing to risk scoring.

The scan pipeline follows five steps: parse dependencies, enrich with Coral data, score risk, generate AI summaries for risky packages, and deliver results to the dashboard.

This structure keeps the system predictable and makes it easy to swap components or improve scoring without rewriting the UI.
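The five pipeline steps above, written out as an added example that is not ShipWatch's own code: a package.json parser, a scoring function that keeps the security, maintenance and ownership dimensions separate, a templated summary standing in for the AI step, and a driver that orders results for the dashboard. The thresholds and weights are hypothetical, the package names are constructed, and the `Enriched` records stand in for whatever the Coral query returns.

```python
import json
from dataclasses import dataclass

# Hypothetical thresholds; the post does not describe ShipWatch's real weights.
STALE_DAYS = 365        # no commit for a year counts as unmaintained
CRITICAL_CVSS = 9.0
HIGH_CVSS = 7.0
RISKY_THRESHOLD = 50    # packages scoring at or above this get a summary


def parse_dependencies(package_json_text: str) -> dict[str, str]:
    """Step 1: pull direct dependencies out of a package.json document.

    Returns {name: declared_range}. Dev dependencies are included because a
    compromised dev dependency still executes on developer and CI machines.
    """
    manifest = json.loads(package_json_text)
    deps: dict[str, str] = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    return deps


@dataclass
class Enriched:
    """Step 2 output: one row per package after the three sources are joined."""
    name: str
    max_cvss: float = 0.0        # OSV: worst known vulnerability
    open_vulns: int = 0          # OSV: count of unfixed advisories
    days_since_commit: int = 0   # GitHub: activity signal
    archived: bool = False       # GitHub: repository archived flag
    maintainers: int = 1         # npm: number of listed maintainers
    deprecated: bool = False     # npm: deprecated flag


def score_risk(pkg: Enriched) -> tuple[int, list[str]]:
    """Step 3: fold security, maintenance and ownership into one 0-100 score.

    Each dimension adds points on its own, so a critical CVE in an actively
    maintained package ranks below the same CVE in an archived one.
    """
    score = 0
    reasons: list[str] = []
    # Security dimension (up to 50 points)
    if pkg.max_cvss >= CRITICAL_CVSS:
        score += 40
        reasons.append(f"critical vulnerability (CVSS {pkg.max_cvss})")
    elif pkg.max_cvss >= HIGH_CVSS:
        score += 25
        reasons.append(f"high vulnerability (CVSS {pkg.max_cvss})")
    if pkg.open_vulns > 1:
        score += min(10, 5 * (pkg.open_vulns - 1))
        reasons.append(f"{pkg.open_vulns} open advisories")
    # Maintenance dimension (up to 30 points)
    if pkg.archived:
        score += 30
        reasons.append("repository archived")
    elif pkg.days_since_commit > STALE_DAYS:
        score += 20
        reasons.append(f"no commits for {pkg.days_since_commit} days")
    # Ownership dimension (up to 20 points)
    if pkg.deprecated:
        score += 10
        reasons.append("deprecated on npm")
    if pkg.maintainers <= 1:
        score += 10
        reasons.append("single maintainer")
    return min(score, 100), reasons


def summarize(pkg: Enriched, score: int, reasons: list[str]) -> str:
    """Step 4: readable summary for risky packages. The post says ShipWatch
    uses an AI model here; this stand-in renders a template from the reasons."""
    return f"{pkg.name} scores {score}/100: " + "; ".join(reasons) + "."


def run_scan(package_json_text: str, enrichment: dict[str, Enriched]) -> list[dict]:
    """Steps 1-5 end to end. Packages missing from `enrichment` (no data from
    any source) are kept in the output rather than silently dropped."""
    results = []
    for name, declared in parse_dependencies(package_json_text).items():
        pkg = enrichment.get(name)
        if pkg is None:
            results.append({"name": name, "range": declared, "score": None,
                            "reasons": ["no data from sources"]})
            continue
        score, reasons = score_risk(pkg)
        entry = {"name": name, "range": declared, "score": score, "reasons": reasons}
        if score >= RISKY_THRESHOLD:
            entry["summary"] = summarize(pkg, score, reasons)
        results.append(entry)
    # Step 5: the dashboard shows the worst first; unknowns sort last.
    results.sort(key=lambda r: (r["score"] is None, -(r["score"] or 0)))
    return results


# Constructed sample input; package names are fictional.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {"example-pad": "^1.3.0", "example-parser": "~2.0.1"},
  "devDependencies": {"example-lint": "4.1.0"}
}"""

SAMPLE_ENRICHMENT = {
    "example-pad": Enriched("example-pad", max_cvss=9.8, open_vulns=1,
                            days_since_commit=800, archived=True, maintainers=1),
    "example-parser": Enriched("example-parser", max_cvss=7.5, open_vulns=2,
                               days_since_commit=12, maintainers=4),
    "example-lint": Enriched("example-lint", days_since_commit=40, maintainers=2),
}

if __name__ == "__main__":
    for row in run_scan(SAMPLE_PACKAGE_JSON, SAMPLE_ENRICHMENT):
        print(row)
```

Keeping the three dimensions as separate point buckets is what makes the later "critical CVE and no maintenance" question answerable from the score breakdown rather than from a single opaque number.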

What I Learned Along the Way

Cross-source joins are the real superpower. A question like "show me packages with critical CVEs and no maintenance" cannot be expressed as a single query against traditional per-service APIs; it takes one client per source plus a merge step, whereas here it is one SQL statement.
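The join described above, as an added example rather than Coral's actual schema or query syntax: three constructed tables standing in for npm, OSV and GitHub in an in-memory SQLite database, and one SQL statement that answers "critical CVE and no maintenance". The table and column names, the package names and the advisory ids are all assumptions made for this illustration.

```python
import sqlite3
from datetime import date, timedelta

# Assumed schema for the three sources; Coral's real source specs are not shown in the post.
SCHEMA = """
CREATE TABLE npm_packages (name TEXT PRIMARY KEY, repo TEXT, weekly_downloads INTEGER);
CREATE TABLE osv_vulns    (id TEXT PRIMARY KEY, package TEXT, severity TEXT, fixed_in TEXT);
CREATE TABLE github_repos (repo TEXT PRIMARY KEY, pushed_at TEXT, archived INTEGER);
"""

TODAY = date(2026, 5, 30)  # fixed so the example is deterministic


def days_ago(n: int) -> str:
    return (TODAY - timedelta(days=n)).isoformat()


# Constructed sample rows; package names and advisory ids are fictional.
NPM = [
    ("example-pad", "acme/example-pad", 120000),
    ("example-parser", "acme/example-parser", 50000),
    ("example-lint", "acme/example-lint", 9000),
    ("example-zip", "acme/example-zip", 3000),
]
OSV = [
    ("EXAMPLE-2026-0001", "example-pad", "CRITICAL", None),     # unfixed
    ("EXAMPLE-2026-0002", "example-parser", "CRITICAL", None),  # unfixed, but repo is active
    ("EXAMPLE-2026-0003", "example-zip", "HIGH", None),         # stale repo, but not critical
]
GITHUB = [
    ("acme/example-pad", days_ago(800), 1),     # archived
    ("acme/example-parser", days_ago(12), 0),   # pushed recently
    ("acme/example-lint", days_ago(40), 0),
    ("acme/example-zip", days_ago(500), 0),
]


def build_db() -> sqlite3.Connection:
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO npm_packages VALUES (?, ?, ?)", NPM)
    conn.executemany("INSERT INTO osv_vulns VALUES (?, ?, ?, ?)", OSV)
    conn.executemany("INSERT INTO github_repos VALUES (?, ?, ?)", GITHUB)
    return conn


# One statement across all three sources: unfixed critical advisory AND
# (archived repository OR no push since the cutoff date).
QUERY = """
SELECT p.name, v.id, g.pushed_at, g.archived
FROM npm_packages p
JOIN osv_vulns v    ON v.package = p.name
JOIN github_repos g ON g.repo = p.repo
WHERE v.severity = 'CRITICAL'
  AND v.fixed_in IS NULL
  AND (g.archived = 1 OR g.pushed_at < :cutoff)
ORDER BY p.weekly_downloads DESC
"""


def critical_and_unmaintained(conn: sqlite3.Connection, stale_days: int = 365,
                              today: date = TODAY) -> list[dict]:
    """Return packages matching the join, most-downloaded first.

    ISO-8601 date strings compare correctly as text, which is why the
    cutoff can be passed as a plain string parameter.
    """
    cutoff = (today - timedelta(days=stale_days)).isoformat()
    cols = ("name", "advisory", "pushed_at", "archived")
    return [dict(zip(cols, row)) for row in conn.execute(QUERY, {"cutoff": cutoff})]


if __name__ == "__main__":
    db = build_db()
    for hit in critical_and_unmaintained(db):
        print(hit)
```

Note how the maintenance threshold changes the answer: with the default one-year cutoff only the archived package matches, while a much tighter cutoff also pulls in the package whose repository was pushed to twelve days ago. That threshold is a policy decision, and it belongs in the query rather than scattered across API clients.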

Source specs are surprisingly ergonomic. Once the DSL pattern clicks, integrating a new API becomes a focused task instead of a major engineering effort.

Most importantly, supply chain risk is multidimensional. A safe system is not just one with fewer CVEs, but one with maintained dependencies and clear ownership.

Practical Takeaways

If you are building a supply chain tool, start with data unification. Insights come from correlation, not isolated signals.

Automate the boring parts so teams can focus on decisions. The faster you can answer "where are we exposed?", the better your response will be.

ShipWatch exists to make dependency visibility a default, not a special project. That is the only sustainable way to manage supply chain risk.