Live scanning
See risks appear in real time
Server-sent events (SSE) stream every package as it is analyzed, so teams can follow progress without waiting for the full scan to finish.
- Streaming status updates for every dependency
- Progress bar and live risk distribution
- Demo-friendly sharing by scan ID
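The streaming model described above, as an added example that is not ShipWatch's own code: the SSE wire format (one `event:`/`data:` record per analyzed package, terminated by a blank line), a server-side generator whose event ids are tied to the scan ID so a reconnecting client can send `Last-Event-ID`, and a client-side parser that keeps progress and the live risk distribution even when events are split across network chunks. Event names, JSON fields, bucket thresholds and the sample packages are assumptions made for illustration.

```python
"""Added example (not ShipWatch code): the server-sent events wire format a
live scan stream would use, a server-side generator, and a client-side parser
that survives events split across network chunks. Event names and JSON fields
are assumptions made for illustration."""
import json


def format_event(event, data, event_id=None):
    """Serialise one SSE event: 'field: value' lines ended by a blank line.
    json.dumps emits a single line, so one 'data:' line is enough; a payload
    containing newlines would have to be split across several 'data:' lines."""
    lines = [] if event_id is None else [f"id: {event_id}"]
    lines += [f"event: {event}", f"data: {json.dumps(data)}"]
    return "\n".join(lines) + "\n\n"


def scan_stream(scan_id, packages):
    """What the server writes to the response: one 'package' event per analysed
    dependency, then a terminal 'done' event. Ids are '<scan_id>:<seq>', so a
    client that reconnects sends Last-Event-ID and the server can resume at seq."""
    total = len(packages)
    for seq, (name, version, risk) in enumerate(packages, 1):
        body = {"name": name, "version": version, "risk": risk, "progress": [seq, total]}
        yield format_event("package", body, f"{scan_id}:{seq}")
    yield format_event("done", {"scan_id": scan_id, "total": total})


class SSEParser:
    """Incremental client-side parser: feed() arbitrary chunks, get complete events."""

    def __init__(self):
        self.buf = ""
        self.last_event_id = None  # value to send as Last-Event-ID on reconnect

    def feed(self, chunk):
        self.buf += chunk
        events = []
        while "\n\n" in self.buf:  # a blank line closes an event
            raw, self.buf = self.buf.split("\n\n", 1)
            ev = {"event": "message", "id": None, "data": []}
            for line in raw.split("\n"):
                if not line or line.startswith(":"):
                    continue  # comment lines double as keepalives
                field, _, value = line.partition(":")
                value = value[1:] if value.startswith(" ") else value
                if field == "data":
                    ev["data"].append(value)
                elif field == "event":
                    ev["event"] = value
                elif field == "id":
                    ev["id"] = self.last_event_id = value
            ev["data"] = "\n".join(ev["data"])
            events.append(ev)
        return events


def bucket(risk):
    """Map a 0-10 risk score to the distribution bucket shown on the progress bar (assumed cut-offs)."""
    return "critical" if risk >= 9.0 else "high" if risk >= 7.0 else "medium" if risk >= 4.0 else "low"


def follow_scan(chunks):
    """Consume the chunked stream and return progress and the live risk distribution."""
    parser, seen, total, done = SSEParser(), 0, None, False
    dist = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for chunk in chunks:
        for ev in parser.feed(chunk):
            body = json.loads(ev["data"])
            if ev["event"] == "package":
                seen, total = body["progress"]
                dist[bucket(body["risk"])] += 1
            elif ev["event"] == "done":
                done = True
    return {"seen": seen, "total": total, "done": done,
            "distribution": dist, "last_event_id": parser.last_event_id}


# Constructed sample scan: three dependencies with made-up risk scores.
SAMPLE = [("pkg-a", "1.0.0", 1.2), ("pkg-b", "2.3.1", 7.4), ("pkg-c", "0.9.0", 9.8)]


def demo(chunk_size=37):
    """Split the stream into uneven chunks so events straddle chunk boundaries."""
    text = "".join(scan_stream("scan-42", SAMPLE))
    return follow_scan(text[i:i + chunk_size] for i in range(0, len(text), chunk_size))
```

The parser buffers until it sees the blank line that terminates an event, which is what makes the client robust to a proxy or TCP stack delivering half an event; the `last_event_id` it records is what a browser `EventSource` would send back on reconnect, so a resumable stream only needs the server to honour the sequence number after the colon.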
Scan stream
Risk scoring
CVSS-grounded scoring with confidence
Security, maintenance, and ecosystem signals roll into a single 0-10 score with a confidence badge, so teams can see when the data behind a score is thin and they should dig deeper.
- Numeric CVSS scores extracted from OSV advisories
- OpenSSF Scorecard health signals
- Confidence indicator for missing data
Score breakdown
Fix recommendations
Actionable fixes your team can ship
Copy-ready upgrade commands and safe-version guidance keep remediation steps short and clear.
- Copy-paste upgrade commands
- Recommended safe versions
- Context on breaking changes
Fix card
GitHub issues
Turn findings into tracked work
Generate GitHub issues with context, owners, and fix guidance so the right team can act quickly.
- Pre-filled issue templates
- Attach scan metadata
- Assign to repo owners
Issue template
Policy engine
Define what is allowed to ship
Set thresholds for risk, maintenance, and license signals so teams can enforce policy consistently.
- Block critical risk packages
- Alert on low maintenance scores
- License conflict detection
Policy rule
SBOM export
Compliance-ready SBOMs
Export CycloneDX SBOMs to meet compliance, procurement, and audit requirements.
- CycloneDX JSON export
- One click download
- Attach to release workflows
SBOM export
CI gate
Protect every release
Drop a GitHub Action into your pipeline and block releases that exceed your risk threshold.
- Fail the build on high risk
- Export reports into artifacts
- Send results to Slack
Action snippet
MCP integration
Query scans from your editor
Use the ShipWatch MCP (Model Context Protocol) server to explore scan data from your IDE or AI assistant.
- Ask questions about dependencies
- Filter by risk or license
- Export findings on demand
MCP query