Deep Dependency Scanning

Most SCA tools stop at dependency depth 50-60. Real applications have transitive chains that go much deeper — and attackers know that. Safeguard scans to depth 100 levels, which is enough to reach the bottom of every real-world production codebase we've seen.

Why Depth Matters

Consider a typical Node.js service:

• your-app → 30 direct dependencies
• Each direct → 5-15 transitive → ~300 packages at level 2
• Level 3: ~1,500 packages
• Level 4-6: tens of thousands of unique components
• Level 7+: long tail — utility packages, build tools, shims

The vulnerable code in a real attack — SolarWinds SUNBURST, the xz-utils backdoor, many npm malware campaigns — was almost always several levels deep. Tools that only scan shallow trees missed them.

What Safeguard Does

Safeguard walks every edge in the resolved dependency graph up to level 100. At each node:

• Resolves purl and version against the vulnerability knowledge graph.
• Computes license and provenance.
• Feeds the node into reachability analysis (see Reachability).
• Captures the full path from root to leaf so you can trace why a dependency is present.

Performance optimizations:

• Shared subgraphs are deduplicated (a library used by 100 dependencies is resolved once, not 100 times).
• Negative caches for "no known vulnerabilities" paths.
• Feed-driven rescoring so depth 100 scans don't re-traverse on every CVE update.

Typical scan times:

• Small project (< 500 nodes): < 1 second
• Medium project (5,000 nodes): 3-5 seconds
• Large monorepo (50,000+ nodes): 15-45 seconds

Supported Ecosystems

Deep scanning works across:

• npm / pnpm / Yarn — resolves workspaces, peer deps, optional deps.
• PyPI — resolves requirements.txt, pyproject.toml, Pipfile, uv.lock, poetry.lock.
• Maven / Gradle — resolves pom.xml, build.gradle, lockfiles.
• Go modules — resolves go.mod and go.sum.
• Cargo — resolves Cargo.toml and Cargo.lock.
• NuGet — resolves packages.lock.json and .csproj.
• Composer — resolves composer.lock.
• Ruby Bundler — resolves Gemfile.lock.
• Container layers — reads binaries and package metadata inside layers.

Transitive Path Visualization

In the ESSCM UI, click a finding to see the full transitive path:

your-app
  └─ @company/tools @2.1.0
     └─ lodash @4.17.21      ← vulnerable here (CVE-2021-23337)

The UI explains:

• The chain of imports that pulls in the vulnerable package.
• Whether the chain is reachable (from reachability analysis).
• Whether any alternative path exists.
• What the safe version would be, and what other transitive changes that version would introduce.

Dependency-Confusion Detection

Deep scanning cross-references every resolved package against:

• Your internal package registries.
• The top-N public registries.
• Known typosquat patterns (via Eagle, see AI Models).

If a public package masquerades as an internal one, or an install pulled from the wrong registry, you get a finding tagged dependency-confusion.

Unused Dependency Detection

Deep scanning also produces a reverse signal: packages present in your dependency tree but never imported. These are candidates for removal — every removed package reduces attack surface without code changes.

Run:

safeguard deps unused --project my-api

Policy Hooks

Depth is available as a policy signal:

rules:
  - id: no-dep-below-level-50
    condition: any(components, depth > 50 AND vulnerabilities.critical > 0)
    effect: BLOCK

Or enforce a maximum total depth for new additions:

  - id: warn-on-deepening
    condition: delta.max_depth > prev.max_depth + 10
    effect: WARN

API

safeguard scan --project my-api --depth 100
safeguard graph query --cypher "MATCH p=(a {name:'my-api'})-[:DEPENDS*..100]->(b {name:'lodash'}) RETURN p"

Comparison With Other Tools

Depth alone isn't the goal — the goal is not missing CVEs that hide deep. 40 extra levels catches the edge cases that real supply chain attacks exploit.

Related

• Reachability Analysis — combine depth with call-graph filtering.
• Continuous Scanning — scans re-run on every feed update.
• Vulnerabilities — the UI surface for findings.
• OSM — open-source intelligence over the dependency graph.