Dependencies
Track third-party package vulnerabilities across the repos your agent watches, with advisories surfaced alongside the dependency graph that pulled them in.
Overview
Cygent's Dependencies tab is a separate pipeline from CARA findings. Findings come from auditing your own code; advisories come from public security feeds matched against the dependency manifests of the repos your agent watches.
Open the Dependencies tab on an instance to see it: a repo sidebar on the left, an advisories panel on the right, and an optional dependency visualization (tree or treemap) for tracing how a vulnerable package ended up in your project.
Supported ecosystems
| Ecosystem | Advisories |
|---|---|
| npm | yes |
| pypi | yes |
| cargo | yes |
| go | yes |
| foundry-lib | yes |
| aptos-move | inventory only |
| sui-move | inventory only |
For aptos-move and sui-move, Cygent parses your manifests and renders the dependency graph, but no advisory feed covers those ecosystems yet — so you'll see what's installed without advisories attached.
When scans happen
| Trigger | Scope |
|---|---|
| Weekly | Every selected repo on the instance is rescanned automatically once a week |
| Manual rescan | Click Rescan on a repo in the Dependencies tab — useful after bumping a package |
| Repo add | A newly added repo gets scanned automatically |
| GitHub push | A push that changes a manifest triggers a partial rescan of the affected paths |
If you've just heard about a CVE you suspect affects you and don't want to wait for the next weekly run, hit Rescan to pull the latest advisories immediately.
Advisory states
| State | Meaning |
|---|---|
| Open | Active, in your work queue. The default state for a freshly matched advisory. |
| Acknowledged | You've seen it. Still open, just visually separated from the "new" pile. |
| Resolved | The affected version is no longer present (auto-resolved on the next scan) or you marked it resolved manually. |
| Dismissed / won't fix | You consciously chose not to act on it. Terminal unless the advisory re-matches later, in which case it reopens. |
If a previously resolved or dismissed advisory matches again on a later scan, it reopens — the prior closed state means you made a deliberate decision, so a new match is worth surfacing.
What an advisory tells you
Click any row in the advisories panel to open the detail drawer:
| Field | What it shows |
|---|---|
| Title + identifier | The CVE/GHSA/source id and a short title |
| Severity | Critical / High / Medium / Low — taken from the upstream source |
| Affected package + range | The package name and which versions are vulnerable |
| Suggested fix | The fixed version (when published by upstream) |
| Affected paths | For every manifest where the bad version is pulled in: the manifest path, whether the package is a direct or transitive dep, and the parent chain |
| Event log | History for this advisory — when it was first detected, when it was re-detected, reopened, resolved, or notifications were sent |
For transitive dependencies, the parent chain matters more than the package name. A critical in a 6-deep transitive often isn't worth a midnight page — switch to the Visuals sub-tab and look at the tree before you escalate.
Acting on advisories
From the advisories panel:
| Action | When to use |
|---|---|
| Acknowledge | You've triaged it and you're going to fix it on your cadence, not right now |
| Dismiss / mark won't fix | You've decided this isn't a real risk for your protocol (e.g., the affected code path isn't reachable). Include a reason — it shows up in the event log |
| Reopen | You dismissed something earlier and want it back in the work queue |
Resolution usually happens passively: bump the package, push, and the next scan won't find the bad version any more — Cygent auto-resolves the advisory and posts a resolution notification (if you've enabled the resolved message type for that channel).
Visualizing the dependency graph
The Visuals sub-tab on the Dependencies page offers two views over the parsed manifest:
- Tree — collapsible hierarchy, useful for "where does this transitive come from?"
- Treemap — proportional surface area by some weight (dep count, advisory severity). Useful for at-a-glance "where's the risk concentrated?"
Click any node in either view to open the cell inspector — package metadata, the manifest path that pulled it in, advisories on that exact node.