Dependencies

Track third-party package vulnerabilities across the repos your agent watches, with advisories surfaced alongside the dependency graph that pulled them in.

Overview

Cygent's Dependencies tab is a separate pipeline from CARA findings. Findings come from auditing your own code; advisories come from public security feeds matched against the dependency manifests of the repos your agent watches.

Open the Dependencies tab on an instance to see it: a repo sidebar on the left, an advisories panel on the right, and an optional dependency visualization (tree or treemap) for tracing how a vulnerable package ended up in your project.

Supported ecosystems

EcosystemAdvisories
npmyes
pypiyes
cargoyes
goyes
foundry-libyes
aptos-moveinventory only
sui-moveinventory only

For aptos-move and sui-move, Cygent parses your manifests and renders the dependency graph, but no advisory feed covers those ecosystems yet — so you'll see what's installed without advisories attached.

When scans happen

TriggerScope
WeeklyEvery selected repo on the instance is rescanned automatically once a week
Manual rescanClick Rescan on a repo in the Dependencies tab — useful after bumping a package
Repo addA newly added repo gets scanned automatically
GitHub pushA push that changes a manifest triggers a partial rescan of the affected paths

If you've just heard about a CVE you suspect affects you and don't want to wait for the next weekly run, hit Rescan to pull the latest advisories immediately.

Advisory states

StateMeaning
OpenActive, in your work queue. The default state for a freshly matched advisory.
AcknowledgedYou've seen it. Still open, just visually separated from the "new" pile.
ResolvedThe affected version is no longer present (auto-resolved on the next scan) or you marked it resolved manually.
Dismissed / won't fixYou consciously chose not to act on it. Terminal unless the advisory re-matches later, in which case it reopens.

If a previously resolved or dismissed advisory matches again on a later scan, it reopens — the prior closed state means you made a deliberate decision, so a new match is worth surfacing.

What an advisory tells you

Click any row in the advisories panel to open the detail drawer:

FieldWhat it shows
Title + identifierThe CVE/GHSA/source id and a short title
SeverityCritical / High / Medium / Low — taken from the upstream source
Affected package + rangeThe package name and which versions are vulnerable
Suggested fixThe fixed version (when published by upstream)
Affected pathsFor every manifest where the bad version is pulled in: the manifest path, whether the package is a direct or transitive dep, and the parent chain
Event logHistory for this advisory — when it was first detected, when it was re-detected, reopened, resolved, or notifications were sent
💡

For transitive dependencies, the parent chain matters more than the package name. A critical in a 6-deep transitive often isn't worth a midnight page — switch to the Visuals sub-tab and look at the tree before you escalate.

Acting on advisories

From the advisories panel:

ActionWhen to use
AcknowledgeYou've triaged it and you're going to fix it on your cadence, not right now
Dismiss / mark won't fixYou've decided this isn't a real risk for your protocol (e.g., the affected code path isn't reachable). Include a reason — it shows up in the event log
ReopenYou dismissed something earlier and want it back in the work queue

Resolution usually happens passively: bump the package, push, and the next scan won't find the bad version any more — Cygent auto-resolves the advisory and posts a resolution notification (if you've enabled the resolved message type for that channel).

Visualizing the dependency graph

The Visuals sub-tab on the Dependencies page offers two views over the parsed manifest:

  • Tree — collapsible hierarchy, useful for "where does this transitive come from?"
  • Treemap — proportional surface area by some weight (dep count, advisory severity). Useful for at-a-glance "where's the risk concentrated?"

Click any node in either view to open the cell inspector — package metadata, the manifest path that pulled it in, advisories on that exact node.