MIT · zero-build MavenGradlenpmpnpm ComposerPyPINuGet GoRubyNative bins

Audit every dependency.No build. No leaks.

A polyglot CVE · EOL · outdated · license scanner that reads your source tree directly — no mvn, no npm install, no Docker. Findings merged from CVEProject, OSV, NVD & retire.js, prioritised with EPSS + CISA KEV, an audit-ready HTML & Word report (plus CycloneDX SBOM & CSAF VEX), and an air-gapped mode for confidential code.

$ get started ★ Star on GitHub
$npm i -g fad-checker && fad -s ./your-project

⚠️ Young project — expect rough edges. fad-checker is new and under active development, so it may still contain bugs (false positives / negatives). Treat its output as a strong first pass, double-check anything critical, and report issues — they get fixed fast.

fad-checker animated terminal demo: a [n/N] checklist warming each vulnerability database, then CVE results coloured by severity with KEV badges
One tool, one pass

Ten ecosystems + vendored JS + embedded JARs + native binaries

Point it at any checkout — multi-module, monorepo, polyglot. It parses manifests and lockfiles directly, and falls back to best-effort (pinned versions) when there's no lockfile.

Maven · pom.xmlGradle · build.gradle(.kts) + libs.versions.tomlnpm · package-lockYarn · v1 + Berry pnpm · v5/6/9Composer · composer.lockPyPI · poetry/uv/pdm/pip NuGet · .csproj/.fsproj/.vbprojGo · go.mod/go.sum Ruby · Gemfile.lockVendored JS · retire.js Embedded JARs · full inventory (ch.1B) Native bins · .dll/.so/.exe/.dylib
Why it's different

Built for audits, not just CI

01

No build, polyglot

Reads pom.xml, build.gradle & lockfiles across all ten ecosystems. No JDK, no install, no Docker — audit a checkout you can't even compile. It even cracks open committed .jar/.war/.ear binaries (fat-jars, shaded uber-jars) in-memory to scan the libraries shaded inside them.

02

Merged sources, fewer false positives

CVEProject + OSV.dev + NVD + retire.js, merged & deduped, then cross-checked against NVD CPE version ranges to filter noise.

03

Risk-based priority

Every CVE enriched with EPSS (FIRST.org exploit-prediction) and CISA KEV (known-exploited). A composite score puts exploited-in-the-wild first, not just the highest CVSS.

04

Beyond CVEs

Flags end-of-life (endoflife.date, with a Source column tracing each verdict to its mapping rule), deprecated / abandoned / yanked, outdated versions, and licenses (SPDX + copyleft policy) — signals most scanners skip.

05

Reports you can hand over

One self-contained HTML + Word-compatible .doc, organised by ecosystem and by the manifest that declares each dep, with per-tool fix recipes.

06

Exports & CI gating

Emit CycloneDX 1.6 SBOM, CSAF 2.0 VEX, flat JSON and SARIF 2.1.0 (GitHub/GitLab code scanning). Gate with --fail-on critical|kev; triage false-positives via --ignore / --vex.

07

Air-gapped

Export an anonymized descriptor (public coordinates only), enrich online, report offline. The confidential codebase never leaves the enclave.

08

Maven private-dep cleanup

Strip private/internal dependencies into a parallel tree of cleaned POMs, ready to feed straight into Snyk.

09

Native binaries, by checksum

Committed .dll/.exe/.so/.dylib (magic-byte confirmed — images/assets are never picked up) are identified by hash via deps.dev + CIRCL: flags tampered/unknown files and libraries that should be declared dependencies. No malware/AV lane.

10

Private registries & config files

Point it at private Nexus/Artifactory (Maven), Verdaccio/GitHub Packages (npm), devpi (PyPI), Gemfury (Ruby) or GOPROXY (Go) — tried first, public last, Basic or Bearer auth. Stash reusable defaults in .fad-env.json / --config or the FAD_CHECKER_ENV variable, and prune sub-paths with gitignore-style --exclude-path — every skipped directory is listed back in the report's Ignored directories appendix.

11

Unmanaged vendored JS, inventoried

Every standalone JS lib committed into the tree (jQuery, Bootstrap, PDF.js, …) that no package manager governs is inventoried — vulnerable or not (via retire.js --verbose). A cyber-hygiene constat on unknown-provenance third-party code, the JS twin of the native-binary scan.

The deliverable

An executive summary, then the detail

Severity tiles, a CVE table with a priority column (KEV / EPSS), CWE & fix versions, EOL / obsolete / outdated / license chapters, and a "likely false positives" appendix — all in a single file you can email.

fad-checker HTML report: executive summary with severity tiles and a detailed CVE table with CWE, descriptions and fix versions
cve-report.html — generated by fad -s ./project
Confidential by design

Scan online. Never expose the code.

The vuln databases need the network; your client's code does not. The scan splits in three — only public coordinates ever leave the secure machine. Caches are keyed by coordinate, so warming them online and replaying offline just yields cache hits.

Designed for any air-gapped / confidential review. The online box only ever sees lodash@4.17.21 — never your repository.

# 1 — OFFLINE (audited machine): export anonymized descriptor
fad -s ./proj -e "^(client|internal)\." --export-anonymized deps.json

# 2 — ONLINE (any box, no source): warm the caches
fad --import-anonymized deps.json
fad --export-cache fad-cache.tar.gz

# 3 — OFFLINE again: full report, real paths
fad --import-cache fad-cache.tar.gz
fad -s ./proj --offline
Honest positioning

Where it fits

Not a Trivy/Grype replacement — those own containers and continuous CI. fad-checker owns the zero-setup source audit with an air-gapped story (and now emits SBOM/VEX, flags licenses and prioritises by EPSS/KEV too).

Capabilityfad-checkerOSV-ScannerTrivyGrype+SyftOWASP DCSnyk OSS
Reads lockfiles without build~Javabuild
Best-effort without a lockfile~~
EOL detection~
Outdated / deprecated~
EPSS / KEV prioritization~
License compliance~~
SBOM / VEX export✓ CDX+CSAF~
HTML + Word reportjsonjsonjsonhtmlcloud
Air-gapped, code never exposed
Containers / OS packages~

² For pom.xml, every tool (fad-checker included) must reach Maven Central or use a build/SBOM to resolve transitives. The real "no build" edge is vs Snyk (needs a build) and OWASP DC (needs Maven Central for Java). Reach for Trivy or Grype+Syft for continuous CI, containers and SBOM pipelines.

Documentation

Everything is documented

Per-flag usage, internals, and the full source — all in the repo.

▸ README
Quick start, install, every supported manifest, the comparison table.
▸ Usage
Every flag and workflow: ecosystems, offline/cache, NVD key, Snyk, recipes.
▸ Architecture
Codecs, the resolved-deps map, matching tiers, the report pipeline.
▸ Changelog
Release history and what changed in each version.
 
# read-only full scan (default: all sources on)
fad -s ./proj

# pick ecosystems · go fully offline · skip the Maven Central queries
fad -s . --ecosystem maven,npm,pypi
fad -s . --offline

# write a cleaned POM tree (private deps stripped) for Snyk
fad -s ./proj -t ../pom-clean -e "^client\." --snyk