dKatchr

Open-source SCA scanner

Catch what your dependencies are hiding.

Scan GitHub orgs and repos across 8 package ecosystems, then enrich every finding with OSV, NVD, EPSS, and KEV data — before it ships.

View on GitHub

One scan, full picture

dKatchr walks your org's repos, resolves every dependency, and cross-references it against the sources that matter.

Multi-ecosystem scanning

npm, PyPI, Maven, Go, and more — 8 ecosystems, one scan, across whole GitHub orgs.

Vulnerability enrichment

Every finding cross-referenced against OSV, NVD, EPSS, and KEV — so severity reflects reality.

Malicious package detection

Typosquatting and dependency confusion checks catch what CVE feeds miss.

CLI-first workflow

Scriptable, CI-friendly, no dashboard required. Pipe results wherever you need them.

100% open source

The core engine and CLI are fully open.

No black box. Read the scan logic, run it yourself, or contribute a new ecosystem. It's all on GitHub.

github.com/dkatchr/dkatchr-core
$ pip install dkatchr
$ dkatchr -o results.csv --repos OWASP/NodeGoat --osv --attribution --typosquat
[+] OSV mode: ON   TTL: 86400s
[+] KEV mode: ON   TTL: 86400s
[+] OSV: 1087 unique tuples across all repos
[+] KEV: loaded 1637 CVEs from cache
[+] EPSS: loaded 346839 scores from cache
[✓] Done. repos=1  fix avail: 264
Soon

Something bigger is on the way.

For security teams who need more than a scanner. No details yet — just watch this space.