Know what's installed.
Know what's vulnerable.

pkgprobe scans your local filesystem for software projects, discovers every dependency — including transitive ones — and surfaces known vulnerabilities in seconds. Native macOS app. No cloud. No signup.

pkgprobe

Projects:
- my-app (47 deps)
- api-service (23 deps)
- backend (61 deps)

my-app (npm)

| Name | Version | CVEs | License |
|---|---|---|---|
| express | 4.18.2 | 0 | MIT |
| lodash | 4.17.20 | 1 HIGH | MIT |
| axios | 1.6.0 | 2 MED | MIT |
| semver | 7.5.4 | 0 | ISC |

pkgprobe — Vulnerabilities
- CRITICAL CVE-2024-4068: braces@3.0.2, regular expression denial of service in braces. Fix available: 3.0.3
- HIGH CVE-2021-23337: lodash@4.17.20, command injection via template. Fix available: 4.17.21
- MEDIUM CVE-2023-45857: axios@1.6.0, CSRF token exposure via XSRF-TOKEN cookie. Fix available: 1.6.1

pkgprobe — Policy
FAIL — 3 violations
- License violation: GPL-3.0 not in allowed_licenses (node-gyp@10.0.1)
- License conflict: GPL-3.0 dep in MIT project (readline@1.3.0)
- Registry violation: source_url not in allowed_registries (internal-lib@2.1.0)

pkgprobe — Export
- CycloneDX 1.6: industry-standard SBOM format (.cdx.json)
- SPDX 2.3: open standard for SBOMs (.spdx.json)
- THIRD_PARTY_LICENSES.md: consolidated license notice for all dependencies
# Third-Party Licenses for my-app

## MIT
- accepts
- axios
- express
- lodash
- semver

## ISC
- glob
- graceful-fs

Built for the local machine

Unlike cloud scanners that only see what's committed, pkgprobe scans what's actually installed — catching version drift, manual installs, and projects that aren't in git.


Multi-ecosystem

Node.js (npm, yarn, pnpm), .NET (NuGet), PHP (Composer) — with Python, Java, Rust, Ruby, and Go on the roadmap.

Instant, offline scanning

No cloud dependency. Scans run locally in seconds. Vulnerability data is cached with configurable TTL.


Admin policy override

Deploy a system-level policy file that users cannot disable. The GUI shows it as read-only with "Managed by your organization".


Structured audit logging

Every scan, policy evaluation, and config change is logged as structured JSON. Feed it into Splunk, Datadog, or any SIEM.


Registry enforcement

Ensure every dependency comes from an approved registry. Flag packages that bypassed your private Artifactory or mirror.
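The policy and registry checks described above, as an added illustration that is not pkgprobe's own code: the policy layout (the project_license and copyleft_licenses keys, and the mirror URL) and the dependency inventory are constructed assumptions, and it generalizes slightly by running every dependency through all three rules rather than reporting one finding per package as the Policy panel mock does.

```python
from dataclasses import dataclass

# Constructed approved mirror. Keep the trailing slash: the prefix match must cover
# host and path, so a lookalike host (artifactory.example.internal.evil.test) cannot pass.
MIRROR = "https://artifactory.example.internal/api/npm/npm-virtual/"

# Constructed sample policy. allowed_licenses / allowed_registries are the keys the
# pkgprobe policy panel names; project_license and copyleft_licenses are assumptions.
POLICY = {
    "project_license": "MIT",
    "allowed_licenses": {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"},
    "allowed_registries": (MIRROR,),
    "copyleft_licenses": {"GPL-2.0", "GPL-3.0", "AGPL-3.0"},
}

@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    license: str     # SPDX identifier from package metadata, or "UNKNOWN"
    source_url: str  # resolved tarball URL recorded by the package manager

# Constructed inventory: a clean package, a copyleft package, and a package fetched
# from the public registry instead of the approved mirror.
INVENTORY = [
    Dependency("express", "4.18.2", "MIT", MIRROR + "express/-/express-4.18.2.tgz"),
    Dependency("node-gyp", "10.0.1", "GPL-3.0", MIRROR + "node-gyp/-/node-gyp-10.0.1.tgz"),
    Dependency("internal-lib", "2.1.0", "MIT",
               "https://registry.npmjs.org/internal-lib/-/internal-lib-2.1.0.tgz"),
]

def evaluate_policy(deps, policy):
    """Return (kind, reason, package) tuples for every rule each dependency breaks."""
    project_license = policy["project_license"]
    violations = []
    for d in deps:
        pkg = f"{d.name}@{d.version}"
        if d.license not in policy["allowed_licenses"]:
            violations.append(("License violation", f"{d.license} not in allowed_licenses", pkg))
        if d.license in policy["copyleft_licenses"] and project_license not in policy["copyleft_licenses"]:
            violations.append(("License conflict", f"{d.license} dep in {project_license} project", pkg))
        if not d.source_url.startswith(policy["allowed_registries"]):
            violations.append(("Registry violation", "source_url not in allowed_registries", pkg))
    return violations

def summarize(violations):
    """Mirror the panel's verdict line: PASS, or FAIL with the violation count."""
    return "PASS" if not violations else f"FAIL: {len(violations)} violations"
```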

Scheduled scanning

Set an interval (1h, 4h, 12h, daily) and pkgprobe re-scans automatically — catching new CVEs as they drop.

Simple, transparent pricing

7-day free trial with all features. No credit card required.

Individual

For developers

GUI base price + add-ons
  • Native macOS app
  • Filesystem scanning
  • Vulnerability detection (OSV)
  • Scheduled scanning

Feature add-ons:

  • CLI unlock
  • SBOM export (CycloneDX + SPDX)
  • Policy enforcement
  • License compliance
  • Dependency graph
  • Registry enforcement
Start free trial

Ready to see what's on your machine?

Download pkgprobe, point it at your dev directories, and get a full dependency inventory with vulnerability status in seconds.

Requires macOS 14+. Windows and Linux coming soon.