Prune your Dependabot Alerts
Stop wasting time on unreachable vulnerabilities. Focus on the risk that really matters.
Get Started
False-positives are costing you money
Every Dependabot alert looks important, but most of them are unreachable. Be it from a function that isn't ever called, hardcoded safe parameters or a multitude of other reasons, some vulnerabilities can never actually be exploited.
Despite this, developers waste hours triaging and fixing these issues leading to increased costs, missed features, delayed releases, and frustrated engineers.
Vulnprune cuts through the noise by automatically dismissing false positives in JavaScript and TypeScript packages, so your security team sees what truly matters and your developers get back to building. No manual steps, we do all the work while you sit back and relax.
Features
Fire and Forget
Fire and Forget
Install it once and walk away. Vulnprune runs in the background without dashboards, configs, or manual steps.
Auditable Changes
Auditable Changes
Every dismissed alert includes a detailed explanation with links to the exact rules applied, so you always know why.
Reduce Noise
Reduce Noise
Cut through the clutter and focus only on the vulnerabilities that genuinely put your project at risk.
Save Time
Save Time
Stop spending hours triaging false positives. Get your team back to shipping features that matter.
How it works
We read the dependency lockfiles in your codebase, and with it create a dependency graph, marking the paths to the vulnerable component.
We compare it with pre-defined rules that we created, and prune the paths that match with the rule.
If all the paths are pruned, the alert is closed.
Frequently asked questions
- Will it hide real vulnerabilities?
- If an alert is deemed a unreachable and closed, Vulnprune will leave a comment in the alert, with links to the rules used to reach that conclusion. Furthermore, if a rule has been deemed inaccurate by us and deleted, all alerts closed by it will automatically reopen.
- Which languages and package ecosystems are supported?
- Currently Vulnprune supports JavaScript and TypeScript projects using npm, yarn, or pnpm. Support for additional ecosystems is on the roadmap.
- Does it work with private repositories?
- Yes!
- What languages are supported?
- Currently focused on JavaScript and TypeScript. More coming soon. Do you want a specific language to be supported? Please leave a message in our contact section, so that we can prioritize it if enough people ask for it!