Saved in:
Bibliographic Details
Main Authors: Ruckman-Utting, Henry, Nedungadi, Vrushal, Okuma, Taiga, Wang, LeTian, Ehebald, Stephen, Tayebi, Mohammad A.
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.00179
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917452241174528
author Ruckman-Utting, Henry
Nedungadi, Vrushal
Okuma, Taiga
Wang, LeTian
Ehebald, Stephen
Tayebi, Mohammad A.
author_facet Ruckman-Utting, Henry
Nedungadi, Vrushal
Okuma, Taiga
Wang, LeTian
Ehebald, Stephen
Tayebi, Mohammad A.
contents Open-source software (OSS) dependencies introduce systemic risks that are difficult to manage at scale. Existing Software Composition Analysis (SCA) and reachability tools generate severe alert fatigue by treating risk as an intrinsic component property, ignoring semantic context and forcing enterprises into rigid compliance frameworks. We present Deptex, an organization-first, graph-based platform treating supply chain risk as emergent. Deptex introduces Execution Path Dominance (EPD), fusing Code Property Graph (CPG) slicing with Large Language Model (LLM) semantic verification to calculate a vulnerability's true operational blast radius. To handle bespoke compliance, Deptex abstracts governance into a programmable ``As Code'' engine, enabling security teams to natively enforce dynamic pull request policies, custom asset tiers, and external API integrations. By shifting from reactive scanning to context-aware governance, Deptex enables proactive, efficient, and aligned supply chain risk management.
format Preprint
id arxiv_https___arxiv_org_abs_2605_00179
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle DEPTEX: Organization-First, Open Source Dependency Risk Monitoring
Ruckman-Utting, Henry
Nedungadi, Vrushal
Okuma, Taiga
Wang, LeTian
Ehebald, Stephen
Tayebi, Mohammad A.
Software Engineering
Open-source software (OSS) dependencies introduce systemic risks that are difficult to manage at scale. Existing Software Composition Analysis (SCA) and reachability tools generate severe alert fatigue by treating risk as an intrinsic component property, ignoring semantic context and forcing enterprises into rigid compliance frameworks. We present Deptex, an organization-first, graph-based platform treating supply chain risk as emergent. Deptex introduces Execution Path Dominance (EPD), fusing Code Property Graph (CPG) slicing with Large Language Model (LLM) semantic verification to calculate a vulnerability's true operational blast radius. To handle bespoke compliance, Deptex abstracts governance into a programmable ``As Code'' engine, enabling security teams to natively enforce dynamic pull request policies, custom asset tiers, and external API integrations. By shifting from reactive scanning to context-aware governance, Deptex enables proactive, efficient, and aligned supply chain risk management.
title DEPTEX: Organization-First, Open Source Dependency Risk Monitoring
topic Software Engineering
url https://arxiv.org/abs/2605.00179