Open source · Apache 2.0

Rank dependency updates by security impact.

verophi correlates your SBOM with open Renovate updates and ranks them by security impact.

View on GitHub
v0.1.0 Apache 2.0No telemetrySingle binary
$ verophi analyze --sbom sbom.json --gitlab-project acme/webapp
verophi dev sbom.json (CycloneDX 1.6) gitlab:acme/webapp
CVEs 32 C:4 H:18 M:8 L:2
CVE match 25/32
VIS 122 reducible: 84, remaining: 38
MRs 6 matched: 3, no match: 2, unparsed: 1
severity C critical H high M medium L low
note: MR VIS can overlap; reducible VIS counts matched CVEs once.
MERGE FIRST (by VIS, then VME)
1 !42 Pillow 9.0.0 -> 10.2.0 major VIS 30 VME 10.0
fixes 7 CVEs C:1 H:5 M:1 L:0
https://gitlab.com/acme/webapp/-/merge_requests/42
2 !38 actionpack 6.1.4 -> 6.1.7.8 patch VIS 28 VME 28.0
fixes 8 CVEs C:0 H:6 M:2 L:0
https://gitlab.com/acme/webapp/-/merge_requests/38
3 !51 express 4.17.1 -> 4.21.0 minor VIS 26 VME 13.0
fixes 10 CVEs C:0 H:4 M:4 L:2
https://gitlab.com/acme/webapp/-/merge_requests/51
CVEs WITHOUT A MATCHED MR (7)
SEV ID DEPENDENCY
C CVE-2024-51234 xmldom@0.6.0
C CVE-2026-40021 axios@0.21.1
+5 more (--verbose)
MRs WITHOUT A MATCHED CVE (2)
MR DESCRIPTION RISK
!44 chore(deps): pin dependencies pin
!47 chalk 4.1.0 -> 4.1.2 patch
MRs WITH NO CHANGES PARSED (1)
MR TITLE
!49 chore(deps): lock file maintenance

← scroll horizontally →

How to read it
  • Severity counts From the CycloneDX SBOM. verophi does not re-classify CVEs.
  • Verophi Impact Score (VIS):severity weight x fixed CVEs. Severity-weighted sum of advisories this update fully addresses.
  • Verophi Merge Efficiency (VME):VIS / merge risk tier. VIS divided by merge risk tier. Higher means more security value per unit of risk.
  • MR matching verophi correlates CVEs to MRs that already exist. No phantom recommendations.
  • Output:--format json. Human-readable by default. JSON for pipelines.

The gap between Trivy and Renovate

Trivy and Renovate solve different problems. Neither connects them.

Trivy finds CVEs, but doesn't tell you which open Renovate update fixes them.

Renovate creates updates, but doesn't tell you which ones are security-relevant.

Your team doesn't know which updates to merge first.

Three steps. No server required.

Drop it into CI, or run it locally against any SBOM file.

  1. Scan

    Generate a CycloneDX SBOM with Trivy or any compatible scanner.

    trivy fs --format cyclonedx --output sbom.json .
  2. Analyze

    verophi reads the SBOM, queries open Renovate updates, and matches CVEs to fixes.

    verophi analyze --sbom sbom.json \
      --gitlab-token $TOKEN \
      --gitlab-project 12345
  3. Merge

    Merge the top-ranked updates. Higher ranks fix more CVEs at lower risk.

    ↓ ranked by security impact

Local-first. No backend. No data leaves your CI.

verophi is a CLI you run yourself. It does not phone home.

A CLI you run yourself. No telemetry, no signup, no platform.

Open source

Apache 2.0. Audit the code yourself. No proprietary modules, no telemetry.

Runs locally

Single binary. No server, no account, no signup. Works offline once your SBOM is on disk.

API-only

Reads your SBOM file and queries GitLab/GitHub API. Nothing else.

Not a scanner. Not a platform. Just a CLI that helps you decide what to merge.

Example output

What verophi prints

Real output from the CLI, with the parts that matter for trust called out.

Severity counts

From the CycloneDX SBOM. verophi does not re-classify CVEs.

MR matching

verophi correlates CVEs to MRs that already exist. No phantom recommendations.

$ verophi analyze --sbom sbom.json --gitlab-project acme/webapp
verophi dev sbom.json (CycloneDX 1.6) gitlab:acme/webapp
CVEs 32 C:4 H:18 M:8 L:2
CVE match 25/32
VIS 122 reducible: 84, remaining: 38
MRs 6 matched: 3, no match: 2, unparsed: 1
severity C critical H high M medium L low
note: MR VIS can overlap; reducible VIS counts matched CVEs once.
MERGE FIRST (by VIS, then VME)
1 !42 Pillow 9.0.0 -> 10.2.0 major VIS 30 VME 10.0
fixes 7 CVEs C:1 H:5 M:1 L:0
https://gitlab.com/acme/webapp/-/merge_requests/42
2 !38 actionpack 6.1.4 -> 6.1.7.8 patch VIS 28 VME 28.0
fixes 8 CVEs C:0 H:6 M:2 L:0
https://gitlab.com/acme/webapp/-/merge_requests/38
3 !51 express 4.17.1 -> 4.21.0 minor VIS 26 VME 13.0
fixes 10 CVEs C:0 H:4 M:4 L:2
https://gitlab.com/acme/webapp/-/merge_requests/51
CVEs WITHOUT A MATCHED MR (7)
SEV ID DEPENDENCY
C CVE-2024-51234 xmldom@0.6.0
C CVE-2026-40021 axios@0.21.1
+5 more (--verbose)
MRs WITHOUT A MATCHED CVE (2)
MR DESCRIPTION RISK
!44 chore(deps): pin dependencies pin
!47 chalk 4.1.0 -> 4.1.2 patch
MRs WITH NO CHANGES PARSED (1)
MR TITLE
!49 chore(deps): lock file maintenance

Verophi Impact Score (VIS):

severity weight x fixed CVEs

Severity-weighted sum of advisories this update fully addresses.

Verophi Merge Efficiency (VME):

VIS / merge risk tier

VIS divided by merge risk tier. Higher means more security value per unit of risk.

$ verophi analyze --sbom sbom.json --gitlab-project acme/webapp
verophi dev sbom.json (CycloneDX 1.6) gitlab:acme/webapp
CVEs 32 C:4 H:18 M:8 L:2
CVE match 25/32
VIS 122 reducible: 84, remaining: 38
MRs 6 matched: 3, no match: 2, unparsed: 1
severity C critical H high M medium L low
note: MR VIS can overlap; reducible VIS counts matched CVEs once.
MERGE FIRST (by VIS, then VME)
1 !42 Pillow 9.0.0 -> 10.2.0 major VIS 30 VME 10.0
fixes 7 CVEs C:1 H:5 M:1 L:0
https://gitlab.com/acme/webapp/-/merge_requests/42
2 !38 actionpack 6.1.4 -> 6.1.7.8 patch VIS 28 VME 28.0
fixes 8 CVEs C:0 H:6 M:2 L:0
https://gitlab.com/acme/webapp/-/merge_requests/38
3 !51 express 4.17.1 -> 4.21.0 minor VIS 26 VME 13.0
fixes 10 CVEs C:0 H:4 M:4 L:2
https://gitlab.com/acme/webapp/-/merge_requests/51
CVEs WITHOUT A MATCHED MR (7)
SEV ID DEPENDENCY
C CVE-2024-51234 xmldom@0.6.0
C CVE-2026-40021 axios@0.21.1
+5 more (--verbose)
MRs WITHOUT A MATCHED CVE (2)
MR DESCRIPTION RISK
!44 chore(deps): pin dependencies pin
!47 chalk 4.1.0 -> 4.1.2 patch
MRs WITH NO CHANGES PARSED (1)
MR TITLE
!49 chore(deps): lock file maintenance
How to read it
  • Severity counts From the CycloneDX SBOM. verophi does not re-classify CVEs.
  • Verophi Impact Score (VIS):severity weight x fixed CVEs. Severity-weighted sum of advisories this update fully addresses.
  • Verophi Merge Efficiency (VME):VIS / merge risk tier. VIS divided by merge risk tier. Higher means more security value per unit of risk.
  • MR matching verophi correlates CVEs to MRs that already exist. No phantom recommendations.
  • Output:--format json. Human-readable by default. JSON for pipelines.
OutputHuman-readable by default. JSON with --format json for pipelines.
VIS
Verophi Impact Score
VME
Verophi Merge Efficiency

Get started in 30 seconds

Pick your CI. Paste. Done.

Three environments

  • GitLab CI uses CI_JOB_TOKEN, no extra secrets needed.
  • GitHub Actions works with the built-in GITHUB_TOKEN.
  • Local run against any repo. Useful before opening a CI integration PR.

All paths use the same ghcr.io/verophi/verophi-trivy image. Trivy + verophi in one layer.

verophi:
  image: ghcr.io/verophi/verophi-trivy:latest
  script:
    - trivy fs --format cyclonedx --scanners vuln --output sbom.json .
    - verophi analyze --sbom sbom.json \
        --gitlab-token $CI_JOB_TOKEN \
        --gitlab-project $CI_PROJECT_ID
verophi:
  image: ghcr.io/verophi/verophi-trivy:latest
  script:
    - trivy fs --format cyclonedx --scanners vuln --output sbom.json .
    - verophi analyze --sbom sbom.json \
        --gitlab-token $CI_JOB_TOKEN \
        --gitlab-project $CI_PROJECT_ID
What's next

We're exploring

  • Container update impact: rank image and chart updates by the CVEs they actually remove
  • Confidence-aware scoring: KEV/EPSS/CVSS/VEX as additive tie-breakers, uncertain matches flagged for review
  • Merge-first surfaces: ranked CI summary, sticky MR/PR comments, and priority/fixes/risk labels, read-only by default
  • Risk-trend metrics: Prometheus export of total and reducible impact per repository over time

Currently supports Renovate. Dependabot support is tracked based on demand. Vote on the GitHub issue.