Rank dependency updates by security impact.
verophi correlates your SBOM with open Renovate updates and ranks them by security impact.
View on GitHub$ verophi analyze --sbom sbom.json --gitlab-project acme/webappverophi dev sbom.json (CycloneDX 1.6) gitlab:acme/webappCVEs 32 C:4 H:18 M:8 L:2CVE match 25/32VIS 122 reducible: 84, remaining: 38MRs 6 matched: 3, no match: 2, unparsed: 1severity C critical H high M medium L lownote: MR VIS can overlap; reducible VIS counts matched CVEs once.MERGE FIRST (by VIS, then VME)1 !42 Pillow 9.0.0 -> 10.2.0 major VIS 30 VME 10.0fixes 7 CVEs C:1 H:5 M:1 L:0https://gitlab.com/acme/webapp/-/merge_requests/422 !38 actionpack 6.1.4 -> 6.1.7.8 patch VIS 28 VME 28.0fixes 8 CVEs C:0 H:6 M:2 L:0https://gitlab.com/acme/webapp/-/merge_requests/383 !51 express 4.17.1 -> 4.21.0 minor VIS 26 VME 13.0fixes 10 CVEs C:0 H:4 M:4 L:2https://gitlab.com/acme/webapp/-/merge_requests/51CVEs WITHOUT A MATCHED MR (7)SEV ID DEPENDENCYC CVE-2024-51234 xmldom@0.6.0C CVE-2026-40021 axios@0.21.1+5 more (--verbose)MRs WITHOUT A MATCHED CVE (2)MR DESCRIPTION RISK!44 chore(deps): pin dependencies pin!47 chalk 4.1.0 -> 4.1.2 patchMRs WITH NO CHANGES PARSED (1)MR TITLE!49 chore(deps): lock file maintenance
← scroll horizontally →
- Severity counts From the CycloneDX SBOM. verophi does not re-classify CVEs.
- Verophi Impact Score (VIS):
severity weight x fixed CVEs. Severity-weighted sum of advisories this update fully addresses. - Verophi Merge Efficiency (VME):
VIS / merge risk tier. VIS divided by merge risk tier. Higher means more security value per unit of risk. - MR matching verophi correlates CVEs to MRs that already exist. No phantom recommendations.
- Output:
--format json. Human-readable by default. JSON for pipelines.
The gap between Trivy and Renovate
Trivy and Renovate solve different problems. Neither connects them.
Trivy finds CVEs, but doesn't tell you which open Renovate update fixes them.
Renovate creates updates, but doesn't tell you which ones are security-relevant.
Your team doesn't know which updates to merge first.
Three steps. No server required.
Drop it into CI, or run it locally against any SBOM file.
Scan
Generate a CycloneDX SBOM with Trivy or any compatible scanner.
trivy fs --format cyclonedx --output sbom.json .Analyze
verophi reads the SBOM, queries open Renovate updates, and matches CVEs to fixes.
verophi analyze --sbom sbom.json \ --gitlab-token $TOKEN \ --gitlab-project 12345Merge
Merge the top-ranked updates. Higher ranks fix more CVEs at lower risk.
↓ ranked by security impact
Local-first. No backend. No data leaves your CI.
verophi is a CLI you run yourself. It does not phone home.
A CLI you run yourself. No telemetry, no signup, no platform.
Open source
Apache 2.0. Audit the code yourself. No proprietary modules, no telemetry.
Runs locally
Single binary. No server, no account, no signup. Works offline once your SBOM is on disk.
API-only
Reads your SBOM file and queries GitLab/GitHub API. Nothing else.
Not a scanner. Not a platform. Just a CLI that helps you decide what to merge.