DEPTEX: Organization-First, Open Source Dependency Risk Monitoring
For enterprises managing OSS dependencies, Deptex reduces alert fatigue by providing context-aware risk assessment instead of treating all vulnerabilities as equal.
Deptex addresses alert fatigue in OSS dependency risk monitoring by introducing Execution Path Dominance (EPD), which fuses CPG slicing with LLM verification to calculate a vulnerability's true operational blast radius, and a programmable governance engine for context-aware risk management.
Open-source software (OSS) dependencies introduce systemic risks that are difficult to manage at scale. Existing Software Composition Analysis (SCA) and reachability tools generate severe alert fatigue by treating risk as an intrinsic component property, ignoring semantic context and forcing enterprises into rigid compliance frameworks. We present Deptex, an organization-first, graph-based platform treating supply chain risk as emergent. Deptex introduces Execution Path Dominance (EPD), fusing Code Property Graph (CPG) slicing with Large Language Model (LLM) semantic verification to calculate a vulnerability's true operational blast radius. To handle bespoke compliance, Deptex abstracts governance into a programmable ``As Code'' engine, enabling security teams to natively enforce dynamic pull request policies, custom asset tiers, and external API integrations. By shifting from reactive scanning to context-aware governance, Deptex enables proactive, efficient, and aligned supply chain risk management.