Blog April 28, 2026

Introducing Dependency Radar

A new real-time supply chain security feed from open source downloads tracked by Scarf

By Avi Press, Founder & CEO

Supply chain security is a messy but dire topic right now, as even security companies seem to be getting breached every week. AI is creating cybersecurity threats that are moving faster than ever.

I found myself wondering what insights Scarf’s data — billions of OSS downloads every day — might offer to make a meaningful contribution to supply chain security efforts. A brief exploration showed the direction to be promising and worth serious investigation within the Scarf community.

Most large enterprises are still downloading known-vulnerable OSS packages. I don’t just mean brand-new issues like the recent Axios vulnerability. There were millions of downloads of old Log4Shell-impacted versions of Log4j in the last month, even though that vulnerability was patched years ago.

To be clear, a download does not necessarily mean a vulnerable package is running in production. But it does mean vulnerable versions are still moving through enterprise environments: developer laptops, CI systems, build pipelines, internal tools, and legacy systems.

This may not be surprising when you consider a few factors:

  1. Most supply chain security tools focus on scanning static code, SBOMs, or restricting access. Those are important, but they do not necessarily monitor real-time behavior. They might catch what you’re about to deploy or merge, but they won’t always catch what one of your engineers, build systems, or AI agents might be downloading right now on their machine.
  2. Legacy systems can be very hard to update.
  3. AI is making the whole problem move faster. More code is being written, modified, and deployed automatically, and the time between vulnerability discovery and attempted exploitation is getting shorter.

Introducing: Dependency Radar

To help companies stay ahead, we’re launching a new API-based feed in Scarf called Dependency Radar.

Think of it as a single firehose of every OSS download Scarf sees from your company, across the billions of downloads we track daily.

Monitor what your team is downloading, feed it to your AI agents or ours, and get real-time insights about live risks in your supply chain.

Static scanning only tells you part of the story. Dependency Radar helps show what your organization is actually downloading.

How much does Dependency Radar cost?

Dependency Radar is available to everyone, including users on the free tier.

Each API call to Dependency Radar consumes 1 Run. See https://www.scarf.sh/pricing for more information on Run credits.

Each API call can return up to 1,000 raw download events at a time.
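As an added illustration (not Scarf's code or API), here is how a consumer of one batch of raw download events might triage it against a table of known-vulnerable version ranges, the step that turns a firehose into a list of live risks; the event field names, the source labels and the advisory table are assumptions, and the single Log4j entry is illustrative rather than a complete advisory.

```python
import re

# Illustrative advisory table (an assumption, not Scarf data):
# (ecosystem, package) -> [first_affected, first_fixed) ranges. Load it
# from your own advisory source; this single entry is the Log4Shell range.
ADVISORIES = {
    ("maven", "org.apache.logging.log4j:log4j-core"): [("2.0-beta9", "2.15.0")],
}
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}

def version_key(v):
    """Sortable key: numeric parts padded to 4, then pre-release rank,
    so 2.0-beta9 < 2.0 < 2.14.1 < 2.15.0 compare as expected."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)\.?(\d*))?", v, re.I)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    pre = m.group(2)
    return nums, ((_PRERELEASE_RANK[pre.lower()], int(m.group(3) or 0)) if pre else (3, 0))

def is_affected(ecosystem, package, version):
    """True if version falls inside any advisory range for the package."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi)
               for lo, hi in ADVISORIES.get((ecosystem, package), []))

def flag_batch(events):
    """Reduce one batch of raw download events to the known-vulnerable hits."""
    return [ev for ev in events
            if is_affected(ev["ecosystem"], ev["package"], ev["version"])]

def summarize(hits):
    """Count hits per (package, version): where are old versions still moving?"""
    counts = {}
    for ev in hits:
        k = (ev["package"], ev["version"])
        counts[k] = counts.get(k, 0) + 1
    return counts

# Constructed sample batch; the field names are an assumed shape, not the real API.
LOG4J = "org.apache.logging.log4j:log4j-core"
SAMPLE_BATCH = [
    {"ecosystem": "maven", "package": LOG4J, "version": "2.14.1", "source": "ci-runner-07"},
    {"ecosystem": "maven", "package": LOG4J, "version": "2.17.1", "source": "ci-runner-07"},
    {"ecosystem": "maven", "package": LOG4J, "version": "2.0-beta9", "source": "legacy-build"},
    {"ecosystem": "maven", "package": LOG4J, "version": "2.14.1", "source": "dev-laptop-22"},
    {"ecosystem": "npm", "package": "axios", "version": "1.6.0", "source": "dev-laptop-22"},
]
```

Run `summarize(flag_batch(batch))` on each page of up to 1,000 events and the counts show which old versions are still moving, and from which build or developer hosts, rather than only which ones are pinned in a manifest.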

Do I have access to download data for my entire company? Who gets access to this?

Access is restricted to verified organizations.

You’ll need:

  • A verified company email address that matches the domain of the events you are trying to query.
  • A Scarf organization whose billing email address is tied to that same domain.

Example: If your organization has an @example.com billing email, your account must have a verified @example.com email address to access this API.

Your Dependency Radar feed will include download events that Scarf maps to your company domain.

How do I get started?

The best way is to ask your Scarf AI Agent in Slack, or ask your LLM using our AI skill:

https://github.com/scarf-sh/scarf-skill

Dependency Radar is also accessible directly through Scarf’s public API.

What’s next

We want to get this feed out to enterprise security teams as quickly as possible.

We’re looking for feedback from those teams on what they find, how they use it, and what they want to see next.

If you work on software supply chain security and want real-time visibility into what your organization is actually downloading from open source, we’d love for you to try Dependency Radar.