Sonatype helps enterprises identify and remediate vulnerabilities in open source library dependencies and release more secure code. Today, they announced a free tool called DepShield that offers a basic level of protection for GitHub developers.
The product is actually two parts. For starters, Sonatype has a database of open source dependency vulnerabilities called OSS Index. The company gathers this information from a variety of public sources, says Sonatype CEO Wayne Jackson. While it isn’t as highly curated as the company’s commercial offerings, it does offer a layer of protection that most individual developers or small shops wouldn’t normally have access to.
After a developer installs DepShield, it checks a code commit in GitHub against the known vulnerabilities in the OSS Index with recommendations on how to proceed. The company’s commercial offerings includes a policy engine to automate remediation. The free version simply lets developers know if there are issues, and they can go back and fix them if need be.
“What DepShield and OSS Index are doing is allowing the developers at the front lines to be able to see what’s happening inside their applications and fix the vulnerabilities directly,” Jackson said.
As for the differences between the commercial and free products, Jackson say it’s a matter of scale. “The way you manage a single application or handful of applications as a developer is different than how you might approach it if you’re a CISO or a governance organization for thousands of applications,” he explained. The latter requires a higher level of automation than the former because of the sheer number of applications involved.
DepShield offers the 28 million developers using GitHub access to a baseline level of protection by identifying a set of known vulnerabilities in their applications before they make them public. Jackson says that GitHub’s role is evolving. Today, it’s not only a tool for committing your code, it’s also become a place to do issue tracking and code reviews, and he believes that as such, a product like DepShield is a natural fit.
DepShield is available starting today in the Security section of the GitHub Marketplace and developers can download and install it for free.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Sonatype, which is based in Maryland, launched in 2008 and has raised almost $75 million, according to data on Crunchbase. Its most recent funding round was in 2016 for $30 million. Microsoft acquired GitHub in June for $7.5 billion.
