Most of the software your team ships isn't actually written by your team. It's pulled in from public packages, base images, and build tools you trust by default — and any one of them can quietly carry an attacker into your environment.
We help you see what's coming in with the code. We check the third-party pieces your build depends on, the container images you ship, the credentials that might be sitting in places they shouldn't — and we surface only the ones that could realistically hurt you, not the noise.
Just your domain and your work email. We'll handle the rest.
What it does
npm, PyPI, Maven, Cargo, Go modules, Composer, Hex, NuGet. We don't just enumerate vulnerable transitive dependencies — we validate which ones are actually reachable from your application's code paths, the way Vulnerability Validation handles scanner output. The noise stops at the dependency tree.
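To make the reachability idea concrete, here is an added example (not the product's code, and not from the original page) that does the same triage on a constructed call graph: a scanner flags two functions in third-party packages, and a breadth-first search from the application's entry point keeps only the one an actual call path can reach, recording that path as the evidence. All package, function and advisory names are invented placeholders.

```python
from collections import deque

# Constructed call graph: caller -> callees, spanning the application and the
# third-party packages it depends on. A real tool would build this from the
# application's import and call analysis; every name here is invented.
CALL_GRAPH = {
    "app.main": ["webfw.handle_request", "reporting.build_report"],
    "webfw.handle_request": ["httpclient.get", "templating.render"],
    "httpclient.get": ["urlparser.parse"],
    "urlparser.parse": [],
    "templating.render": [],
    "reporting.build_report": ["pdflib.render_pdf"],
    "pdflib.render_pdf": [],
    # pdflib ships this function too, but nothing in the app ever calls it.
    "pdflib.decode_image": ["imagecodec.decode"],
    "imagecodec.decode": [],
}

# Constructed advisory data: the functions a dependency scanner would flag.
# The advisory ids are placeholders, not real identifiers.
VULNERABLE_FUNCTIONS = {
    "urlparser.parse": "ADVISORY-PLACEHOLDER-1",
    "imagecodec.decode": "ADVISORY-PLACEHOLDER-2",
}


def shortest_call_path(graph, start, target):
    """Return the shortest caller->callee path from start to target, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def triage_vulnerabilities(graph, vulnerable, entry_points):
    """For every flagged function, record the call path that reaches it (the
    evidence a finding needs) or None when no entry point can reach it."""
    result = {}
    for func, advisory in vulnerable.items():
        path = None
        for entry in entry_points:
            path = shortest_call_path(graph, entry, func)
            if path:
                break
        result[func] = {"advisory": advisory, "reachable": path is not None, "path": path}
    return result


if __name__ == "__main__":
    triage = triage_vulnerabilities(CALL_GRAPH, VULNERABLE_FUNCTIONS, ["app.main"])
    for func, info in triage.items():
        status = " -> ".join(info["path"]) if info["reachable"] else "not reachable from any entry point"
        print(f"{info['advisory']} in {func}: {status}")
```

Run as-is, the first advisory is kept with the four-step path from `app.main` that reaches it, and the second is dropped because the vulnerable decoder is only called from a function the application never uses. The path is what gets attached to the finding, so a reviewer can check it rather than trust the verdict.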
Base-image provenance. Layer-by-layer composition. Embedded secrets and tokens. We scan every image you ship and every base image you depend on, surface the unverified layers, and validate the exploitability of each finding against the running container's reachable surface.
Did your team install requestss when they meant requests? Did your private internal package collide with a public namespace registration? We surface typosquats and namespace-confusion risks across every package ecosystem your build touches.
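As an added illustration of the two checks just described (example code written for this page, not the product's own), the script below reads constructed requirements.txt lines, normalises each name the way PyPI does (PEP 503), flags names within one edit or transposition of a known public package as possible typosquats, and flags an internal package whose name is also registered publicly as a namespace-confusion risk. The popular-package list, the internal package names, the private index URL and the set of public registrations are all constructed placeholders; a real check would use a large download-ranked list and query the public index for each internal name.

```python
import re

# Constructed allowlist: a few widely used PyPI names. A real check would use
# a much larger list, e.g. the most-downloaded packages on the index.
POPULAR_PUBLIC = {"requests", "urllib3", "numpy", "pyyaml", "cryptography", "boto3"}

# Constructed: names your organisation publishes only to its private index.
INTERNAL = {"acme-billing", "acme-auth"}

# Constructed: names that, for this example, are registered on the public
# index. A real check would query the public index for each INTERNAL name.
PUBLIC_REGISTRATIONS = POPULAR_PUBLIC | {"acme-auth"}


def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of -, _ and . collapse to -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent transposition, which catches 'reqeusts' as well as 'requestss'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_requirements(lines, max_distance=1):
    """Return (declared_name, kind, related_name) for every suspicious line."""
    findings = []
    for raw in lines:
        spec = raw.split("#", 1)[0].strip()
        if not spec or spec.startswith("-"):
            continue  # blank, comment-only, or an option such as --index-url
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", spec)
        if not m:
            continue
        name = normalize(m.group(0))
        if name in POPULAR_PUBLIC:
            continue  # exact match with a known public package
        if name in INTERNAL:
            # Namespace confusion: a private name that also resolves publicly
            # can be satisfied by the public copy if index precedence is loose.
            if name in PUBLIC_REGISTRATIONS:
                findings.append((name, "namespace-confusion", name))
            continue
        for known in sorted(POPULAR_PUBLIC):
            if osa_distance(name, known) <= max_distance:
                findings.append((name, "possible-typosquat", known))
                break
    return findings


SAMPLE_REQUIREMENTS = [  # constructed requirements.txt content
    "--index-url https://pypi.example.internal/simple  # placeholder private index",
    "requestss==2.31.0",
    "urlib3>=1.26",
    "numpy",
    "pyyaml  # config parsing",
    "acme-billing==1.4.0",
    "acme-auth==0.9",
]

if __name__ == "__main__":
    for name, kind, related in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"{kind}: {name} (see {related})")
```

On the sample input this reports `requestss` and `urlib3` as possible typosquats of `requests` and `urllib3`, leaves `acme-billing` alone because it exists only privately, and flags `acme-auth` because the same name is registered publicly. Keep `max_distance` at 1 for anything automated; at 2 the false-positive rate on short names climbs quickly.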
The runner image, the action versions, the secret-scope policies, the deploy keys. Every CI/CD step is a privileged execution context, and modern supply-chain breaches happen here. We validate that your pipeline's privileged surfaces aren't reachable from a malicious dependency or PR.
Are the artifacts that flow into your build actually signed by the publishers you expect? Are the signatures verified at install time? Sigstore (cosign, Rekor, Fulcio) and SLSA-level verification are first-class citizens of the audit — we surface the gaps where signature verification is missing or skipped.
Hardcoded credentials in repos, leaked tokens in container images, secrets in CI logs, and tokens that were force-pushed off a branch but live on forever in Git history. The Proof Capsule for a leaked credential includes the exact location, the exposure window, and the rotation guidance.
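The "exposure window" point is easiest to see in code. Below is an added example (written for this page, not the product's own scanner) that walks a constructed commit history oldest to newest, keeps the tree state as it goes, and for each matched token records the commit that introduced it, the last commit that still contained it, and whether HEAD still has it. Both secrets in the sample are removed before HEAD, which is exactly the case a scan of the working tree misses. The AWS key is the placeholder from AWS's own documentation, the GitHub token and the commit ids are made up, and the two patterns stand in for the much larger set a real scanner carries.

```python
import re

# Detection patterns for two well-known token formats. Constructed for the
# example; a production scanner carries many more, plus entropy heuristics.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Constructed commit history, oldest first. Each commit lists the full content
# of the files it changed. The AWS key is the placeholder from AWS's own
# documentation and the GitHub token is made up; neither is a live credential.
HISTORY = [
    {"sha": "a1b2c3d", "date": "2024-01-10", "files": {
        "config.py": ["AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'", "REGION = 'eu-west-1'"]}},
    {"sha": "b2c3d4e", "date": "2024-01-12", "files": {
        "config.py": ["import os", "AWS_KEY = os.environ['AWS_KEY']", "REGION = 'eu-west-1'"],
        ".github/workflows/ci.yml": ["env:", "  GH_TOKEN: ghp_0123456789abcdefghijklmnopqrstuvwxyz"]}},
    {"sha": "c3d4e5f", "date": "2024-02-01", "files": {
        ".github/workflows/ci.yml": ["env:", "  GH_TOKEN: ${{ secrets.GH_TOKEN }}"]}},
]


def mask(secret):
    """Keep the prefix and suffix so a finding is identifiable without
    copying the whole credential into a report."""
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_history(history):
    """Walk commits oldest->newest, replaying the tree state, and record for
    each secret the commit that introduced it, the last commit still holding
    it, and whether HEAD still contains it."""
    tree = {}      # path -> current file lines
    findings = {}  # (kind, path, secret) -> finding dict
    for commit in history:
        tree.update(commit["files"])
        for path, lines in tree.items():
            for lineno, line in enumerate(lines, 1):
                for kind, pattern in PATTERNS.items():
                    for secret in pattern.findall(line):
                        key = (kind, path, secret)
                        f = findings.setdefault(key, {
                            "kind": kind, "path": path, "line": lineno,
                            "masked": mask(secret),
                            "introduced": commit["sha"], "introduced_on": commit["date"],
                        })
                        f["last_seen"] = commit["sha"]
                        f["last_seen_on"] = commit["date"]
    head = history[-1]["sha"]
    for f in findings.values():
        f["in_head"] = f["last_seen"] == head
    return list(findings.values())


if __name__ == "__main__":
    for f in scan_history(HISTORY):
        where = "still in HEAD" if f["in_head"] else "removed from HEAD, still in history"
        print(f"{f['kind']} {f['masked']} at {f['path']}:{f['line']} "
              f"({f['introduced']} .. {f['last_seen']}, {where})")
```

Both findings come back with `in_head` false: deleting the line in a later commit (or rewriting the branch) changes nothing about the clones, forks and CI caches that already fetched the earlier commit, which is why the only remediation that closes the window is rotating the credential.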
What you get
Find. Prove. Fix. Verify. — applied to supply chain
Find. Dependencies, container images, CI/CD runners, build secrets. The full supply chain mapped as a graph.
Prove. Reachability analysis from your application's entry points down to the vulnerable dependency. Capsule replays the path.
Fix. Pin the vulnerable transitive. Replace the typosquatted import. Sign the artifact with cosign. Rotate the leaked token.
Verify. Next CI run, the same audit re-runs and confirms the dependency is gone, the signature is valid, the secret is rotated.
Where it fits in CTEM
Supply chain is the surface most recently added to scope by mature security programs — and the one most often missed by traditional vulnerability management. CTEM's Scoping stage is where you decide what's in; Discovery is where you map what's actually there. The validation hand-off ties supply-chain findings into the same Proof Capsule format as everything else, so triage doesn't fragment.
Start where it costs you nothing
Drop your domain. We'll quietly look at your external footprint and send a short, plain-language report — with at least one real finding your team can verify themselves. No sales pressure. No surprise calls.