Pipeline Analysis
From PR Open to Security Verdict in Seconds
Patchlynx runs as a native CI/CD check. Every pull request triggers the full reachability pipeline: lockfile diff extraction, full dependency tree construction, inter-procedural call graph tracing, CVE intersection. Average time to verdict: 8.4 seconds.
Pipeline Architecture
7 stages. Every PR. Automatic.
What Patchlynx Reads
What goes in, how it's processed, what comes out
Lockfiles We Parse
- package-lock.json (npm)
- yarn.lock (Yarn v1/v2)
- pnpm-lock.yaml (pnpm)
- Pipfile.lock (Python)
- requirements.txt (pip)
- go.sum (Go modules)
- Cargo.lock (Rust)
- pom.xml / build.gradle (Java)
What We Trace
- Function calls across modules
- Import/require resolution
- Re-exports and proxy patterns
- Dynamic import (best-effort)
- Callback and event patterns
- Entry points you configure
- Production code paths only
What We Report
- Severity + CVSS score
- Reachability verdict
- Full call chain evidence
- Patch version suggestion
- Auto-dismissal reasoning
- Fix PR auto-creation (Pro)
Language Support
Language support — generally available and on roadmap
- JavaScript / TypeScript: Generally available
- Python: Generally available
- Go: Generally available
- Rust: Generally available
- Java: Generally available
- Ruby: On roadmap
- C#: On roadmap
Ready to see your actual reachable CVE count?
Connect your first repo in under 5 minutes. Free plan, no credit card required.