SCA With Call Graph Evidence, Not Just Advisory Matching
Advisory-only SCA tools match your lockfile against the NVD and surface every CVE. Patchlynx does that and then runs a call graph trace: it follows the execution path from your entry points into your dependencies to determine whether the vulnerable function is actually reachable. Most aren't. You should only see the ones that are.
From lockfile diff to reachability verdict
Three stages executed on every PR. Total time: 8–30 seconds depending on codebase size and number of changed packages.
Stage 1: build the module and call graph

- Parse source files to abstract syntax tree
- Resolve import / require / export statements
- Build inter-module dependency map
- Identify function signatures and call sites
- Track barrel re-exports and proxy patterns

Stage 2: traverse from entry points

- Start traversal from configured entry points
- Follow all call sites recursively (inter-procedural)
- Resolve dynamic imports whose specifier is a static string literal
- Cross package boundaries into node_modules / vendor
- Mark dead code paths as non-reachable candidates

Stage 3: match advisories against the graph

- Map CVE IDs to affected function names via NVD + OSV.dev
- Query: does the affected function appear in the call graph?
- REACHABLE: surface finding with full call chain
- NOT REACHABLE: auto-dismiss with evidence summary
- Suggest minimum patch version that resolves the CVE
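The three stages above reduced to their core logic, as an added Python example (not Patchlynx code): a constructed call graph keyed `package:function`, a breadth-first walk from the entry points, and advisory matching that returns a REACHABLE verdict with the call chain or a NOT REACHABLE verdict with evidence. The graph, lockfile and advisory records are constructed sample data with placeholder CVE IDs; the `app:legacy_import` node is dead code that calls the vulnerable `yaml:load`, which is why that advisory is dismissed.

```python
from collections import deque

# Constructed sample call graph: "package:function" -> set of callees.
# "app" is first-party code; other prefixes are dependencies (node_modules/vendor).
CALL_GRAPH = {
    "app:main": {"app:render", "app:parse_config"},
    "app:render": {"tmpl:render", "tmpl:escape"},
    "app:parse_config": {"yaml:safe_load"},
    "app:legacy_import": {"yaml:load"},  # dead code: nothing calls it
    "tmpl:render": {"tmpl:compile"},
    "tmpl:compile": {"tmpl:escape"},
}  # leaf functions (no callees) are simply absent
ENTRY_POINTS = ["app:main"]
LOCKFILE = {"tmpl": "1.2.0", "yaml": "5.3.0"}  # constructed package -> version
# Constructed advisories (placeholder CVE IDs) already mapped to affected functions.
ADVISORIES = [
    {"id": "CVE-0000-0001", "package": "tmpl", "affected": ["tmpl:compile"], "fixed_in": "1.2.5"},
    {"id": "CVE-0000-0002", "package": "yaml", "affected": ["yaml:load"], "fixed_in": "5.4.0"},
]

def reachable_from(graph, entries):
    """Breadth-first walk over call sites; returns {callee: caller} for chain rebuilding."""
    parent = {e: None for e in entries}
    queue = deque(entries)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in parent:  # first visit wins, giving the shortest chain
                parent[callee] = fn
                queue.append(callee)
    return parent

def call_chain(parent, fn):
    # Rebuild entry point -> ... -> fn from the parent map.
    chain = []
    while fn is not None:
        chain.append(fn)
        fn = parent[fn]
    return chain[::-1]

def triage(advisories, lockfile, graph, entries):
    # One verdict per advisory whose package is installed (version-range matching omitted).
    parent = reachable_from(graph, entries)
    verdicts = []
    for adv in advisories:
        if adv["package"] not in lockfile:
            continue  # an advisory-only tool would surface everything that passes this check
        hits = [f for f in adv["affected"] if f in parent]
        if hits:
            verdicts.append({"id": adv["id"], "verdict": "REACHABLE",
                             "chain": call_chain(parent, hits[0]), "fix": adv["fixed_in"]})
        else:
            verdicts.append({"id": adv["id"], "verdict": "NOT REACHABLE",
                             "evidence": f"{adv['affected']} lies on no path from {entries}"})
    return verdicts
```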
Patchlynx vs. Advisory-Only SCA Tools
| Capability | Patchlynx | Advisory-Only SCA |
|---|---|---|
| Reachability analysis | Full call graph tracing | Not available |
| Advisories surfaced to developers | ~22% of advisories surface (rest dismissed as not reachable) | 100% of advisories surface |
| PR-level gates | Native PR checks | Typically repo-level only |
| Fix suggestion context | Call chain + patch version | Package version only |
| Developer workflow | Inline PR comments, no dashboard switch | Separate dashboard required |
| Analysis speed | 8–30 seconds per PR | Minutes to hours (batch scans) |
What's under the hood
Multi-Language Call Graph Analysis
JavaScript/TypeScript, Python, Go, Rust, and Java. Each language has purpose-built static analysis that understands its module system (CommonJS, ESM, Python import, Go modules, Cargo, Maven/Gradle) and its calling conventions, rather than a generic adapter layer.
Lockfile Diff Analysis
Only scans packages that changed in the PR. Full repo scans available on-demand but PR gates use diff-based analysis for sub-10-second turnaround.
Ignore Policies (Team)
Define team-level ignore policies for specific CVEs or package patterns with justification tracking. Audit-log every override decision.
Reachable Attack Surface Trends
Track your reachable CVE count over time across repositories. See which teams are actually reducing their exploitable attack surface — not just patching packages to clear compliance dashboards.
Auto-Dismiss Logic
Not-reachable verdicts are stored and auto-dismissed on future scans of the same package version. No repeated analysis of the same non-issue.
CLI + API
Run reachability analysis locally before pushing. Integrate with custom tooling via REST API. Full CI/CD automation without a dashboard dependency.
We analyze security. We don't store your code.
Patchlynx is a security tool that handles your codebase. We're not exempt from the scrutiny we ask you to apply to your own dependencies. Our architecture is documented in full on the security page.
Ephemeral Analysis
Analysis runs in isolated, ephemeral containers. Source code is deleted within 60 seconds of scan completion. We never retain your source code.
Metadata Only
Patchlynx stores only metadata: package names, versions, CVE IDs, and reachability verdicts. Your source code never persists in our systems.
Encrypted in Transit
All communication between your CI/CD environment and Patchlynx uses TLS 1.3. Webhook payloads are verified with HMAC-SHA256 signatures.
Built With SOC 2 Controls in Mind
Patchlynx is designed with SOC 2 Type II controls in mind from the start. Access controls, audit logging, and incident response processes are in place. We have not yet completed a formal audit — we will publish the report when complete.
See it on your actual codebase
5-minute setup. Connect a real repo and get your first reachability verdict on your next PR — not a synthetic demo.