Frequently Asked Questions (FAQ)

Browse our FAQ section for detailed answers to common questions about using Debricked.

Is Debricked’s service on prem or SaaS?

Currently we are only offering a SaaS solution.

What type of scanning does Debricked do?

At Debricked, we use manifest-based scanning, which effectively identifies security issues and supports a wide range of file formats. Binary scanning is sometimes touted as better because it provides fewer false positives, but it can miss security flaws, supply chain attacks, and licensing problems. Binary scanning does not include test and build dependencies, which can still pose a risk, unlike manifest-based scanning.

Manifest-based scanning identifies components from your dependency files, while binary scanning fingerprints and scans compiled binary files. Binary scanning can be useful when there is no source code or package manager for installing dependencies, but it does not include development and test dependencies, which can pose a significant risk. Manifest-based scanning is more precise in identifying vulnerabilities and compliance issues and is better suited to the developer workflow. For vendor code and C/C++ scanning, Debricked can scan an SBOM if the vendor provides one.

Ultimately, the choice between manifest and binary scanning comes down to your workflow and goals. At Debricked, we prioritize automation and tools that help developers identify and fix problems quickly and accurately, which is why we focus on manifest scanning.

How accurate is the service in finding a vulnerability?

Our service will detect any open source vulnerability in your repository that has been published by sources including (but not limited to): the NVD database, NPM, C# announcements, FriendsOfPHP’s security advisories, the Go Vulnerability Database, the PyPA Python Advisory Database, GitHub Issues, GitHub Security Advisories, mailing lists and more. Those sources are updated every 15 minutes to ensure that as many vulnerabilities as possible are found.

Debricked has found a wrong dependency. What should I do?

If you believe Debricked has found a wrong dependency and you'd like to change the match, it is possible to manage and override your dependency matches using our CLI.

What is meant by “increased computation” for Enterprise customers?

For our Enterprise customers, we increase the amount of available workers to allow for scanning more files in parallel, which can greatly increase scan speed.

To what extent can Root Fixes break the code?

In short, to no greater extent than manually updating dependencies. There's always a risk of breaking changes when updating dependencies, and how big that risk is varies from update to update. The risk is not inherently larger with root fixes than with indirect fixes; what we can guarantee is that we won't break the dependency tree by introducing a dependency version that is not compatible with upstream dependencies.
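To make the guarantee above concrete, here is an added example (not Debricked's own code) that models a root fix as a constraint problem: a direct dependency is upgraded only to a version whose tree still satisfies every upstream constraint and no longer resolves to the vulnerable indirect version. The package names, versions, constraints and the advisory range are constructed.

```python
# Added example, not Debricked's code: a toy model of a "root fix", i.e. upgrading a
# direct dependency so the tree resolves to a non-vulnerable indirect dependency
# without violating any upstream constraint. All names and versions are constructed.
import operator as op
import re

OPS = {">=": op.ge, "<=": op.le, ">": op.gt, "<": op.lt, "==": op.eq}
def parse_ver(v):
    return tuple(int(x) for x in v.split("."))
def satisfies(version, constraint):
    """constraint: comma-separated clauses such as '>=1.1.0,<2.0.0'."""
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<|==)\s*([\d.]+)\s*", clause)
        if not m or not OPS[m[1]](parse_ver(version), parse_ver(m[2])):
            return False
    return True

# Constructed registry: package -> version -> {dependency: constraint}.
REGISTRY = {
    "web-framework": {"1.0.0": {"parser-lib": "==1.1.0"},
                      "1.1.0": {"parser-lib": ">=1.1.0,<2.0.0"},
                      "2.0.0": {"parser-lib": ">=2.0.0"}},
    "plugin": {"1.0.0": {"parser-lib": "<2.0.0"}},
    "parser-lib": {"1.0.0": {}, "1.1.0": {}, "1.1.5": {}, "2.0.0": {}},
}
VULN = {"parser-lib": "<1.1.5"}  # constructed advisory: fixed in 1.1.5

def resolve(direct):
    """Resolve {package: version} to {indirect: version}, or None on a conflict."""
    wanted = {}
    for pkg, ver in direct.items():
        for dep, cons in REGISTRY[pkg][ver].items():
            wanted.setdefault(dep, []).append(cons)
    resolved = {}
    for dep, cons_list in wanted.items():
        ok = [v for v in REGISTRY[dep] if all(satisfies(v, c) for c in cons_list)]
        if not ok:
            return None  # no version satisfies all upstream constraints
        resolved[dep] = max(ok, key=parse_ver)  # highest version every requirer accepts
    return resolved

def find_root_fix(direct, root):
    """Lowest upgrade of `root` whose tree resolves with no vulnerable indirect dep."""
    for cand in sorted(REGISTRY[root], key=parse_ver):
        if parse_ver(cand) < parse_ver(direct[root]):
            continue  # only consider upgrades of the current version
        tree = resolve({**direct, root: cand})
        if tree is not None and not any(satisfies(v, VULN.get(p, "<0")) for p, v in tree.items()):
            return cand
    return None
```

With the constructed data, web-framework 1.0.0 pins the vulnerable parser-lib 1.1.0, 2.0.0 conflicts with plugin's upstream constraint, and 1.1.0 is the root fix that keeps the tree consistent.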

How long do I need to wait to request a second password reset?

You need to wait one hour before requesting a second password reset.

Is there a way to restrict what repositories certain users can see?

Yes, this can be done with the use of Role Based Access Control, our Enterprise feature which allows you to grant and enforce access to functionalities and integrated repositories by assigning pre-defined roles to users.

Is it possible to extract a pie chart or other visualization of the identified licenses and dependencies?

You can do a license export, which contains both licenses and dependencies. This output is delivered in Excel format, from which you can create the pie chart. Alternatively, our API can help you solve this.

What do we classify as a “scan”?

We do a scan every time a developer commits code, regardless of the size.

Does Debricked run on PC or does it upload to your servers?

There are a few different ways you can run our service: one way is to upload your dependency files manually, but typically you would run it in your test pipelines, for example via integration with GitHub, GitLab etc.

How do you distinguish between frequent and sporadic contributors?

We look at averages and prune the committers monthly. We realize that most businesses have some amount of "non-developer" committers. These could be bots, students joining for just a short period of time, etc. Because of this we talk to our customers about what the actual number of contributing developers is and enter that into the contract.

What practices does Debricked take to prevent and detect vulnerabilities?

To prevent and detect vulnerabilities, we:

  • use our own service to find known vulnerabilities in our dependencies

  • conduct third-party penetration tests

  • continuously run our own penetration tests internally

  • have a vulnerability disclosure program that allows bug bounty hunters to report security issues to us. For interesting findings we provide monetary rewards.

Where is Debricked’s data stored?

Customer data is stored on GCP (Google Cloud Platform) in the Netherlands.

Where is Debricked’s office located?

Our headquarters is located at: Minc, Anckargripsgatan 3, Malmö, Skåne 211 19, Sweden.
