Novel Google API for open-source flaw detection unveiled

SiliconAngle reports that Google has introduced the new deps.dev API, which lets tools query the deps.dev dataset for vulnerabilities and other issues in open-source packages. According to Google, the API makes it easier for developers to consume the deps.dev data and to build plugins that integrate it. Security teams can call the deps.dev API from continuous integration and continuous delivery pipelines to automate security checks, and the API's resolved dependency graph shows the dependencies a package would actually pull in, rather than only what its manifest declares. Google also noted that the API now supports querying by file hash, which helps teams detect supply chain tampering by checking whether an artifact they hold matches a known published version. "This gives a real set of dependencies similar to what you would get by actually installing the package, which is useful when a package changes but the developer doesn't update the lock file. With the deps.dev API, tools can assess, monitor, or visualize expected (or unexpected!) dependencies," said Google Senior Software Engineer Jesper Sarnesjo and Product Manager Nicky Ringland.
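The two capabilities described above, hash lookup of an artifact and comparison of a resolved dependency graph against a lock file, are illustrated by the following added example. It is not code from the article or from Google's deps.dev project. It assumes the deps.dev v3 REST paths `/v3/query?hash.type=SHA256&hash.value=<base64>` and `/v3/systems/{system}/packages/{name}/versions/{version}:dependencies`, and a response shaped as `{"nodes": [{"versionKey": {...}, "relation": ...}]}`; those paths and that shape are assumptions, and the sample response and lock file are constructed so the script runs offline.

```python
"""
Added example (not from the article or from the deps.dev project).

1. Hash a downloaded package artifact and build the deps.dev hash-lookup URL,
   so a CI job can ask "is this exact file a known published version?".
2. Flatten the resolved dependency graph deps.dev returns for a package version
   and diff it against the versions pinned in the project's lock file, flagging
   dependencies that resolution needs but the lock file does not pin (and vice versa).

ASSUMPTIONS (not confirmed by the article): the base URL, the two REST paths,
the base64 text form of the hash value, and the response field names below.
"""
import base64
import hashlib
import json
import urllib.parse
import urllib.request

DEPS_DEV = "https://api.deps.dev"  # assumed base URL


def sha256_b64(data: bytes) -> str:
    """Base64 text of SHA-256(data), the hash.value form this example assumes deps.dev expects."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def hash_query_url(data: bytes) -> str:
    """Build the (assumed) deps.dev hash-lookup URL for an artifact's raw bytes."""
    params = urllib.parse.urlencode({"hash.type": "SHA256", "hash.value": sha256_b64(data)})
    return f"{DEPS_DEV}/v3/query?{params}"


def dependencies_url(system: str, name: str, version: str) -> str:
    """Build the (assumed) deps.dev resolved-dependency-graph URL for one package version."""
    q = urllib.parse.quote
    return (f"{DEPS_DEV}/v3/systems/{q(system)}/packages/{q(name, safe='')}"
            f"/versions/{q(version)}:dependencies")


def fetch_json(url: str) -> dict:
    """Live HTTP fetch. The offline demo below substitutes a constructed response instead."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def resolved_set(graph: dict) -> set:
    """Flatten a dependency graph into {(name, version)}, skipping the package's own SELF node."""
    out = set()
    for node in graph.get("nodes", []):
        if node.get("relation") == "SELF":
            continue
        vk = node["versionKey"]
        out.add((vk["name"], vk["version"]))
    return out


def lockfile_set(lock: dict) -> set:
    """{(name, version)} from a minimal package-lock style mapping (constructed format)."""
    return {(name, entry["version"]) for name, entry in lock["packages"].items()}


def diff_graph(lock: dict, graph: dict) -> dict:
    """Compare what deps.dev resolves against what the lock file pins."""
    resolved = resolved_set(graph)
    pinned = lockfile_set(lock)
    return {
        # resolution pulls these in, but the lock file never pinned them: review them
        "unexpected": sorted(resolved - pinned),
        # the lock file pins these, but current resolution no longer needs them: stale pins
        "stale": sorted(pinned - resolved),
    }


# Constructed sample data: a response in the assumed shape, and a tiny lock file.
SAMPLE_GRAPH = {
    "nodes": [
        {"versionKey": {"system": "NPM", "name": "demo-app", "version": "1.0.0"}, "relation": "SELF"},
        {"versionKey": {"system": "NPM", "name": "demo-http", "version": "2.1.0"}, "relation": "DIRECT"},
        {"versionKey": {"system": "NPM", "name": "demo-parser", "version": "0.9.2"}, "relation": "INDIRECT"},
    ]
}
SAMPLE_LOCK = {"packages": {"demo-http": {"version": "2.1.0"}, "demo-legacy": {"version": "1.0.0"}}}


def run_offline_demo() -> dict:
    """Run the diff on the constructed data (no network); a CI job would call fetch_json instead."""
    report = diff_graph(SAMPLE_LOCK, SAMPLE_GRAPH)
    print("lookup URL for a constructed artifact:", hash_query_url(b"constructed-artifact-bytes"))
    print("graph URL:", dependencies_url("npm", "demo-app", "1.0.0"))
    print("unexpected:", report["unexpected"])
    print("stale pins:", report["stale"])
    return report


if __name__ == "__main__":
    run_offline_demo()
```

In a pipeline, the `unexpected` list is the one to gate on: a dependency that deps.dev resolves but the lock file does not pin is exactly the "package changes but the developer doesn't update the lock file" case the quote describes.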
