Skip to main content


What is LunaTrace

LunaTrace is an Open Source supply chain security and auditing tool. At its heart is a web console the tracks your projects and their dependencies, looking for vulnerabilities and other issues. This console is provided as a SAAS (available here and currently for free) or you can deploy it and manage it yourself.

How to use it

LunaTrace connects to GitHub repositories. It automatically scans PRs as well as the main branch.

It's free to get started with by adding our GitHub App to your GitHub repository (takes 1-2 minutes).

If you'd like to host it yourself, or just peek under the hood, you can view the Source Code on GitHub.

What languages are supported

Many languages are supported, however the most advanced features only support JavaScript at the moment.

Enhanced dependency tree information, false positive elimination, and static analysis are currently JavaScript-only in our analysis engine. You will see this when enhanced analysis is enabled:

enhanced analysis enabled

For other languages, LunaTrace is still able to list vulnerabilities at a level comparable to other vulnerability scanners.

What it outputs

LunaTrace shows detected vulnerabilities in your project's dependencies in a clean, fast interface. It automatically dismisses all the vulnerabilities that it can, based on situational information and our powerful analysis engine. You will see when a vulnerability is only in your dev dependencies, why the vulnerable package was included in the dependency tree, steps to patch, and other information you need to make a quick decision about the vulnerability.

a sample vuln

Vulnerable packages are shown with enhanced information about the dependency tree when available.

tree data display

LunaTrace also let's you know if a vulnerable package can be trivially updated to a non-vulnerable version.


It can also produce official reports like SBOMs which may be required by enterprise customers or government regulators. If using the GitHub integration, it can automatically comment detected issues directly on your Pull Requests.

How to add it to your workflow

By installing the GitHub application your projects can automatically be scanned during pull requests and during commits to the main branch. LunaTrace can comment directly on pull requests if any issues are found. The web app will walk you through this process. It takes about a minute to get up and running. Don't hesitate to give it a try.


Lunatrace is built on an open source foundation, and we are rapidly adding features to make LunaTrace a complete supply chain control center. Features such as:

  • Much better false-positive elimination / quieter reports. Read our blog post about this.
  • Enhanced support for more languages. Python is probably the next language we will build tree-analysis for.
  • VEX in addition to SBOM support
  • License Checking
  • Live Instance Tracking

are right around the corner.