Introduction
What is LunaTrace
LunaTrace is an open source supply chain security and auditing tool. At its heart is a web console that tracks your projects and their dependencies, looking for vulnerabilities and other issues. This console is provided as a SaaS (available here and currently free), or you can deploy and manage it yourself.
How to use it
LunaTrace connects to GitHub repositories. It automatically scans PRs as well as the main branch.
It's free to get started with by adding our GitHub App to your GitHub repository (takes 1-2 minutes).
If you'd like to host it yourself, or just peek under the hood, you can view the Source Code on GitHub.
What languages are supported
Many languages are supported; however, the most advanced features currently support only JavaScript.
Enhanced dependency tree information, false positive elimination, and static analysis are currently JavaScript-only in our analysis engine. The console indicates this when enhanced analysis is enabled:
For other languages, LunaTrace is still able to list vulnerabilities at a level comparable to other vulnerability scanners.
What it outputs
LunaTrace shows detected vulnerabilities in your project's dependencies in a clean, fast interface. It automatically dismisses all the vulnerabilities that it can, based on situational information and our powerful analysis engine.
You will see when a vulnerability is only in your dev dependencies, why the vulnerable package was included in the dependency tree, steps to patch, and other information you need to make a quick decision about the vulnerability.
Vulnerable packages are shown with enhanced information about the dependency tree when available.
LunaTrace also lets you know if a vulnerable package can be trivially updated to a non-vulnerable version.
It can also produce official reports like SBOMs which may be required by enterprise customers or government regulators. If using the GitHub integration, it can automatically comment detected issues directly on your Pull Requests.
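The three triage questions described above (is the package only a dev dependency, how did it get into the tree, and does the fix fit the declared range) as an added illustration in plain Node.js. This is not LunaTrace's engine or code; the package-lock.json v3 fragment, the advisories, and the caret-only range check are assumptions constructed for the example.

```javascript
// Constructed package-lock.json (v3-style "packages" map); not a real project.
const lock = { packages: {
  "": { dependencies: { "web-lib": "^1.0.0" }, devDependencies: { "test-runner": "^2.0.0" } },
  "node_modules/web-lib": { version: "1.0.0", dependencies: { "parser-x": "^3.1.0" } },
  "node_modules/parser-x": { version: "3.1.2" },
  "node_modules/test-runner": { version: "2.0.0", dev: true, dependencies: { "mock-y": "^0.4.0" } },
  "node_modules/mock-y": { version: "0.4.1", dev: true },
} };
// Constructed advisories: vulnerable package and the first fixed version.
const advisories = [
  { name: "parser-x", fixed: "3.2.0" }, // fix inside ^3.1.0: trivial update
  { name: "mock-y", fixed: "1.0.0" },   // fix outside ^0.4.0: a parent must change its range
];
const parse = (v) => v.split(".").map(Number);
// Minimal caret check: ^a.b.c allows >= a.b.c and below the next major
// (next minor when major is 0). Other npm range syntax is not handled here.
function caretSatisfies(range, version) {
  if (!range.startsWith("^")) return range === version;
  const [a, b, c] = parse(range.slice(1));
  const [x, y, z] = parse(version);
  const atLeast = x > a || (x === a && (y > b || (y === b && z >= c)));
  const belowCeiling = a > 0 ? x === a : x === 0 && y === b;
  return atLeast && belowCeiling;
}
// Every root-to-target path through the lockfile graph, keeping the range the
// last parent declares on the target. Nested node_modules dirs are ignored.
function findPaths(lock, target) {
  const paths = [];
  const walk = (key, path) => {
    const node = lock.packages[key]; if (!node) return;
    const edges = { ...(node.dependencies || {}), ...(key === "" ? node.devDependencies || {} : {}) };
    for (const [name, range] of Object.entries(edges)) {
      if (path.includes(name)) continue; // cycle guard
      const next = [...path, name];
      if (name === target) paths.push({ path: next, range });
      else walk("node_modules/" + name, next);
    }
  };
  walk("", []);
  return paths;
}
// devOnly: no path enters through a production dependency; trivialUpdate: the
// fixed version satisfies every range a parent declares on the vulnerable package.
function triage(lock, advisory) {
  const paths = findPaths(lock, advisory.name);
  const prod = lock.packages[""].dependencies || {};
  const all = (f) => paths.length > 0 && paths.every(f);
  return { name: advisory.name, via: paths.map((p) => p.path.join(" > ")),
    devOnly: all((p) => !(p.path[0] in prod)),
    trivialUpdate: all((p) => caretSatisfies(p.range, advisory.fixed)) };
}
console.log(advisories.map((a) => triage(lock, a)));
```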
How to add it to your workflow
By installing the GitHub application your projects can automatically be scanned during pull requests and during commits to the main branch. LunaTrace can comment directly on pull requests if any issues are found. The web app will walk you through this process. It takes about a minute to get up and running. Don't hesitate to give it a try.
Roadmap
LunaTrace is built on an open source foundation, and we are rapidly adding features to make LunaTrace a complete supply chain control center. Features such as:
- Much better false-positive elimination / quieter reports. Read our blog post about this.
- Enhanced support for more languages. Python is probably the next language we will build tree-analysis for.
- VEX in addition to SBOM support
- License Checking
- Live Instance Tracking
are right around the corner.