Compare · software trust evidence

Dependency scanner vs OpenSoyce: the finding vs the decision around it

A dependency scanner tells you a package has a known vulnerability. OpenSoyce records what your team decided about that finding, so the call survives the next scan instead of disappearing into a thread.

| | Dependency scanner | OpenSoyce |
|---|---|---|
| What it produces | A fresh list of findings each run | A durable, signed evidence record |
| The human decision | Outside its scope; not captured | Recorded with owner, reason, and expiry |
| Re-run vs durable record | Re-flags the same finding every run | The decision persists; finding stays visible |
| Buyer can independently check | Internal output, not a portable artifact | Buyer checks the signature on the packet |
| Scope | The vulnerability in the dependency tree | The evidence plus the decision around it |

What dependency scanners do well

A dependency scanner is genuinely good at one thing: walking your dependency tree on every run and re-flagging each known vulnerability against the current advisory feed. It stays current as new CVEs land, catches regressions when a downgrade reintroduces a flaw, and gives engineers a fast, repeatable read of where the exposure is. That repeated re-check is exactly what you want from the detection layer.

Where the scope stops

The scope ends at the finding. A scanner re-flags the same vulnerability every run because it only sees the vulnerability, never the human call you made about it, so an accepted risk looks identical to an ignored one. It produces a fresh output rather than a durable record, and it does not carry who reviewed a finding, why they accepted it, or when that acceptance expires.

What OpenSoyce adds

OpenSoyce sits on top of the scan, not in place of it. It observes the same dependency, CI, and package evidence and binds each item to its source, then records the human risk decision next to the finding: an owner, a business justification, and a mandatory expiry, with the original finding still visible the whole time. It assembles that into a signed evidence packet and a buyer-readable dossier, and surfaces contradictions between sources as review signals rather than burying them. The signature attests integrity and origin so a buyer can independently check the record, and the same evidence flows out through a JSON export and signed webhook events.
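As an added illustration, not OpenSoyce's own code or packet format, the sketch below shows the shape of the mechanism described above: a decision record carrying owner, justification and a mandatory expiry, bound to the scanner's finding, signed so a buyer can check integrity and origin, with an expiry check that lapses without ever removing the finding. The field names, the Ed25519 signature and the JSON encoding are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Decision is a constructed record shape; the page gives no packet schema, so these
// field names are assumptions for illustration only.
type Decision struct {
	FindingID     string    `json:"finding_id"` // the scanner's finding, kept visible
	Status        string    `json:"status"`     // e.g. "accepted"
	Owner         string    `json:"owner"`
	Justification string    `json:"justification"`
	Expires       time.Time `json:"expires"` // mandatory expiry
}

// Packet carries the decision plus an Ed25519 signature over its JSON encoding.
type Packet struct {
	Decision  Decision `json:"decision"`
	Signature []byte   `json:"signature"`
}

// Sign refuses a record without an expiry, then signs the canonical encoding.
func Sign(priv ed25519.PrivateKey, d Decision) (Packet, error) {
	if d.Expires.IsZero() {
		return Packet{}, fmt.Errorf("expiry is mandatory")
	}
	msg, err := json.Marshal(d) // struct field order keeps the encoding stable
	if err != nil {
		return Packet{}, err
	}
	return Packet{Decision: d, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify is the buyer-side check: a valid signature proves the record is unmodified
// and came from the key holder; it says nothing about whether the finding is safe.
func Verify(pub ed25519.PublicKey, p Packet) bool {
	msg, err := json.Marshal(p.Decision)
	return err == nil && ed25519.Verify(pub, msg, p.Signature)
}

// Holds reports whether the acceptance is still in force at now; after expiry the
// finding needs a fresh review, and the decision never removes the finding itself.
func Holds(p Packet, now time.Time) bool {
	return p.Decision.Status == "accepted" && now.Before(p.Decision.Expires)
}
```

A scanner re-running against this record would still list the finding; only the suppression decision is what the packet adds, and it carries its own shelf life.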

When to use which

Use both. Keep the dependency scanner as your detection layer; it re-checks the tree on every run and tells you what is exposed. Reach for OpenSoyce when someone asks who looked at a finding, why it was accepted, and whether that still holds, because OpenSoyce records that decision in a signed packet a buyer can read and check.

The boundary

OpenSoyce preserves and explains the evidence and the decision around it; it does not certify, verify, or approve anything, and a recorded acceptance does not resolve or remove the finding. A signature proves integrity and origin, not that a finding is safe, and your buyer's policy decides trust.