Find abandoned dependencies before they become vulnerabilities. Then remove them — in the right order.
uzomuzo does two things SCA tools can't:

- `uzomuzo scan` detects unmaintained packages that SCA tools miss (no CVE, but no one is watching either).
- `uzomuzo diet` ranks every dependency by removability (graph impact, source coupling, and health risk), so you know which to cut first.

```shell
./uzomuzo scan pkg:npm/inflight@1.0.6
```

inflight has 556K dependents, yet its repository is archived and npm has deprecated it. uzomuzo detects this as EOL-Confirmed in seconds.
Standard SCA tools (Trivy, Syft, Snyk) excel at flagging known CVEs. But they cannot answer: is this package still maintained?
A package with zero CVEs today may have been abandoned for years — no one is watching for new vulnerabilities, no one will patch them, and no one will respond to security reports. These are precisely the targets of supply chain attacks (xz-utils 2024, event-stream 2018).
--- Summary Table ---
STATUS PURL LIFECYCLE BUILD
🔴 replace pkg:npm/dicer@0.3.1 EOL-Effective —
── Summary ─────────────────────────────────────────────────
│ 1 dependencies | ✅ 0 ok | ⚠️ 0 caution | 🔴 1 replace | 🔍 0 review
└───────────────────────────────────────────────────────────
--- Detailed Report ---
--- PURL 1 ---
── pkg:npm/dicer@0.3.1 ─────────────────────────────────────
│ A very fast streaming multipart parser for node.js
│ 🔴 EOL-Effective: Unmaintained, unpatched vulnerabilities
├─ Signals ─────────────────────────────────────────────────
│ Last Human Commit: 2023-07-15
│ Maintained Score: 0/10
│ Advisories: 1
│ Max Advisory Severity: HIGH 7.5
├─ Health ──────────────────────────────────────────────────
│ 188 stars
│ Used by: 1271 packages
│ Depends on: 1 direct, 0 transitive
│ Scorecard Overall: 2.8/10 Maintained: 0.0/10
│ Last Commit: 2023-07-15
├─ Releases ────────────────────────────────────────────────
│ Stable: 0.3.1 (2021-12-19) ⚠️ 1 advisory
│ HIGH (7.5) GHSA-wm7h-9275-46v2
│ → https://deps.dev/npm/dicer/0.3.1
├─ Links ───────────────────────────────────────────────────
│ Repository: https://github.com/mscdex/dicer
│ Registry: https://www.npmjs.com/package/dicer
│ deps.dev: https://deps.dev/npm/dicer
└───────────────────────────────────────────────────────────
No official deprecation, no archived repository, yet dicer carries an unpatched denial-of-service (crash) advisory, GHSA-wm7h-9275-46v2 (CVSS 7.5, HIGH), and has had zero human commits in over two years. SCA tools report "1 CVE" and move on. uzomuzo recognizes the combination of an unpatched HIGH/CRITICAL advisory and absent maintenance as effectively end-of-life. dicer sits beneath widely used Express middleware (multer depends on busboy, whose pre-1.0 releases depend on dicer), so a large number of applications silently depend on abandoned code.
```shell
trivy image --format cyclonedx bkimminich/juice-shop:v14.5.1 \
| ./uzomuzo scan --sbom - --fail-on eol-confirmed,eol-effective
```

```
🏷️ LABEL SUMMARY (1,540 evaluated packages):
🟢 Active: 630 (40.9%)
🔵 Legacy-Safe: 556 (36.1%)
⚪ Stalled: 263 (17.1%)
🔴 EOL-Confirmed: 88 (5.7%)
🛑 EOL-Effective: 3 (0.2%)
```

59% of dependencies (every label other than Active) have lifecycle concerns invisible to SCA tools. See the full scan result (EOL-Confirmed and EOL-Effective packages only; filtered with `--show-only replace`).
Download the latest release from GitHub Releases.
```shell
go install github.com/future-architect/uzomuzo-oss/cmd/uzomuzo@latest
# Optional: install diet command for dependency removability analysis
go install github.com/future-architect/uzomuzo-oss/cmd/uzomuzo-diet@latest
```

Or build from source:

```shell
git clone https://github.com/future-architect/uzomuzo-oss.git
cd uzomuzo-oss
go build -o uzomuzo ./cmd/uzomuzo
CGO_ENABLED=1 go build -o uzomuzo-diet ./cmd/uzomuzo-diet # requires a C compiler
```

```shell
export GITHUB_TOKEN=ghp_... # optional; enables commit history and Scorecard
```

```shell
# Single package
uzomuzo scan pkg:npm/express@4.18.2
# GitHub repository
uzomuzo scan https://github.com/expressjs/express
# Scan project dependencies via SBOM (direct deps only — transitive issues
# are resolved by updating the direct dep that pulls them in)
trivy fs . --format cyclonedx | uzomuzo scan --sbom -
trivy fs . --format cyclonedx | uzomuzo scan --sbom - --show-transitive # include transitive
uzomuzo scan # auto-detect go.mod in cwd
uzomuzo scan --format json # JSON output for CI integration
# CI gate: exit 1 if any EOL dependency found
uzomuzo scan --sbom bom.json --fail-on eol-confirmed
# Batch from Trivy SBOM (show only packages that need replacement)
trivy image --format cyclonedx bkimminich/juice-shop:v14.5.1 \
| uzomuzo scan --sbom - --fail-on eol-confirmed,eol-effective --show-only replace
# Scan a repo's GitHub Actions dependencies
uzomuzo scan https://github.com/owner/repo --include-actions
# Scan a workflow YAML directly
uzomuzo scan --file .github/workflows/ci.yml
# File input (one PURL per line)
uzomuzo scan --file input_purls.txt --sample 500
```

Most projects have dependencies they don't really need, but knowing which ones to remove and how hard it will be is the real problem. uzomuzo diet answers both:
```shell
# Pipe from trivy (no intermediate file)
trivy fs . --format cyclonedx | uzomuzo diet --sbom - --source .
# Or two-step with a file
syft . --source-name myproject -o cyclonedx-json > bom.json
uzomuzo diet --sbom bom.json --source .
```

Real output from fastapi/fastapi (18 direct deps, 35 transitive, Trivy SBOM):
── Diet Plan (18 direct dependencies) ─────────────────────────
Unused (0 imports): 4
Quick wins: 3 (trivial/easy + high impact)
RANK SCORE EFFORT PURL REMOVES REMAINS IMPORTS CALLS STATUS
──── ───── ────── ──── ─────── ─────── ─────── ───── ──────
1 0.42 trivial pkg:pypi/itsdangerous@2.2.0 0 - 0 0 Stalled
2 0.31 trivial pkg:pypi/pyyaml@6.0.3 0 yes 0 0 Active
3 0.30 trivial pkg:pypi/click@8.2.1 0 yes 0 0 Active
4 0.29 trivial pkg:pypi/pydantic-extra-types@2.11.0 0 - 0 0 Active
5 0.19 easy pkg:pypi/fastapi-cli@0.0.20 7 - 1 1 Active
6 0.14 easy pkg:pypi/jinja2@3.1.6 1 - 1 1 Stalled
...
17 0.00 hard pkg:pypi/pydantic@2.12.5 0 yes 233 162 Active
18 0.00 hard pkg:pypi/starlette@0.52.1 0 - 41 49 Active
── Dependency Tree ─────────────────────────────────────────────
Direct deps: 18
Transitive deps: 35
└ removes-with-dep: 8 (removable if that direct dep is removed)
⚠ remains-indirect: 11 (remain in tree via another direct dep)
The ranking surfaces actionable insights: fastapi-cli (rank 5) removes 7 transitive deps with only 1 import — a high-impact, low-effort win. Bottom-ranked pydantic (233 files, 162 calls) is deeply embedded — the tool tells you not to start there.
| Column | Meaning |
|---|---|
| SCORE | Overall removal priority (higher = remove first) |
| EFFORT | trivial (0 imports) / easy / moderate / hard |
| REMOVES | Transitive deps that disappear when this dep is removed |
| REMAINS | yes = stays in tree as indirect dep of another package |
| IMPORTS / CALLS | Source files and call sites — measures how hard to untangle |
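As an added example (not uzomuzo diet's implementation), the Go program below computes the REMOVES and REMAINS columns and the removes-with-dep / remains-indirect totals of the Dependency Tree section from a dependency graph. The rule is set difference: a transitive package is removed along with a direct dependency when it is no longer reachable from the remaining direct dependencies, and a direct dependency "remains" when another direct dependency still pulls it in. The graph is constructed for illustration and is not fastapi's real tree.

```go
package main

import (
	"fmt"
	"sort"
)

// Graph maps each package to the packages it depends on directly. The root
// key lists the project's direct dependencies. Constructed for this example;
// not fastapi's real dependency tree.
type Graph map[string][]string

var sampleGraph = Graph{
	"myproject":    {"fastapi-cli", "pydantic", "pyyaml", "click", "jinja2"},
	"fastapi-cli":  {"typer", "uvicorn", "rich-toolkit"},
	"typer":        {"click", "rich", "typing-extensions"},
	"uvicorn":      {"h11", "click"},
	"rich-toolkit": {"rich", "pyyaml"},
	"rich":         {"markdown-it-py"},
	"pydantic":     {"pydantic-core", "typing-extensions", "annotated-types"},
	"jinja2":       {"markupsafe"},
}

// reachable returns every package reachable from roots (depth-first walk).
func reachable(g Graph, roots []string) map[string]bool {
	seen := map[string]bool{}
	stack := append([]string(nil), roots...)
	for len(stack) > 0 {
		n := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if seen[n] {
			continue
		}
		seen[n] = true
		stack = append(stack, g[n]...)
	}
	return seen
}

// Impact is the REMOVES / REMAINS answer for one direct dependency.
type Impact struct {
	Removes []string // transitive deps that disappear with this direct dep
	Remains bool     // the dep itself stays in the tree through another direct dep
}

// RemovalImpact compares what is reachable now with what would be reachable
// if dep were dropped from root's direct dependencies.
func RemovalImpact(g Graph, root, dep string) Impact {
	var others []string
	for _, d := range g[root] {
		if d != dep {
			others = append(others, d)
		}
	}
	before, after := reachable(g, g[root]), reachable(g, others)
	var removes []string
	for p := range before {
		if p != dep && !after[p] {
			removes = append(removes, p)
		}
	}
	sort.Strings(removes)
	return Impact{Removes: removes, Remains: after[dep]}
}

// TreeSummary reproduces the "Dependency Tree" counts: a transitive dep is
// removes-with-dep when dropping some single direct dep eliminates it, and
// remains-indirect when it survives every single removal (shared by 2+ paths).
func TreeSummary(g Graph, root string) (direct, transitive, removesWithDep, remainsIndirect int) {
	isDirect, eliminable := map[string]bool{}, map[string]bool{}
	for _, d := range g[root] {
		isDirect[d] = true
		for _, p := range RemovalImpact(g, root, d).Removes {
			eliminable[p] = true
		}
	}
	for p := range reachable(g, g[root]) {
		if isDirect[p] {
			continue
		}
		transitive++
		if eliminable[p] {
			removesWithDep++
		} else {
			remainsIndirect++
		}
	}
	return len(g[root]), transitive, removesWithDep, remainsIndirect
}

func main() {
	for _, d := range sampleGraph["myproject"] {
		im := RemovalImpact(sampleGraph, "myproject", d)
		fmt.Printf("%-12s removes=%d remains=%t %v\n", d, len(im.Removes), im.Remains, im.Removes)
	}
	dir, tr, rw, ri := TreeSummary(sampleGraph, "myproject")
	fmt.Printf("direct=%d transitive=%d removes-with-dep=%d remains-indirect=%d\n", dir, tr, rw, ri)
}
```

In the constructed graph, dropping fastapi-cli removes six transitive packages but not typing-extensions, because pydantic still reaches it; that shared package is the one remains-indirect entry, and pyyaml and click show REMAINS = yes because rich-toolkit and typer keep them in the tree. Source coupling (IMPORTS / CALLS) and health risk are separate inputs to the SCORE and are not modelled here.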
Supports Go, Python, JavaScript/TypeScript, and Java. Uses tree-sitter for multi-language source analysis.

```shell
# Java (Maven) — requires CycloneDX Maven Plugin for dependency resolution
mvn org.cyclonedx:cyclonedx-maven-plugin:2.9.1:makeBom \
-DoutputFormat=json -DoutputName=bom -Dcyclonedx.skipNotDeployed=false
uzomuzo diet --sbom target/bom.json --source .
```

Diet doesn't just rank: it feeds into Claude Code skills that use an LLM to analyze, plan, and execute the removal:
uzomuzo diet Rank all deps by removability (automated)
↓
/diet-assess-risk Trace data flows, build attack (LLM-powered)
/diet-evaluate-removal scenarios, evaluate cost-benefit
↓
/diet-remove Safe removal: analysis → replace (LLM-powered)
→ verify → commit/issue
The key insight: detection is a tool's job, but deciding how to remove is an LLM's job. Diet provides the structured data (graph impact, coupling metrics, health signals), and the LLM skills read the actual source code to plan the migration. See Diet Workflow for the full pipeline.
See Diet Command for scoring algorithm and SBOM tool comparison, and Claude Code Skills for the LLM-powered removal workflow.
See Usage for full CLI reference and Integration Examples for Trivy, Syft, and Go module workflows.
uzomuzo classifies each package into one of seven lifecycle states using a multi-signal decision tree (OpenSSF Scorecard, human commit recency, release activity, registry EOL flags, advisory severity, and unpatched advisory counts):
| Label | Meaning | Action |
|---|---|---|
| Active | Recent human commits + releases + healthy maintenance score | No action needed |
| Legacy-Safe | No recent activity, but zero vulnerabilities — frozen and stable | Accept risk or pin version |
| Stalled | Maintenance declining: low score or commits stopped | Monitor; plan migration |
| EOL-Confirmed | Repository archived/disabled, or registry explicitly marks EOL | Migrate immediately |
| EOL-Effective | No official EOL, but 2+ yrs without human commits AND HIGH/CRITICAL unpatched vulns | Migrate; treat as EOL |
| EOL-Scheduled | Future EOL date announced (not yet reached) | Plan migration before EOL date |
| Review Needed | Insufficient data for automated classification | Manual investigation required |
| Capability | Trivy / Syft | OpenSSF Scorecard | endoflife.date | uzomuzo |
|---|---|---|---|---|
| Known vulnerability scanning | Yes | Partial | No | Partial (via deps.dev) |
| Single-repo health scoring | No | Yes (17 checks) | No | Yes (via Scorecard) |
| Dependency tree lifecycle assessment | No | No | No | Yes |
| Long Tail EOL detection | No | No | ~400 projects | Multi-signal heuristic |
| Bot vs. human commit filtering | No | No | N/A | Yes |
| GitHub Actions health scanning | No | No | No | Yes |
| Lifecycle classification granularity | N/A | N/A | Binary (EOL/not) | 7 actionable states |
| Batch processing scale | N/A | 1 repo/run | N/A | 5,000+ PURLs/run |
| Innovation | Why it matters |
|---|---|
| Human vs. bot commit separation | Repositories with only Dependabot/Renovate commits masquerade as maintained. uzomuzo filters automated commits to reveal true human activity. |
| 7-state lifecycle model | Binary "EOL or not" is insufficient. Each state maps to a concrete remediation action. |
| Ecosystem-aware delivery model | Go modules deliver via VCS-direct; npm via registry publish. The same "commits without publish" signal means different things per ecosystem. |
| Evidence trails | Every label includes a reason string and decision trace, so security teams can audit why a package was flagged. |
| Graduated precision | Works without GitHub token (deps.dev only); adding a token unlocks commit history and Scorecard for high-precision assessment. |
| GitHub Actions supply chain scanning | CI/CD workflows depend on third-party Actions that are themselves OSS. uzomuzo extracts uses: directives, recursively resolves composite actions (including local ./ references), and evaluates each Action's lifecycle. |
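The Go program below is an added example, not code from uzomuzo, that reimplements the decision order the lifecycle table and the innovation table above describe: hard EOL evidence first (archived repository, registry deprecation, announced EOL date), then the 2-year / HIGH-or-CRITICAL heuristic for EOL-Effective, then activity, with a bot filter applied before the commit-recency signal and a reason string attached to every label. The `Signals` fields, the bot-account list, the ecosystem flag, and the 1-year, 2-year, CVSS 7.0 and score 3 thresholds are assumptions; the commit dates in the sample cases are taken from the reports on this page with an assumed scan date of 2026-04-01.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Commit is a minimal view of one repository commit (constructed for this example).
type Commit struct {
	Author string // GitHub login, e.g. "dependabot[bot]"
	Date   time.Time
}

// IsBotCommit treats the "[bot]" login suffix and a few well-known automation
// accounts as non-human. The list is an illustrative assumption; production
// filtering also needs author-email patterns.
func IsBotCommit(c Commit) bool {
	a := strings.ToLower(c.Author)
	return strings.HasSuffix(a, "[bot]") || a == "dependabot" || a == "renovate-bot"
}

// LastHumanCommit returns the newest non-bot commit date, or zero if none.
func LastHumanCommit(commits []Commit) time.Time {
	var last time.Time
	for _, c := range commits {
		if !IsBotCommit(c) && c.Date.After(last) {
			last = c.Date
		}
	}
	return last
}

// Signals is the evidence this example's tree consults. Field names and the
// 1-year / 2-year / CVSS 7.0 / score 3 thresholds are assumptions for illustration.
type Signals struct {
	RepoArchived     bool
	RegistryEOL      bool      // e.g. npm "deprecated"
	ScheduledEOL     time.Time // zero when no EOL date is announced
	LastHumanCommit  time.Time // zero when history is unavailable
	VCSDelivered     bool      // Go modules / GitHub Actions: commits are the release channel
	RecentRelease    bool      // stable version published within the last year
	MaintainedScore  float64   // Scorecard Maintained 0..10; -1 when unavailable
	MaxUnpatchedCVSS float64   // 0 when no unpatched advisory exists
}

const (
	Active       = "Active"
	LegacySafe   = "Legacy-Safe"
	Stalled      = "Stalled"
	EOLConfirmed = "EOL-Confirmed"
	EOLEffective = "EOL-Effective"
	EOLScheduled = "EOL-Scheduled"
	ReviewNeeded = "Review Needed"
)

// Classify checks hard EOL evidence first, then the effective-EOL heuristic,
// then activity, and returns the label with an auditable reason string.
func Classify(s Signals, now time.Time) (label, reason string) {
	switch {
	case s.RepoArchived:
		return EOLConfirmed, "repository archived or disabled"
	case s.RegistryEOL:
		return EOLConfirmed, "registry explicitly marks the package deprecated/EOL"
	case !s.ScheduledEOL.IsZero() && s.ScheduledEOL.After(now):
		return EOLScheduled, "EOL announced for " + s.ScheduledEOL.Format("2006-01-02")
	case !s.ScheduledEOL.IsZero():
		return EOLConfirmed, "announced EOL date has passed"
	case s.LastHumanCommit.IsZero():
		return ReviewNeeded, "no commit history available"
	}
	idleYears := now.Sub(s.LastHumanCommit).Hours() / 24 / 365
	lowScore := s.MaintainedScore >= 0 && s.MaintainedScore < 3 // unknown score is not held against the package
	switch {
	case idleYears >= 2 && s.MaxUnpatchedCVSS >= 7.0:
		return EOLEffective, fmt.Sprintf("%.1f years without human commits and an unpatched advisory (CVSS %.1f)", idleYears, s.MaxUnpatchedCVSS)
	case idleYears >= 2 && s.MaxUnpatchedCVSS == 0:
		return LegacySafe, "dormant for 2+ years but no known vulnerabilities"
	case idleYears < 1 && (s.VCSDelivered || s.RecentRelease) && !lowScore:
		return Active, "recent human commits and releases; maintenance score not low"
	default:
		return Stalled, fmt.Sprintf("maintenance declining: %.1f years idle, low score=%t, unpatched CVSS %.1f", idleYears, lowScore, s.MaxUnpatchedCVSS)
	}
}

func main() {
	now := time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC) // assumed scan date
	day := func(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }

	// A repository whose only recent commits are Dependabot/Renovate bumps:
	// by raw commit date it looks Active; after bot filtering its last human
	// commit is 2023 and it lands in Legacy-Safe.
	commits := []Commit{
		{"dependabot[bot]", day(2026, 3, 1)},
		{"renovate[bot]", day(2025, 11, 1)},
		{"alice", day(2023, 9, 1)},
	}
	fmt.Println("last human commit:", LastHumanCommit(commits).Format("2006-01-02"))

	// Dates transcribed from the sample reports on this page; flags are assumptions.
	cases := []struct {
		purl string
		s    Signals
	}{
		{"pkg:npm/express@4.18.2", Signals{LastHumanCommit: day(2026, 3, 31), RecentRelease: true, MaintainedScore: 10}},
		{"pkg:npm/moment@2.29.4", Signals{LastHumanCommit: day(2024, 2, 18), MaintainedScore: 0}},
		{"pkg:golang/github.com/gorilla/mux@1.8.1", Signals{LastHumanCommit: day(2024, 6, 19), VCSDelivered: true, MaintainedScore: 0}},
		{"pkg:npm/dicer@0.3.1", Signals{LastHumanCommit: day(2023, 7, 15), MaintainedScore: 0, MaxUnpatchedCVSS: 7.5}},
		{"pkg:golang/github.com/dgrijalva/jwt-go@3.2.0", Signals{RepoArchived: true, MaxUnpatchedCVSS: 7.5}},
		{"pkg:npm/request@2.88.2", Signals{RegistryEOL: true, MaxUnpatchedCVSS: 6.1}},
	}
	for _, c := range cases {
		label, reason := Classify(c.s, now)
		fmt.Printf("%-48s %-14s %s\n", c.purl, label, reason)
	}
}
```

Two details carry the security weight. The bot filter changes the answer for the Dependabot-only repository from Active to Legacy-Safe, which is the masquerade the innovation table describes. And `VCSDelivered` is why gorilla/mux is judged on commits alone while an npm package with the same commit history but no publish would not be Active; the reason string records which branch fired so the label can be audited.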
Sample Output — All lifecycle states (detailed format)
--- Summary Table ---
STATUS PURL LIFECYCLE BUILD
✅ ok pkg:npm/express@4.18.2 Active Hardened 9.3
── Summary ─────────────────────────────────────────────────
│ 1 dependencies | ✅ 1 ok | ⚠️ 0 caution | 🔴 0 replace | 🔍 0 review
└───────────────────────────────────────────────────────────
--- Detailed Report ---
--- PURL 1 ---
── pkg:npm/express@4.18.2 ──────────────────────────────────
│ Fast, unopinionated, minimalist web framework for node.
│ ✅ Active: Actively maintained with recent releases
├─ Signals ─────────────────────────────────────────────────
│ Recent Stable Release: true
│ Last Human Commit: 2026-03-31
│ Maintained Score: 10/10
├─ Health ──────────────────────────────────────────────────
│ 68888 stars
│ Used by: 2211 packages
│ Depends on: 31 direct, 39 transitive
│ Scorecard Overall: 8.4/10 Maintained: 10.0/10
│ Last Commit: 2026-03-31
├─ Releases ────────────────────────────────────────────────
│ Stable: 5.2.1 (2025-12-01)
│ Pre-release: 5.0.0-beta.3 (2024-03-25)
│ Requested: 4.18.2 (2022-10-08)
├─ Build Integrity ─────────────────────────────────────────
│ ✅ Hardened 9.3/10 (5/6)
│ Dangerous Workflow 10 Branch Protection —
│ Code Review 9 Token Permissions 10
│ Binary Artifacts 10 Pinned Deps 6
│ → https://scorecard.dev/viewer/?uri=github.com%2Fexpressjs%2Fexpress
├─ Links ───────────────────────────────────────────────────
│ Homepage: https://expressjs.com
│ Repository: https://github.com/expressjs/express
│ Registry: https://www.npmjs.com/package/express
│ deps.dev: https://deps.dev/npm/express
└───────────────────────────────────────────────────────────
--- Summary Table ---
STATUS PURL LIFECYCLE BUILD
✅ ok pkg:npm/moment@2.29.4 Legacy-Safe Moderate 4.7
── Summary ─────────────────────────────────────────────────
│ 1 dependencies | ✅ 1 ok | ⚠️ 0 caution | 🔴 0 replace | 🔍 0 review
└───────────────────────────────────────────────────────────
--- Detailed Report ---
--- PURL 1 ---
── pkg:npm/moment@2.29.4 ───────────────────────────────────
│ Parse, validate, manipulate, and display dates in
│ javascript.
│ ✅ Legacy-Safe: Dormant but no known vulnerabilities
├─ Signals ─────────────────────────────────────────────────
│ Last Human Commit: 2024-02-18
│ Advisories: 0
├─ Health ──────────────────────────────────────────────────
│ 48016 stars
│ Used by: 2452 packages
│ Scorecard Overall: 3.1/10 Maintained: 0.0/10
│ Last Commit: 2024-02-18
├─ Releases ────────────────────────────────────────────────
│ Stable: 2.30.1 (2023-12-27)
│ Requested: 2.29.4 (2022-07-06)
├─ Build Integrity ─────────────────────────────────────────
│ ⚠️ Moderate 4.7/10 (5/6)
│ Dangerous Workflow 10 Branch Protection —
│ Code Review 0 Token Permissions 0
│ Binary Artifacts 10 Pinned Deps 0
│ → https://scorecard.dev/viewer/?uri=github.com%2Fmoment%2Fmoment
├─ Links ───────────────────────────────────────────────────
│ Homepage: momentjs.com
│ Repository: https://github.com/moment/moment
│ Registry: https://www.npmjs.com/package/moment
│ deps.dev: https://deps.dev/npm/moment
└───────────────────────────────────────────────────────────
Scorecard says Maintained 0.0, but there are zero known advisories and the library has a stable, bounded feature set. Acceptable as frozen code; watch for maintenance decline, since a future advisory would have no one left to patch it.
--- Summary Table ---
STATUS PURL LIFECYCLE BUILD
⚠️ caution pkg:golang/github.com/gorilla/mux@1.8.1 Stalled Moderate 6.5
── Summary ─────────────────────────────────────────────────
│ 1 dependencies | ✅ 0 ok | ⚠️ 1 caution | 🔴 0 replace | 🔍 0 review
└───────────────────────────────────────────────────────────
--- Detailed Report ---
--- PURL 1 ---
── pkg:golang/github.com/gorilla/mux@1.8.1 ─────────────────
│ Package gorilla/mux is a powerful HTTP router and URL
│ matcher for building Go web servers with 🦍
│ ⚠️ Stalled: Low maintenance
├─ Signals ─────────────────────────────────────────────────
│ Last Human Commit: 2024-06-19
│ Maintained Score: 0/10
├─ Health ──────────────────────────────────────────────────
│ 21814 stars
│ Scorecard Overall: 4.9/10 Maintained: 0.0/10
│ Last Commit: 2024-06-19
├─ Releases ────────────────────────────────────────────────
│ Stable: v1.8.1 (2023-10-18)
│ Highest (SemVer): v1.8.2-0.20240619235004-fe14465e5077 (2024-06-19)
├─ Build Integrity ─────────────────────────────────────────
│ ⚠️ Moderate 6.5/10 (5/6)
│ Dangerous Workflow 10 Branch Protection —
│ Code Review 9 Token Permissions 0
│ Binary Artifacts 10 Pinned Deps 0
│ → https://scorecard.dev/viewer/?uri=github.com%2Fgorilla%2Fmux
├─ Links ───────────────────────────────────────────────────
│ Homepage: https://gorilla.github.io
│ Repository: https://github.com/gorilla/mux
│ Registry: https://pkg.go.dev/github.com%2Fgorilla%2Fmux
│ deps.dev: https://deps.dev/go/github.com/gorilla/mux
└───────────────────────────────────────────────────────────
No release since 2023, Maintained 0.0. Not dead, not active — clearly declining.
--- Summary Table ---
STATUS PURL LIFECYCLE BUILD
🔴 replace pkg:npm/dicer@0.3.1 EOL-Effective —
── Summary ─────────────────────────────────────────────────
│ 1 dependencies | ✅ 0 ok | ⚠️ 0 caution | 🔴 1 replace | 🔍 0 review
└───────────────────────────────────────────────────────────
--- Detailed Report ---
--- PURL 1 ---
── pkg:npm/dicer@0.3.1 ─────────────────────────────────────
│ A very fast streaming multipart parser for node.js
│ 🔴 EOL-Effective: Unmaintained, unpatched vulnerabilities
├─ Signals ─────────────────────────────────────────────────
│ Last Human Commit: 2023-07-15
│ Maintained Score: 0/10
│ Advisories: 1
│ Max Advisory Severity: HIGH 7.5
├─ Health ──────────────────────────────────────────────────
│ 188 stars
│ Used by: 1271 packages
│ Depends on: 1 direct, 0 transitive
│ Scorecard Overall: 2.8/10 Maintained: 0.0/10
│ Last Commit: 2023-07-15
├─ Releases ────────────────────────────────────────────────
│ Stable: 0.3.1 (2021-12-19) ⚠️ 1 advisory
│ HIGH (7.5) GHSA-wm7h-9275-46v2
│ → https://deps.dev/npm/dicer/0.3.1
├─ Links ───────────────────────────────────────────────────
│ Repository: https://github.com/mscdex/dicer
│ Registry: https://www.npmjs.com/package/dicer
│ deps.dev: https://deps.dev/npm/dicer
└───────────────────────────────────────────────────────────
No deprecation, no archive, but an unpatched denial-of-service advisory plus zero maintenance. SCA blind spot.
--- Summary Table ---
STATUS PURL LIFECYCLE BUILD
🔴 replace pkg:golang/github.com/dgrijalva/jwt-go@3.2.0 EOL-Confirmed —
── Summary ─────────────────────────────────────────────────
│ 1 dependencies | ✅ 0 ok | ⚠️ 0 caution | 🔴 1 replace | 🔍 0 review
└───────────────────────────────────────────────────────────
--- Detailed Report ---
--- PURL 1 ---
── pkg:golang/github.com/dgrijalva/jwt-go@3.2.0 ────────────
│ ARCHIVE - Golang implementation of JSON Web Tokens (JWT).
│ This project is now maintained at:
│ 🔴 EOL-Confirmed: Repository archived or disabled
├─ Signals ─────────────────────────────────────────────────
│ Repo Archived: true
├─ Health ──────────────────────────────────────────────────
│ 📦 Archived
│ 10759 stars
│ Scorecard Overall: 2.8/10 Maintained: 0.0/10
│ Last Commit: 2021-08-02
├─ Releases ────────────────────────────────────────────────
│ Stable: v3.2.0+incompatible (2018-03-08) ⚠️ 2 advisories
│ HIGH (7.5) GHSA-w73w-5m7g-f7qc
│ GO-2020-0017
│ → https://deps.dev/go/github.com/dgrijalva/jwt-go/v3.2.0+incompatible
│ Highest (SemVer): v4.0.0-20210802184156-9742bd7fca1c+incompatible (2021-08-02)
├─ Links ───────────────────────────────────────────────────
│ Homepage: https://github.com/golang-jwt/jwt
│ Repository: https://github.com/dgrijalva/jwt-go
│ Registry: https://pkg.go.dev/github.com%2Fdgrijalva%2Fjwt-go
│ deps.dev: https://deps.dev/go/github.com/dgrijalva/jwt-go
└───────────────────────────────────────────────────────────
Successor is golang-jwt/jwt. Migrate immediately.
--- Summary Table ---
STATUS PURL LIFECYCLE BUILD
🔴 replace pkg:npm/request@2.88.2 EOL-Confirmed —
── Summary ─────────────────────────────────────────────────
│ 1 dependencies | ✅ 0 ok | ⚠️ 0 caution | 🔴 1 replace | 🔍 0 review
└───────────────────────────────────────────────────────────
--- Detailed Report ---
--- PURL 1 ---
── pkg:npm/request@2.88.2 ──────────────────────────────────
│ 🏊🏾 Simplified HTTP request client.
│ 🔴 EOL-Confirmed: Deprecated in npm registry
├─ Signals ─────────────────────────────────────────────────
│ EOL Source: npmjs
├─ EOL ─────────────────────────────────────────────────────
│ Evidence (1):
│ [npmjs] Deprecated in npm registry (confidence 0.90)
│ ↳ https://registry.npmjs.org/request
├─ Health ──────────────────────────────────────────────────
│ 25577 stars
│ Used by: 186349 packages
│ Depends on: 20 direct, 26 transitive
│ Scorecard Overall: 3.6/10 Maintained: 0.0/10
│ Last Commit: 2020-02-11
├─ Releases ────────────────────────────────────────────────
│ Stable: 2.88.2 (2020-02-11) ⚠️ 1 advisory (+ 3 transitive) ⚠️ [DEPRECATED]
│ MEDIUM (6.1) GHSA-p8p7-x288-28g6
│ Transitive (via tough-cookie@2.5.0, qs@6.5.5, form-data@2.3.3):
│ MEDIUM (6.5) GHSA-72xf-g2v4-qvf3
│ LOW (3.7) GHSA-6rw7-vpxm-498p
│ GHSA-fjxv-7rqg-78g4
│ → https://deps.dev/npm/request/2.88.2
├─ Links ───────────────────────────────────────────────────
│ Repository: https://github.com/request/request
│ Registry: https://www.npmjs.com/package/request
│ deps.dev: https://deps.dev/npm/request
└───────────────────────────────────────────────────────────
186K dependents. npm deprecated with deprecation message, 1 direct advisory + 3 transitive advisories from vulnerable sub-dependencies. Last release 2020. Migrate immediately.
Sample Output — Table format (mixed statuses)
$ uzomuzo scan pkg:npm/express@4.18.2 pkg:npm/moment@2.29.4 \
pkg:golang/github.com/gorilla/mux@1.8.1 pkg:npm/dicer@0.3.1 \
pkg:golang/github.com/dgrijalva/jwt-go@3.2.0 pkg:npm/request@2.88.2 \
-f table
STATUS PURL LIFECYCLE BUILD
✅ ok pkg:npm/express@4.18.2 Active Hardened 9.3
✅ ok pkg:npm/moment@2.29.4 Legacy-Safe Moderate 4.7
⚠️ caution pkg:golang/github.com/gorilla/mux@1.8.1 Stalled Moderate 6.5
🔴 replace pkg:npm/dicer@0.3.1 EOL-Effective —
🔴 replace pkg:golang/github.com/dgrijalva/jwt-go@3.2.0 EOL-Confirmed —
🔴 replace pkg:npm/request@2.88.2 EOL-Confirmed —
── Summary ─────────────────────────────────────────────────
│ 6 dependencies | ✅ 2 ok | ⚠️ 1 caution | 🔴 3 replace | 🔍 0 review
└───────────────────────────────────────────────────────────
Sample Output — go.mod input
$ uzomuzo scan --file go.mod -f table
STATUS PURL RELATION LIFECYCLE BUILD
🔴 replace pkg:golang/github.com/dgrijalva/jwt-go@v3.2.0+incompatible direct EOL-Confirmed —
⚠️ caution pkg:golang/github.com/gorilla/mux@v1.8.1 direct Stalled Moderate 6.5
✅ ok pkg:golang/github.com/stretchr/testify@v1.9.0 direct Active Moderate 6.7
── Summary ─────────────────────────────────────────────────
│ 3 dependencies | ✅ 1 ok | ⚠️ 1 caution | 🔴 1 replace | 🔍 0 review
└───────────────────────────────────────────────────────────
go.mod input adds a RELATION column showing direct or indirect dependency relationship.
Sample Output — GitHub Actions workflow input
$ uzomuzo scan --file .github/workflows/ci.yml -f detailed
── https://github.com/actions/checkout ─────────────────────
│ Description: Action for checking out a repo
│ ✅ Active
│ Reason: Recent human commits but no recent package publishing; maintenance score unavailable (Scorecard not found)
├─ Health ──────────────────────────────────────────────────
│ 7733 stars
│ Last Commit: 2026-01-09
├─ License ─────────────────────────────────────────────────
│ Project: MIT (github)
│ Requested Version: (none)
├─ Links ───────────────────────────────────────────────────
│ Homepage: https://github.com/features/actions
│ Repository: https://github.com/actions/checkout
└───────────────────────────────────────────────────────────
── https://github.com/actions/setup-go ─────────────────────
│ Package: pkg:golang/github.com/actions/setup-go@v6.4.0+incompatible
│ Description: Set up your GitHub Actions workflow with a specific version of Go
│ ✅ Active
│ Reason: Recent stable package version published with recent human commits; maintenance score ≥ 3
├─ Health ──────────────────────────────────────────────────
│ 1673 stars
│ Score: 6.1/10 Maintained: 10.0/10
│ Last Commit: 2026-03-17
├─ Releases ────────────────────────────────────────────────
│ Stable: v6.4.0+incompatible (2026-03-17)
├─ License ─────────────────────────────────────────────────
│ MIT (depsdev)
├─ Links ───────────────────────────────────────────────────
│ Repository: https://github.com/actions/setup-go
│ Registry: https://pkg.go.dev/github.com%2Factions%2Fsetup-go
│ deps.dev: https://deps.dev/go/github.com/actions/setup-go
└───────────────────────────────────────────────────────────
Workflow scan extracts uses: directives and evaluates each referenced Action as a GitHub repository.
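An added example, not uzomuzo's extractor, of how a workflow scan of this shape can be built in Go: it pulls every `uses:` directive out of a workflow, follows local `./` composite actions into their `action.yml` recursively, maps `owner/repo[/subdir]@ref` to the GitHub repository a lifecycle check would evaluate, and flags references that are not pinned to a full commit SHA. The workflow file, the local action and the 40-hex SHA are constructed for the example; the regular-expression extraction is a shortcut that a YAML parser should replace in real use.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// sampleFiles is a constructed repository checkout: one workflow plus a local
// composite action. Paths and contents are invented for this example; the
// 40-hex SHA is a placeholder, not a real commit.
var sampleFiles = map[string]string{
	".github/workflows/ci.yml": `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
        with:
          go-version: "1.22"
      - uses: ./.github/actions/lint
      - run: go test ./...
`,
	".github/actions/lint/action.yml": `name: lint
runs:
  using: composite
  steps:
    - uses: golangci/golangci-lint-action@v6
    - uses: docker://ghcr.io/example/scanner:1.0
    - run: echo done
      shell: bash
`,
}

// usesRe captures the value of a "uses:" key. A regex is an illustrative
// shortcut; a YAML parser is the robust choice (quoted/folded scalars, anchors).
var usesRe = regexp.MustCompile(`(?m)^\s*-?\s*uses:\s*["']?([^"'\s#]+)`)

// fullShaRe recognises a commit-pinned ref, the only immutable form.
var fullShaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// ActionRef is one third-party dependency reached from a workflow.
type ActionRef struct {
	Repo   string // https://github.com/owner/repo, or a docker:// image
	Ref    string // tag, branch or SHA after '@' (empty for docker://)
	Pinned bool   // Ref is a full commit SHA
	Via    string // file that declared it
}

// Resolve extracts every uses: directive in file, follows local "./" actions
// into their action.yml recursively (cycle-safe via seen), and returns the
// remote Actions it reaches.
func Resolve(files map[string]string, file string, seen map[string]bool) []ActionRef {
	if seen[file] {
		return nil
	}
	seen[file] = true
	var out []ActionRef
	for _, m := range usesRe.FindAllStringSubmatch(files[file], -1) {
		u := m[1]
		switch {
		case strings.HasPrefix(u, "./"):
			dir := path.Clean(u)
			for _, cand := range []string{dir + "/action.yml", dir + "/action.yaml"} {
				if _, ok := files[cand]; ok {
					out = append(out, Resolve(files, cand, seen)...)
					break
				}
			}
		case strings.HasPrefix(u, "docker://"):
			out = append(out, ActionRef{Repo: u, Via: file})
		default:
			spec, ref, _ := strings.Cut(u, "@")
			parts := strings.SplitN(spec, "/", 3) // owner/repo[/subdir]
			if len(parts) < 2 {
				continue
			}
			out = append(out, ActionRef{
				Repo:   "https://github.com/" + parts[0] + "/" + parts[1],
				Ref:    ref,
				Pinned: fullShaRe.MatchString(ref),
				Via:    file,
			})
		}
	}
	return out
}

// Unpinned lists GitHub Actions referenced by a mutable tag or branch, which a
// compromised upstream can retarget (the Scorecard Pinned-Dependencies concern).
func Unpinned(refs []ActionRef) []string {
	var out []string
	for _, r := range refs {
		if strings.HasPrefix(r.Repo, "https://github.com/") && !r.Pinned {
			out = append(out, r.Repo+"@"+r.Ref)
		}
	}
	return out
}

func main() {
	refs := Resolve(sampleFiles, ".github/workflows/ci.yml", map[string]bool{})
	for _, r := range refs {
		fmt.Printf("%-55s ref=%-42s pinned=%-5t via=%s\n", r.Repo, r.Ref, r.Pinned, r.Via)
	}
	fmt.Println("unpinned:", Unpinned(refs))
}
```

The local composite action is the part worth noticing: the workflow itself names only two remote Actions, but following `./.github/actions/lint` surfaces a third repository and a container image that a scan of the workflow file alone would miss. Each resolved repository URL is what a lifecycle check would then evaluate.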
npm / PyPI / Maven / Cargo / Go modules / NuGet / RubyGems / Packagist
- Multi-ecosystem support: 8 ecosystems with full PURL (Package URL) spec compliance
- Build integrity grading: Supply chain build tamper resistance assessment using Scorecard checks and SLSA provenance — details
- OpenSSF Scorecard integration: Automated security maturity metrics
- Parallel-optimized batch processing: 5,000+ PURLs/run with concurrent API orchestration
- Unified scan subcommand: Single entry point for PURL, GitHub URL, SBOM, go.mod, with `--fail-on` CI exit code gating
- Flexible input: Direct PURL / GitHub URL / file list / mixed / stdin pipe
- CSV / CLI reports: Comprehensive output of metrics, licenses, and lifecycle status
- Extensible via AnalysisEnricher hook: Inject custom EOL catalog logic without modifying core — details
- Embeddable as a Go library: pkg/uzomuzo/facade for SaaS integration — details
- Claude Code skills: LLM-powered analysis prompts for EOL risk assessment and dependency removal prioritization — details
- Automated monthly scanning: GitHub Actions workflow with Trivy SBOM generation and GitHub Issue publication, with Slack notifications available via GitHub issue subscriptions/integrations — details
Interfaces → Application → Domain ← Infrastructure
- Domain: Pure business logic — lifecycle decision tree, ecosystem models, entity definitions (no external dependencies)
- Application: Use case orchestration with AnalysisEnricher hook pattern for pluggable EOL catalogs
- Infrastructure: External APIs (deps.dev, GitHub GraphQL, Scorecard) / parallel processing / I/O
- Interfaces: CLI entry points / input validation (no concurrent logic)
See Data Flow for API integration diagram and two-path assessment architecture.
| Document | Overview |
|---|---|
| Usage | CLI commands, batch processing, filters, configuration, logging |
| Build Integrity | Supply chain build tamper resistance grading |
| Data Flow | API integration diagram, two-path assessment architecture |
| Integration Examples | Trivy/SBOM integration, container scanning, dependency tracing, GitHub Actions scheduled scanning |
| Landscape Comparison | Problem space, tool comparison, complementary usage |
| Library Usage | Go library API, Evaluator, Analysis type |
| PURL Identity Model | OriginalPURL / EffectivePURL / CanonicalKey 3-layer design |
| License Resolution | ResolvedLicense / normalization / fallback / promotion |
| Development Guide | SPDX updates, testing, performance, troubleshooting |
| Claude Code Skills | LLM-powered dependency analysis: EOL risk tracing + 6-axis removal evaluation |
Pronounced oo-zoh-moo-zoh — from the Japanese uzōmuzō (有象無象).
In Japanese Buddhist philosophy, uzō (有象) means "things with form" and muzō (無象) means "things without form." Together, uzōmuzō originally described "all things in the universe — the visible and the invisible."
Modern software supply chains are exactly that: a vast universe of seen (direct) and unseen (transitive) dependencies. uzomuzo illuminates this complexity — mapping every element of your dependency tree to bring clarity to the chaos.
Developed by kotakanbe, creator of Vuls — an open-source vulnerability scanner with 12,000+ GitHub stars. uzomuzo extends this mission from reactive vulnerability scanning to proactive supply chain lifecycle governance.
If you find uzomuzo useful, consider sponsoring the maintainer.
Apache License 2.0 — see LICENSE for details.