open source · rust · 12 ecosystems

See how far every vulnerability reaches across your fleet.

fleetreach audits many repos in one pass and ranks what to patch by blast radius into a fix-this-first queue. Twelve ecosystems, sound Rust reachability, one binary — no server, no SBOM pipeline.

$ cargo install fleetreach-cli --features network
The fleet question

One fix can clear many repos. fleetreach finds it.

Single-project scanners answer "is this repo vulnerable?". fleetreach answers the question a fleet actually has: which one fix clears the most repos, and in what order do I work?

fleetreach scan -c fleet.toml -f blast
Repos  Direct  Transitive  Fix       Severity      Advisory            Title
2      1       1           mixed     unknown       RUSTSEC-2025-0004   ssl select_next_proto UAF
1      1       0           manifest  critical 9.8  RUSTSEC-2021-0003   SmallVec::insert_many overflow
1      0       1           upstream  medium 6.2    RUSTSEC-2020-0071   Potential segfault in time

The lead row is a medium, not the critical — it is the one advisory present in two repos, so a single bump clears both. And the split tells you how: a transitive-only hit needs an upstream bump, not a manifest edit. That ranking is what repo-by-repo scanning can't give you.
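The ranking in the table above can be reproduced from per-repo findings. This is an added example, not fleetreach's own code: the `Hit`, `BlastRow`, `blast_radius` and `sample_findings` names are hypothetical, the findings are constructed to match the three advisories shown, and ties between equal repo counts are broken by advisory id here rather than by severity.

```rust
use std::collections::BTreeMap;

/// How an advisory reaches one repo: pinned by the repo's own manifest, or
/// only pulled in through a dependency it does not control.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Hit { Direct, Transitive }

/// One blast-radius row: an advisory and the repos a single fix would clear.
#[derive(Debug, PartialEq, Eq)]
pub struct BlastRow {
    pub advisory: &'static str,
    pub repos: usize,
    pub direct: usize,
    pub transitive: usize,
    pub fix: &'static str, // "manifest", "upstream" or "mixed"
}

/// Fold per-repo findings `(repo_id, advisory_id, how)` into one row per
/// advisory, ranked by repo count (descending); ties fall back to advisory id.
pub fn blast_radius(findings: &[(&str, &'static str, Hit)]) -> Vec<BlastRow> {
    // advisory -> repo -> worst reach seen (a direct pin beats a transitive pull)
    let mut per_adv: BTreeMap<&'static str, BTreeMap<&str, Hit>> = BTreeMap::new();
    for &(repo, adv, how) in findings {
        let slot = per_adv.entry(adv).or_default().entry(repo).or_insert(how);
        if how == Hit::Direct { *slot = Hit::Direct; }
    }
    let mut rows: Vec<BlastRow> = per_adv.into_iter().map(|(advisory, reach)| {
        let direct = reach.values().filter(|&&h| h == Hit::Direct).count();
        let transitive = reach.len() - direct;
        // Direct-only: edit the manifest. Transitive-only: bump the upstream crate.
        let fix = match (direct, transitive) {
            (_, 0) => "manifest",
            (0, _) => "upstream",
            _ => "mixed",
        };
        BlastRow { advisory, repos: reach.len(), direct, transitive, fix }
    }).collect();
    rows.sort_by(|a, b| b.repos.cmp(&a.repos).then(a.advisory.cmp(b.advisory)));
    rows
}
/// Constructed sample (hypothetical findings): the three advisories the page's table shows.
pub fn sample_findings() -> Vec<(&'static str, &'static str, Hit)> {
    vec![
        ("core-lib", "RUSTSEC-2025-0004", Hit::Direct),
        ("services", "RUSTSEC-2025-0004", Hit::Transitive),
        ("core-lib", "RUSTSEC-2021-0003", Hit::Direct),
        ("services", "RUSTSEC-2020-0071", Hit::Transitive),
    ]
}
```

The two-repo advisory leads regardless of severity, and the direct/transitive split yields the fix-path hint.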

Built for fleets

Everything you need to triage a whole portfolio.

Blast radius

Rank advisories by how many repos one fix clears, split direct vs transitive with a fix-path hint.

Remediation queue

A batched, sequenced list of exact dependency bumps — low-churn first, breaking jumps flagged.

Provenance, fleet-wide

--why serde answers "who pulls this in?" across every repo at once, no cargo tree spelunking.

Sound reachability

For Rust, a MIR call-graph analysis proves whether a vulnerable function is actually callable.

Twelve ecosystems

Rust, Go, npm, PyPI, RubyGems, Packagist, NuGet, Julia, Swift, Hex, Maven, GitHub Actions.

Fail-closed

A gap it cannot scan is never reported clean. A falsely clean report is the worst possible output.

How it compares

A niche the popular scanners leave open.

Tool                          Scans                  Answers                                    Reachability          Shape
fleetreach                    many repos, one pass   which fix clears the most repos, ranked    sound (Rust)          single binary
osv-scanner · Trivy · Grype   one project            "is this project vulnerable?"              experimental / none   binary
OWASP Dependency-Track        a portfolio            similar, but as a platform                 no                    a server you run

Want container scanning, a hosted dashboard, or single-repo CI checks? Those tools fit better. Want one command that answers "what is my fleet's dependency risk, and what do I fix first" — that's this.

Quickstart

Point it at a fleet.toml. Get one report.

List your repos once. fleetreach reads each lockfile, correlates across the fleet, and emits a ranked, CI-pipeable report — table, JSON, SARIF, or OpenVEX. Mixed Rust + Go + npm + … folds into one queue.

fleet.toml
[[repo]]
id   = "core-lib"
path = "../core-lib"

[[repo]]
id   = "services"
path = "../services"
glob = true   # discover **/Cargo.lock

[[repo]]
id        = "web"
path      = "../web"
ecosystem = "npm"  # or auto-detected
Continuous

Drop it into CI in three lines.

The bundled GitHub Action installs fleetreach, scans the repo, and uploads findings to the Security tab as SARIF.

.github/workflows/audit.yml
- uses: tess-fun/fleetreach@v1
  with:
    args: "--enrich --resolve-features"