DEPTEX: Organization-First, Open Source Dependency Risk Monitoring

Abstract

Open-source software (OSS) dependencies introduce systemic risks that are difficult to manage at scale. Existing Software Composition Analysis (SCA) and reachability tools generate severe alert fatigue by treating risk as an intrinsic component property, ignoring semantic context and forcing enterprises into rigid compliance frameworks. We present Deptex, an organization-first, graph-based platform treating supply chain risk as emergent. Deptex introduces Execution Path Dominance (EPD), fusing Code Property Graph (CPG) slicing with Large Language Model (LLM) semantic verification to calculate a vulnerability's true operational blast radius. To handle bespoke compliance, Deptex abstracts governance into a programmable ``As Code'' engine, enabling security teams to natively enforce dynamic pull request policies, custom asset tiers, and external API integrations. By shifting from reactive scanning to context-aware governance, Deptex enables proactive, efficient, and aligned supply chain risk management.