DEV Community

Huỳnh Lê Nhất Nghĩa
Huỳnh Lê Nhất Nghĩa

Posted on

Introducing Synapse: a deterministic-first, open-source SCA and evidence platform

We just open-sourced Synapse, a governed control plane for software composition analysis,
recon, evidence, and reporting. It is built for people who have to scan a dependency tree,
prove what they found, and hand over a report that holds up.

Why we built it

The usual workflow is fragmented. One tool for the SBOM, another for vulnerabilities, a
spreadsheet for licenses, a folder of screenshots for evidence, and a report you assemble by
hand. Nothing is reproducible, and when a client asks "how do you know this is real," the
answer lives in someone's memory. Adding an LLM that writes your findings only makes that
worse. We wanted the opposite: fast, but provable.

What it is

Synapse runs the assessment lifecycle behind one control plane, in Go, clean architecture. A
few ideas hold it together:

  • Deterministic-first. Scanning, matching, license classification, and reporting are pure, reproducible Go. There is no model in the report path.
  • Scope-gated execution. Every engagement carries a scope and an authorization window, enforced server-side before any tool runs. Tools run via argument arrays, never a shell string.
  • Tamper-evident evidence. Every artifact is hash-chained and append-only. A broken chain blocks the report.
  • Bounded automation. The optional AI layer only ever proposes. A distinct verifier or a human confirms. The agent can never confirm its own claim.

What it does today: SBOM across 15+ ecosystems, multi-source vulnerability detection with
risk-based prioritization (KEV, then EPSS, then CVSS), license compliance, reachability, and
deterministic reports in CycloneDX, SPDX, SARIF, and OpenVEX.

Try it

git clone https://github.com/KKloudTarus/synapse-ce.git
cd synapse-ce
docker compose -f deploy/docker-compose.full.yml up --build
# open http://localhost:5173
Enter fullscreen mode Exit fullscreen mode

Or gate CI on real risk: ./bin/synapse-cli scan . --fail-on high.

We are looking for contributors

Synapse is open source because this kind of tool gets better with more eyes on it. Good places
to jump in:

  • New ecosystems and lockfile parsers
  • Detection quality and false-positive reduction
  • Reachability and SAST coverage
  • Reporting and standards (OpenVEX, CSAF, SARIF)
  • The dashboard (Vite, React, Tailwind) and the docs

Start with the documentation
and CONTRIBUTING, run it
locally, then open an issue or send a pull request.

One note: Synapse is for authorized security testing only. It validates scope data but cannot
verify your legal authorization, so use it only against systems you are allowed to test.

If it looks useful, a star helps other people find it, and if you want to build with us, open
an issue and say hello.

Top comments (1)

Collapse
 
truong_an_cornduck profile image
Truong An

Tuỵt zờiiiiiii