Technical

Technical supply-chain evidence your team can inspect, defend, and ship with.

QuickChain connects SBOM generation, CVE correlation, reachability evidence, fix guidance, and exportable review packages.

The output is built for technical teams that need the details: where a finding came from, whether there is runtime evidence, what fix data exists, and how the result affects release policy.

Scan engines: Syft, cdxgen, Grype, Trivy
Repository sources: GitHub and Bitbucket
Evidence formats: SBOM, OpenVEX, CSV, JSON

How a QuickChain scan works today

The scan path is deterministic, evidence-first, and built around files technical teams already recognize.

01

Connect the repository

QuickChain currently supports GitHub and Bitbucket repository URLs. Authenticated scans clone the repository into a temporary scan directory and clean it up after the job finishes.

02

Generate merged SBOM evidence

Syft produces the primary CycloneDX SBOM. When cdxgen is available, QuickChain merges its output into the same component graph and tags source-tool evidence.

03

Correlate vulnerabilities and reachability

Grype scans the generated SBOM. Trivy filesystem results are merged when available. QuickChain adds reachability basis, confidence, evidence, remediation, and fix-version fields.

04

Export evidence packages

Technical teams and reviewers can download SBOM, OpenVEX, compliance, risk reduction, policy gate, and predictive-risk packages. Each package includes a manifest listing the SHA-256 hash of every file, so the contents can be verified after download.
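The integrity check a reviewer would run on a downloaded package, as an added example rather than QuickChain's own code: build a ZIP with a manifest of SHA-256 hashes, then verify every member against it and flag tampered, missing, or unlisted files. The manifest layout (a manifest.json with a "files" map of name to sha256 and size) and the sample artifacts are assumptions constructed for the demo.

```python
"""Build and verify a ZIP evidence package whose manifest records a SHA-256 per file.

Added example, not QuickChain's code: the manifest layout (manifest.json with a
"files" map of name -> sha256/size) is an assumption chosen for illustration.
"""
from __future__ import annotations
import hashlib
import hmac
import io
import json
import zipfile

MANIFEST_NAME = "manifest.json"

# Constructed sample artifacts standing in for a real SBOM and VEX export.
SAMPLE_ARTIFACTS = {
    "sbom.cdx.json": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}).encode(),
    "vex.openvex.json": json.dumps({"@context": "https://openvex.dev/ns/v0.2.0", "statements": []}).encode(),
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_package(artifacts: dict) -> bytes:
    """Return ZIP bytes holding every artifact plus a manifest of their SHA-256 hashes."""
    manifest = {
        "version": 1,
        "files": {name: {"sha256": sha256_hex(data), "size": len(data)}
                  for name, data in sorted(artifacts.items())},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sorted(artifacts.items()):
            zf.writestr(name, data)
        zf.writestr(MANIFEST_NAME, json.dumps(manifest, indent=2, sort_keys=True))
    return buf.getvalue()

def verify_package(package: bytes) -> dict:
    """Check each member against the manifest.

    Returns {name: "ok" | "mismatch" | "missing" | "unlisted"}. Anything other than
    all-"ok" means the package must not be trusted as review evidence.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        manifest = json.loads(zf.read(MANIFEST_NAME))
        present = {n for n in zf.namelist() if n != MANIFEST_NAME}
        for name, meta in manifest["files"].items():
            if name not in present:
                results[name] = "missing"
                continue
            data = zf.read(name)
            same = hmac.compare_digest(sha256_hex(data), meta["sha256"]) and len(data) == meta["size"]
            results[name] = "ok" if same else "mismatch"
        for name in present - set(manifest["files"]):
            results[name] = "unlisted"  # a member the manifest never vouched for
    return results

def rewrite_members(package: bytes, changes: dict) -> bytes:
    """Edit members without touching the manifest (simulates tampering or truncation).

    changes maps name -> new bytes; None drops the member; an unknown name adds one.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if item.filename in changes:
                if changes[item.filename] is None:
                    continue
                dst.writestr(item.filename, changes[item.filename])
            else:
                dst.writestr(item.filename, src.read(item.filename))
        for name, data in changes.items():
            if name not in src.namelist() and data is not None:
                dst.writestr(name, data)
    return out.getvalue()

if __name__ == "__main__":
    pkg = build_package(SAMPLE_ARTIFACTS)
    print(verify_package(pkg))
    print(verify_package(rewrite_members(pkg, {"sbom.cdx.json": b"{}"})))
```

A manifest inside the ZIP catches corruption or edits to individual members, but not replacement of the whole package by someone who rewrites the manifest too. To close that gap, record the manifest's own hash somewhere the package cannot alter (a release ticket, a signed attestation, or a hash published out-of-band) and compare it before running the verification above.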

Every vulnerability needs context before it becomes work.

QuickChain stores the fields a technical reviewer needs to triage and explain a finding, then uses the same evidence for policy gates, reports, and business views.

  • CVE or advisory identifier
  • Affected package and version
  • Severity and scanner description
  • Reachability status and evidence basis
  • Reachability confidence
  • Fix-version evidence when available
  • Deterministic remediation guidance
  • Policy-gate treatment

What QuickChain supports now

The product is focused on repository-based supply-chain evidence, exportable standards, and repeatable review packages.

Repository integrations

  • GitHub App installation
  • Bitbucket OAuth and repository import
  • Local scan target when configured

Scan engines

  • Syft for primary SBOM generation
  • cdxgen for supplemental SBOM context
  • Grype for SBOM vulnerability correlation
  • Trivy filesystem results when installed

Evidence formats

  • CycloneDX JSON SBOM
  • OpenVEX JSON
  • CSV extracts
  • DOCX executive reports
  • XLSX workbooks
  • ZIP packages with manifest hashes

Review workflows

  • Policy gate pass, warn, fail output
  • Risk reduction comparison between scans
  • Compliance profile packages
  • Predictive dependency risk action queue

The reachability layer starts with dependency and code evidence.

QuickChain checks known dependency manifests and scans code references to attach runtime evidence where the repository gives enough signal.

Dependency manifests

  • package.json
  • requirements.txt
  • pyproject.toml
  • Pipfile
  • go.mod
  • Cargo.toml
  • build.gradle
  • build.gradle.kts

Code reference coverage

  • JavaScript
  • TypeScript
  • Python
  • Java
  • Go
  • Ruby
  • PHP
  • C#
  • Kotlin
  • Swift
  • Rust
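What "dependency manifests plus code references" looks like in practice, as an added example that is not QuickChain's implementation: parse package.json, requirements.txt and go.mod for declared dependencies, scan source files for import statements, and label each dependency with a reachability basis and confidence. The in-memory repository, the basis and confidence labels, and the PyPI alias table are all assumptions constructed for the demo; coverage is limited to npm, PyPI and Go modules here.

```python
"""Attach a reachability basis to declared dependencies from manifests and code references.

Added example, not QuickChain's implementation. The repository is an in-memory
{path: text} dict constructed for the demo; the basis and confidence labels and the
PyPI alias table are assumptions. Coverage here is npm, PyPI and Go modules only.
"""
from __future__ import annotations
import json
import re
from pathlib import PurePosixPath

# Constructed mini-repository; nothing here is a real project.
REPO = {
    "package.json": json.dumps({"dependencies": {"lodash": "^4.17.20", "express": "^4.18.2"}}),
    "src/app.js": "const _ = require('lodash');\nconst util = require('./util');\n",
    "requirements.txt": "requests==2.31.0\nPyYAML>=6.0  # parser\n",
    "app.py": "import yaml\nfrom requests.adapters import HTTPAdapter\n",
    "go.mod": "module example.com/app\n\ngo 1.21\n\nrequire (\n\tgolang.org/x/crypto v0.17.0\n\tgithub.com/gorilla/mux v1.8.1\n)\n",
    "main.go": 'package main\n\nimport (\n\t"fmt"\n\t"github.com/gorilla/mux"\n)\n',
}

# PyPI distribution names often differ from import names; this is an assumed starter table.
PYPI_IMPORT_ALIASES = {"pyyaml": "yaml", "beautifulsoup4": "bs4", "pillow": "pil"}
ECOSYSTEM_EXTS = {"npm": {".js", ".jsx", ".ts", ".tsx"}, "pypi": {".py"}, "go": {".go"}}

PY_IMPORT = re.compile(r"^\s*(?:from\s+([\w.]+)\s+import|import\s+([\w.]+))", re.M)
JS_IMPORT = re.compile(r"""(?:\bfrom\s+|\brequire\(\s*|^\s*import\s+)['"]([^'"]+)['"]""", re.M)
GO_IMPORT = re.compile(r'import\s*\(([^)]*)\)|import\s+"([^"]+)"', re.S)
GO_PATH = re.compile(r'"([^"]+)"')
REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def declared_dependencies(repo: dict) -> list:
    """Return (ecosystem, package, version_spec) triples from the manifests found in the repo."""
    deps = []
    for path, text in repo.items():
        base = PurePosixPath(path).name
        if base == "package.json":
            data = json.loads(text)
            for section in ("dependencies", "devDependencies"):
                deps += [("npm", pkg, spec) for pkg, spec in data.get(section, {}).items()]
        elif base == "requirements.txt":
            for line in text.splitlines():
                line = line.split("#", 1)[0].strip()
                m = REQ_NAME.match(line)
                if m:
                    deps.append(("pypi", m.group(1).lower(), line[m.end():].strip()))
        elif base == "go.mod":
            in_block = False
            for line in text.splitlines():
                s = line.strip()
                if s.startswith("require ("):
                    in_block = True
                elif s == ")":
                    in_block = False
                elif in_block or s.startswith("require "):
                    parts = s.removeprefix("require ").split()
                    if len(parts) >= 2 and not parts[0].startswith("//"):
                        deps.append(("go", parts[0], parts[1]))
    return deps

def code_references(repo: dict) -> dict:
    """Map each source file to the package roots it imports; relative imports are dropped."""
    refs = {}
    for path, text in repo.items():
        ext, found = PurePosixPath(path).suffix, set()
        if ext == ".py":
            found = {(a or b).split(".")[0].lower() for a, b in PY_IMPORT.findall(text)}
        elif ext in ECOSYSTEM_EXTS["npm"]:
            for spec in JS_IMPORT.findall(text):
                if not spec.startswith("."):
                    parts = spec.split("/")
                    found.add("/".join(parts[:2]) if spec.startswith("@") else parts[0])
        elif ext == ".go":
            for block, single in GO_IMPORT.findall(text):
                found.update(GO_PATH.findall(block) if block else [single])
        if found:
            refs[path] = found
    return refs

def reachability_basis(repo: dict) -> list:
    """Label each declared dependency with the evidence found for it and a confidence level."""
    refs = code_references(repo)
    rows = []
    for eco, pkg, spec in declared_dependencies(repo):
        want = PYPI_IMPORT_ALIASES.get(pkg, pkg) if eco == "pypi" else pkg
        evidence = []
        for path, names in refs.items():
            if PurePosixPath(path).suffix not in ECOSYSTEM_EXTS[eco]:
                continue
            if eco == "go":
                hit = any(n == pkg or n.startswith(pkg + "/") for n in names)
            else:
                hit = want in names
            if hit:
                evidence.append(path)
        rows.append({
            "ecosystem": eco, "package": pkg, "spec": spec,
            "basis": "code_reference" if evidence else "manifest_only",
            # An import proves the package is loaded, not that the vulnerable function runs,
            # so even a hit is capped at "medium"; manifest-only evidence stays "low".
            "confidence": "medium" if evidence else "low",
            "evidence": sorted(evidence),
        })
    return rows

if __name__ == "__main__":
    for row in reachability_basis(REPO):
        print(row)
```

Two caveats a reviewer should keep in mind with this kind of evidence: the PyPI alias table has to be maintained, because a package whose import name differs from its distribution name (PyYAML, beautifulsoup4, python-dateutil) otherwise looks "manifest only" and could be wrongly suppressed; and an import-level hit only shows the package is loaded, so a "not reachable" call on this basis alone should carry low confidence until function-level evidence backs it up.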

Technical questions

Does QuickChain store source code?

The scan backend uses a temporary clone directory for authenticated remote scans and removes it in the scan cleanup step. Persisted evidence is the generated SBOM, VEX, findings, summaries, and export artifacts.

How does QuickChain decide whether a CVE matters?

The product keeps scanner severity, package identity, fix evidence, reachability basis, runtime exposure, and known-exploited-vulnerability or EPSS-style exploit-probability signals when they are present. The policy gate and predictive model use those signals to prioritize action.
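How the triage fields listed earlier on this page (identifier, package, severity, reachability status and basis, confidence, fix version) turn into an OpenVEX statement and a pass/warn/fail gate treatment, as an added example that is not QuickChain's code. The finding-record layout, the gate rules and the confidence threshold are assumptions chosen for illustration; the OpenVEX document fields, status values and justification strings follow the OpenVEX specification. The vulnerability identifiers and package URLs are constructed placeholders, not real advisories.

```python
"""Turn triaged findings into OpenVEX statements and a policy-gate verdict.

Added example, not QuickChain's code. The finding-record layout, the gate rules and the
confidence threshold are assumptions for illustration; the OpenVEX field names,
statuses and justification values follow the OpenVEX spec. Vulnerability IDs are
constructed placeholders, not real advisories.
"""
from __future__ import annotations
from datetime import datetime, timezone

# Constructed triage records carrying the fields listed on this page.
FINDINGS = [
    {"id": "EXAMPLE-VULN-0001", "purl": "pkg:npm/example-lib@1.2.3", "severity": "critical",
     "description": "constructed scanner text", "reachability": "reachable",
     "basis": "code_reference", "confidence": 0.8, "fix_version": "1.2.4"},
    {"id": "EXAMPLE-VULN-0002", "purl": "pkg:pypi/example-tool@2.0.0", "severity": "high",
     "description": "constructed scanner text", "reachability": "not_reachable",
     "basis": "manifest_only", "confidence": 0.9, "fix_version": None},
    {"id": "EXAMPLE-VULN-0003", "purl": "pkg:golang/example.com/mod@0.5.0", "severity": "high",
     "description": "constructed scanner text", "reachability": "not_reachable",
     "basis": "code_reference", "confidence": 0.4, "fix_version": "0.6.0"},
    {"id": "EXAMPLE-VULN-0004", "purl": "pkg:npm/example-cli@3.1.0", "severity": "low",
     "description": "constructed scanner text", "reachability": "unknown",
     "basis": None, "confidence": 0.0, "fix_version": None},
]

# Assumed threshold: weak "not reachable" evidence must never suppress a finding.
MIN_CONFIDENCE_TO_SUPPRESS = 0.7
GATE_ORDER = {"pass": 0, "warn": 1, "fail": 2}

def vex_status(f: dict) -> tuple:
    """Map reachability evidence to an OpenVEX (status, justification) pair."""
    if f["reachability"] == "not_reachable" and f["confidence"] >= MIN_CONFIDENCE_TO_SUPPRESS:
        return "not_affected", "vulnerable_code_not_in_execute_path"
    if f["reachability"] == "reachable":
        return "affected", None
    return "under_investigation", None  # unknown, or not_reachable on weak evidence

def remediation(f: dict) -> str:
    """Deterministic guidance derived only from the fix-version evidence on the record."""
    name, _, version = f["purl"].rpartition("@")
    if f["fix_version"]:
        return f"Upgrade {name} from {version} to {f['fix_version']}"
    return f"No fix version recorded for {name}; track upstream and document compensating controls"

def gate_treatment(f: dict) -> str:
    """Assumed gate rules: reachable high/critical with a fix fails; reachable without a fix,
    or unresolved high/critical, warns; everything else passes."""
    status, _ = vex_status(f)
    high = f["severity"].lower() in ("critical", "high")
    if status == "affected":
        return "fail" if high and f["fix_version"] else "warn"
    if status == "under_investigation" and high:
        return "warn"
    return "pass"

def build_openvex(findings: list, author: str = "example-author",
                  doc_id: str = "urn:uuid:00000000-0000-0000-0000-000000000000") -> dict:
    """Emit an OpenVEX document; not_affected statements carry the evidence basis so a
    reviewer can see why a finding was suppressed."""
    statements = []
    for f in findings:
        status, justification = vex_status(f)
        stmt = {"vulnerability": {"name": f["id"]}, "products": [{"@id": f["purl"]}], "status": status}
        if justification:
            stmt["justification"] = justification
            stmt["impact_statement"] = f"basis={f['basis']}; confidence={f['confidence']}"
        if status == "affected":
            stmt["action_statement"] = remediation(f)
        statements.append(stmt)
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": doc_id,
        "author": author,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "version": 1,
        "statements": statements,
    }

def gate_verdict(findings: list) -> tuple:
    """Per-finding treatment plus the worst case as the overall release-gate result."""
    per = {f["id"]: gate_treatment(f) for f in findings}
    overall = max(per.values(), key=GATE_ORDER.__getitem__, default="pass")
    return overall, per

if __name__ == "__main__":
    import json
    print(json.dumps(build_openvex(FINDINGS), indent=2))
    print(gate_verdict(FINDINGS))
```

The design choice worth copying is the confidence floor: a "not reachable" result below the threshold is emitted as under_investigation rather than not_affected, so a low-confidence reachability call never silently removes a high-severity finding from the gate. Whatever threshold a team picks, it should be recorded alongside the VEX document so a later reviewer can reproduce the decision.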

Can technical teams still inspect the raw evidence?

Yes. The product keeps structured SBOM, VEX, finding, CSV, JSON, DOCX, XLSX, and package manifest outputs so technical reviewers can inspect the underlying data.

What ecosystems are strongest today?

The current reachability logic looks for common manifest files and code references across JavaScript, TypeScript, Python, Java, Go, Ruby, PHP, C#, Kotlin, Swift, and Rust projects.

Give technical teams evidence they can actually use.