Application security for modern engineering teams.

Supply chain, runtime testing, and registry controls in one platform. Start with dependency scanning — expand to pentesting and package governance when you need it.

~/rorix/scan · net8.0
dependency graph · 33 shown / 847 total · 3 vulnerable paths
// 01 · PRODUCTS

Start with supply chain. Expand when you need more.

The buying wedge is straightforward: secure NuGet usage first, then layer on runtime testing and stricter package controls.

Supply Chain

Audit NuGet dependencies the way .NET teams actually work: full graph resolution, SBOM export, license controls, typosquat detection, and CI-ready workflows.

NuGet vulnerability audits with EPSS context
CycloneDX and SPDX SBOM exports
License policy and ownership controls
Typosquat and dependency-confusion signals
Dependency graph with vulnerable path tracing
GitHub Action and CLI-based workflows
// live audit · MyApp.Web.csproj · scanning…
OK   Newtonsoft.Json 13.0.3 · 0 vulns
CRIT System.Text.Json 6.0.0 · CVE-2024-30105 · 9.8
HIGH Azure.Identity 1.10.0 · CVE-2024-21386 · 7.5
OK   Serilog 3.1.1 · 0 vulns
MED  IdentityServer4 4.1.2 · EOL · 6.5
OK   EntityFrameworkCore 8.0.2 · 0 vulns
OK   AutoMapper 12.0.1 · 0 vulns

Pentesting

Run verified scans against the apps and APIs you own. Useful after you have dependency visibility in place.

  • DNS-based domain verification
  • Nuclei plus API fuzzing
  • Structured executive reports
Run a pentest →

Registry

A controlled NuGet intake layer with provenance, allowlists, and policy enforcement before packages reach production.

  • Package approval workflows
  • Provenance and rebuild checks
  • Organization policy controls
Govern packages →
// 02 · WORKFLOW

From scan to fix in minutes

A complete security workflow that plugs into the repos and pipelines you already run.

Scan every .NET format

Upload a .csproj, point at a .sln, or trigger via CI. Rorix auto-discovers all project files and resolves the full dependency graph — including transitive packages across target frameworks.

  • .csproj, .sln, packages.config
  • Directory.Packages.props, global.json
  • nuget.config, .deps.json, lock files
discovered 5 files · 989 packages resolved
01 src/Api/Contoso.Web.Api.csproj · 142 pkgs
02 src/Core/Contoso.Core.csproj · 89 pkgs
03 tests/Contoso.Tests.csproj · 47 pkgs
04 Directory.Packages.props · 12 pkgs
05 global.json · 5 pkgs
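The discovery and resolution step above (find every project file, read the package references, resolve versions per target framework) is easy to get wrong around Central Package Management and conditional ItemGroups. The script below is an added example, not Rorix's code: it writes a constructed two-file repository to a temp directory, discovers the project files, reads the central versions from Directory.Packages.props, and resolves each PackageReference per target framework with CPM precedence (VersionOverride, then Version, then the central entry). Only the `'$(TargetFramework)' == 'x'` condition shape is evaluated; other MSBuild conditions and `<Version>` child elements are deliberately out of scope.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample repository (not a real project): an SDK-style csproj that
# multi-targets two frameworks, plus a Directory.Packages.props holding the
# versions under Central Package Management (CPM).
SAMPLE_FILES = {
    "Directory.Packages.props": """<Project>
  <ItemGroup>
    <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageVersion Include="System.Text.Json" Version="6.0.0" />
    <PackageVersion Include="Serilog" Version="3.0.0" />
  </ItemGroup>
</Project>
""",
    "src/Api/Contoso.Web.Api.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net8.0;netstandard2.0</TargetFrameworks>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" />
    <PackageReference Include="Serilog" VersionOverride="3.1.1" />
  </ItemGroup>
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
    <PackageReference Include="System.Text.Json" />
  </ItemGroup>
</Project>
""",
}

PROJECT_PATTERNS = ("*.csproj", "*.sln", "packages.config",
                    "Directory.Packages.props", "global.json", "nuget.config")
COND_RE = re.compile(r"'\$\(TargetFramework\)'\s*==\s*'([^']+)'")


def build_sample_repo() -> Path:
    """Write the constructed files into a temp directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="rorix-example-"))
    for rel, text in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return root


def discover_project_files(root: Path) -> list[str]:
    """Auto-discover every project/config file a scanner would read."""
    found = {p.relative_to(root).as_posix()
             for pattern in PROJECT_PATTERNS for p in root.rglob(pattern)}
    return sorted(found)


def local(tag: str) -> str:
    """Legacy csproj files carry an MSBuild xmlns; compare local names only."""
    return tag.split("}")[-1]


def load_central_versions(root: Path) -> dict[str, str]:
    """Read PackageVersion entries from Directory.Packages.props, if present."""
    props = root / "Directory.Packages.props"
    if not props.exists():
        return {}
    return {el.attrib["Include"]: el.attrib["Version"]
            for el in ET.parse(props).getroot().iter()
            if local(el.tag) == "PackageVersion" and "Include" in el.attrib}


def direct_packages(csproj: Path, central: dict[str, str]) -> dict[tuple[str, str], str]:
    """Map (package, target framework) -> version for one project.
    Precedence: VersionOverride, then Version, then the central version.
    Only '$(TargetFramework)' == 'x' conditions are honoured (simplification)."""
    tree = ET.parse(csproj).getroot()
    tfms: list[str] = []
    for el in tree.iter():
        if local(el.tag) == "TargetFrameworks":
            tfms = [t.strip() for t in (el.text or "").split(";") if t.strip()]
        elif local(el.tag) == "TargetFramework" and not tfms:
            tfms = [(el.text or "").strip()]
    resolved: dict[tuple[str, str], str] = {}
    for group in tree.iter():
        if local(group.tag) != "ItemGroup":
            continue
        for ref in group:
            if local(ref.tag) != "PackageReference":
                continue
            cond = group.attrib.get("Condition", "") + ref.attrib.get("Condition", "")
            match = COND_RE.search(cond)
            name = ref.attrib["Include"]
            version = (ref.attrib.get("VersionOverride")
                       or ref.attrib.get("Version")
                       or central.get(name, "unresolved"))
            for tfm in ([match.group(1)] if match else tfms):
                resolved[(name, tfm)] = version
    return resolved
```

Running `direct_packages` on the constructed csproj yields Newtonsoft.Json and Serilog for both frameworks (Serilog at the overriding 3.1.1, not the central 3.0.0) and System.Text.Json for netstandard2.0 only, which is exactly the per-framework split that matters when an advisory applies to one version but the project ships two.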
// 03 · CAPABILITIES

Everything you need to ship securely

Dependency scanning today. Runtime testing and registry governance when you're ready to expand.

[Chart: severity distribution, CVSS v3.1 · critical 1, high 3, medium 3, low 3. Bars (score · package): 9.8 Json, 8.1 Json, 7.5 Identity, 7.2 Sql, 6.5 IdentityServer4, 5.4 File, 4.8 AutoMapper, 3.7 Polly, 3.1 FluentValidation, 2.4 MediatR]

Vulnerability Scanning

Deep audit with CVSS scores, CWE IDs, fix versions, and remediation guidance powered by OSV, GHSA, NVD, and EPSS exploit prediction.

{
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"components": 989
}

SBOM Generation

CycloneDX 1.6 and SPDX 2.3 with full license data included.

MIT 412
Apache-2.0 318
BSD-3 104
AGPL-3.0 2
Unknown 8

License Compliance

Classify licenses as permissive, copyleft, or unknown. Enforce allowlist and blocklist policies.

Newtonsof.Json → Newtonsoft.Json (distance 1)

Typosquatting Detection

Levenshtein distance analysis against top NuGet packages to catch malicious name squatting.
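The following is an added example of the Levenshtein-based check described above; it is not Rorix's implementation. It computes edit distance with two rolling rows, compares each candidate package ID case-insensitively (NuGet IDs are case-insensitive) against a constructed stand-in for the top-packages list, and tightens the threshold for short IDs so that a distance of 2 against a five-letter name is not reported as a squat.

```python
# Constructed list standing in for "top NuGet packages"; a real scanner would
# pull the download-ranked list from the feed rather than hard-code it.
POPULAR_PACKAGES = [
    "Newtonsoft.Json", "Serilog", "AutoMapper", "Polly", "MediatR",
    "FluentValidation", "Dapper", "NLog", "Moq", "xunit",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using two rolling rows."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, popular=POPULAR_PACKAGES, max_distance: int = 2):
    """Return (popular_name, distance) pairs that `name` sits suspiciously close to.

    An exact (case-insensitive) match is the popular package itself, so it is
    never flagged. IDs shorter than 8 characters get a threshold of 1, since a
    distance of 2 against a five-letter name would flag half the registry.
    """
    target = name.lower()
    hits = []
    for pkg in popular:
        cand = pkg.lower()
        if cand == target:
            return []
        limit = max_distance if len(cand) >= 8 else 1
        d = levenshtein(target, cand)
        if d <= limit:
            hits.append((pkg, d))
    return sorted(hits, key=lambda h: h[1])


def audit_names(names):
    """Map each suspicious package name to its nearest popular neighbours."""
    return {n: c for n in names if (c := typosquat_candidates(n))}
```

Distance alone is a signal, not a verdict: a real pipeline would combine a hit with publisher and age metadata before blocking, but the function already separates the interesting case (a near-miss on a well-known ID) from the noise (legitimate short names and the popular package itself).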

Dependency Graph

Interactive visualization of your full dependency tree with transitive path highlighting.


All .NET Formats

.csproj, .sln, packages.config, Directory.Packages.props, global.json, nuget.config, .deps.json.

grade A · vulns 0

Embeddable Badges

SVG badges for your README showing live security grade and vulnerability count.

✓ PR #482 — scan passed
✗ PR #481 — 2 critical
✓ PR #480 — scan passed
⚠ PR #479 — 1 license warn

GitHub Action

Audit on every PR. Auto-comment results, fail on critical vulnerabilities or grade thresholds.
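The vulnerability-scanning and PR-gating behaviour described in this section (match resolved versions against advisory ranges, attach CVSS and EPSS context plus a fix version, then fail the check on severity or grade) comes down to a version comparison and a policy decision. The block below is an added example, not Rorix's engine or grading scheme: the advisory table is constructed in OSV's introduced/fixed shape, the System.Text.Json entry reuses only the identifier, score and fix version shown on this page, the EPSS values and the Contoso.Legacy advisory are illustrative, and the letter-grade rule is an assumption made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str
    package: str
    introduced: str   # first affected version (inclusive), OSV-style
    fixed: str        # first fixed version (exclusive)
    cvss: float
    epss: float       # exploit-prediction probability, 0..1 (illustrative)


# Constructed advisory table; only CVE-2024-30105's id, score and fix version
# come from the page. EXAMPLE-ADV-0001 is a fictional advisory for a fictional
# package, present so the grading logic has a non-critical finding to rank.
ADVISORIES = [
    Advisory("CVE-2024-30105", "System.Text.Json", "6.0.0", "8.0.5", 9.8, 0.12),
    Advisory("EXAMPLE-ADV-0001", "Contoso.Legacy", "1.0.0", "1.3.0", 5.4, 0.02),
]


def parse_version(v: str):
    """Order NuGet versions: numeric core padded to four parts, with a prerelease
    sorting before the release of the same core (8.0.5-preview.1 < 8.0.5).
    Prerelease labels compare as plain strings, a simplification of SemVer 2."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (4 - len(nums))
    return (nums, 0 if pre else 1, pre)


def is_affected(version: str, adv: Advisory) -> bool:
    """introduced <= version < fixed, the OSV range semantics."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def severity(cvss: float) -> str:
    """CVSS v3.1 qualitative bands."""
    return ("critical" if cvss >= 9.0 else "high" if cvss >= 7.0
            else "medium" if cvss >= 4.0 else "low")


def scan(packages: dict[str, str], advisories=ADVISORIES) -> list[dict]:
    """Match resolved package versions against the advisory ranges,
    worst CVSS first, then highest exploit probability."""
    findings = []
    for adv in advisories:
        ver = packages.get(adv.package)
        if ver is not None and is_affected(ver, adv):
            findings.append({"id": adv.id, "package": adv.package, "version": ver,
                             "severity": severity(adv.cvss), "cvss": adv.cvss,
                             "epss": adv.epss, "fix": adv.fixed})
    return sorted(findings, key=lambda f: (-f["cvss"], -f["epss"]))


GRADES = "ABCDF"
SEVERITY_GRADE = {"critical": "F", "high": "D", "medium": "C", "low": "B"}


def grade(findings: list[dict]) -> str:
    """Letter grade from the worst finding (constructed rule for this example)."""
    return max((SEVERITY_GRADE[f["severity"]] for f in findings), default="A")


def gate(findings, fail_on=("critical", "high"), min_grade="C"):
    """PR check decision: fail on the listed severities or a grade below the floor.
    Returns (passed, reasons) so the reasons can go into the PR comment."""
    reasons = [f"{f['id']} is {f['severity']}" for f in findings if f["severity"] in fail_on]
    g = grade(findings)
    if GRADES.index(g) > GRADES.index(min_grade):
        reasons.append(f"grade {g} is below {min_grade}")
    return (not reasons, reasons)
```

The prerelease handling is the edge worth checking in any matcher: `8.0.5-preview.1` is still inside the affected range even though its core equals the fix version, and a comparison that strips the suffix would report it as clean.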

// 04 · DEVELOPER SURFACES

Lives where your team already works

A GitHub App that reviews every PR, and a CLI that runs anywhere. Same findings, same grades, same policies.

GITHUB APP · INSTALL IN 30s

Every pull request, reviewed.

Rorix installs as a GitHub App, runs on every PR, and posts a checks summary plus an auto-comment with CVE context, fix paths, and the exact packages that changed.

  • Blocking checks on critical/high vulnerabilities
  • Auto-comments with diff of added & bumped packages
  • Policy overrides with approval trail
  • Status badge grade on every PR
! rorix / supply-chain — 3 high-severity findings · Details
rorix / sbom — CycloneDX 1.6 generated · 847 components
rorix / license — 0 policy violations · 2 unknown
rorix-bot commented on #482 · just now
▲ Supply chain report · grade D
Found 3 high, 7 medium advisories across bumped packages.
System.Text.Json 6.0.0 → 8.0.5 resolves CVE-2024-30105

CLI · ONE BINARY

Scriptable. Pipeable. CI-native.

The same engine as the GitHub App, available anywhere a shell runs. Ship it in Docker, Jenkins, GitLab, TeamCity, or your own laptop.

~/acme · rorix@2.4.1
$ rorix scan ./src --sbom cyclonedx
discovering projects...
▸ Contoso.Web.Api.csproj net8.0 84 deps
▸ Contoso.Core.csproj net8.0 312 deps
▸ Contoso.Tests.csproj net8.0 41 deps
resolving transitive graph... 847 nodes
✗ 3 HIGH System.Text.Json@6.0.0 CVE-2024-30105
✗ 2 HIGH Newtonsoft.Json@12.0.3 CVE-2024-21907
▲ 7 MED see: rorix audit --details
✓ sbom.cdx.json written (847 components)
// 05 · BADGES

Embeddable badges for your README

Show your security posture with live-updating SVG badges. Drop them into any README, wiki, or dashboard.

Preview: rorix A · vulns 0 · sbom ok · license ok

README.md (markdown):
<!-- Grade badge -->
![rorix](https://rorix.io/api/badge/audit?type=grade&csproj=URL)

<!-- Vuln count badge -->
![vulns](https://rorix.io/api/badge/audit?type=vulns&csproj=URL)

<!-- SBOM available -->
![sbom](https://rorix.io/api/badge/audit?type=sbom&csproj=URL)
NuGet packages monitored · refreshed hourly
Known vulnerabilities tracked · OSV + GHSA + NVD + vendor
.NET project formats supported · .csproj to .deps.json
Advisory sources aggregated · cross-referenced per scan
// 06 · INTEGRATIONS

Fits into your stack on day one

No rip-and-replace. Works with the tools you already use.

GitHub
Azure DevOps
NuGet
GitLab CI
Jenkins
JetBrains
Slack
Jira
Teams
PagerDuty
// 07 · ENTERPRISE

Enterprise ready from day one

Built with the guardrails your security and compliance teams require.

SSO + SCIM

SAML 2.0, OIDC, and SCIM user provisioning. Okta, Azure AD, Google Workspace.

Role-based Access

Scoped permissions for engineers, security, and leadership. Per-repo and per-team controls.

Compliance Reports

Pre-built templates for SOC 2 Type II, ISO 27001, FedRAMP, and PCI DSS 4.0. Exportable PDF and CSV evidence.

Audit Trail

Every scan, policy change, override, and user action logged with timestamp and actor. SIEM integration via webhooks.

◆ start in 30 seconds

Scan your first NuGet project in 30 seconds.

Start with the dependency graph your team already ships. Get vulnerability, SBOM, license, and typosquat coverage without buying a full AppSec platform first.

See the GitHub Action path