Verified true positives.
Open PRs. Zero ceremony.
Your scanners produce 4,000 alerts. 12 matter. Verdict shows you which — verified against your code, your prod asset map, and your dependency graph. Then it opens the PR.
Connect GitHub or GitLab. Works on any tier — we scan your lockfiles against OSV ourselves, no Dependabot required.
No card. 5-min setup. Free during preview.
| Finding | Repository | Fix |
| --- | --- | --- |
| Prototype pollution in lodash.mergewith | acme/billing-api | → 4.6.2 |
| Live AWS access key leaked | acme/data-pipeline | → rotate |
| axios SSRF via crafted URL | acme/billing-api | → 1.7.4 |
| requests cert verification skipped | acme/ml-trainer | → 2.32.0 |
| Outdated express with known DoS | acme/marketing-site | → 4.19.2 |
Verified, not detected
Seven deterministic stages — severity, EPSS, KEV, fix-availability, prod-asset, runtime-dep, and Tree-sitter import reachability. Findings that don't clear them go to Likely or Suppressed — never silently dropped.
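The staged gate described above, as an added example that is not Verdict's code: each stage is a deterministic predicate, a KEV listing escalates a finding past the severity and EPSS thresholds, and a finding that fails a stage is downgraded to Likely or Suppressed with its reasons recorded rather than dropped. The stage names, the 5% EPSS threshold, the hard/soft split and every sample finding are constructed assumptions.

```python
"""Added example, not Verdict's code: a deterministic, staged triage gate in the
spirit of the seven stages named above. Stage names, thresholds, the hard/soft
split and every sample finding are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
EPSS_THRESHOLD = 0.05  # assumption: 5% 30-day exploitation probability


@dataclass(frozen=True)
class Finding:
    id: str
    repo: str
    package: str
    severity: str
    epss: float                 # EPSS score, 0.0 .. 1.0
    in_kev: bool                # listed in CISA's Known Exploited Vulnerabilities catalog
    fix_version: Optional[str]  # None when no fixed release exists
    prod_asset: bool            # repo maps to a production asset
    runtime_dep: bool           # dependency ships at runtime, not dev/test-only
    imported: bool              # vulnerable module is actually imported (e.g. Tree-sitter)


# Stages whose failure means "not worth a PR" versus stages that can have
# false negatives (reachability, scores) and therefore only downgrade.
HARD_STAGES = {"severity", "fix_available", "prod_asset", "runtime_dep"}
SOFT_STAGES = {"epss", "reachable"}


def run_stages(f: Finding) -> Dict[str, bool]:
    """Evaluate every stage; a KEV listing escalates past the score thresholds."""
    return {
        "severity":      SEVERITY_RANK[f.severity] >= SEVERITY_RANK["medium"] or f.in_kev,
        "epss":          f.epss >= EPSS_THRESHOLD or f.in_kev,
        "kev":           f.in_kev,  # recorded for the audit trail, not a gate
        "fix_available": f.fix_version is not None,
        "prod_asset":    f.prod_asset,
        "runtime_dep":   f.runtime_dep,
        "reachable":     f.imported,
    }


def classify(f: Finding) -> Tuple[str, List[str]]:
    """Return (bucket, failed_stages); bucket is verified | likely | suppressed."""
    results = run_stages(f)
    failed = [s for s, ok in results.items()
              if not ok and s in HARD_STAGES | SOFT_STAGES]
    if any(s in HARD_STAGES for s in failed):
        return "suppressed", failed
    if failed:
        return "likely", failed
    return "verified", failed


def triage(findings: List[Finding]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Bucket every finding; nothing is dropped and each carries its reasons."""
    buckets: Dict[str, List[Tuple[str, List[str]]]] = {
        "verified": [], "likely": [], "suppressed": []}
    for f in findings:
        bucket, failed = classify(f)
        buckets[bucket].append((f.id, failed))
    return buckets


# Constructed sample findings, loosely modelled on the table above.
SAMPLE = [
    Finding("F1", "acme/billing-api", "lodash.mergewith", "high", 0.20, False, "4.6.2", True, True, True),
    Finding("F2", "acme/billing-api", "axios", "high", 0.10, False, "1.7.4", True, True, False),
    Finding("F3", "acme/ml-trainer", "requests", "medium", 0.01, False, "2.32.0", True, True, True),
    Finding("F4", "acme/marketing-site", "express", "high", 0.30, False, "4.19.2", False, True, True),
    Finding("F5", "acme/billing-api", "somelib", "low", 0.01, True, "2.0.1", True, True, True),
    Finding("F6", "acme/billing-api", "otherlib", "critical", 0.90, False, None, True, True, True),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(bucket, items)
```

The split between hard and soft stages is the design decision that matters: a dependency that is not in production or has no fix is not actionable, so it is suppressed; import reachability and EPSS can miss dynamic imports or newly weaponised bugs, so failing them only demotes to Likely, where a human still sees the finding.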
Auto-PR / Merge Request
When the verifier says yes, Verdict opens a PR on GitHub or a Merge Request on GitLab — draft until CI is green, then ready to review. Monorepo-aware.
Works on any host, any tier
GitHub + GitLab. We scan your lockfiles against OSV ourselves — no Dependabot or GitLab Ultimate needed. Already have Snyk, Dependabot, or Trivy? We dedup them into one canonical finding.
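The two mechanics named above (lockfile-to-OSV scanning and deduplicating overlapping scanner output), as an added example that is not Verdict's or OSV's code. The first function turns a `package-lock.json` (lockfileVersion 3) into the request body for OSV's real `POST https://api.osv.dev/v1/querybatch` endpoint without calling it; the second folds findings from several scanners into one canonical finding keyed by ecosystem, package, installed version and a canonical advisory id. The lockfile, the scanner output, and the alias table (which stands in for OSV's `aliases` field) are constructed samples, and the advisory ids are placeholders.

```python
"""Added example, not Verdict's code: build an OSV querybatch body from a
lockfile and deduplicate multi-scanner findings into canonical findings.
All inputs below are constructed; advisory ids are placeholders."""
import json
from typing import Dict, List

# Constructed package-lock.json v3 excerpt (one dev-only dependency).
LOCKFILE = json.dumps({
    "name": "billing-api", "lockfileVersion": 3,
    "packages": {
        "": {"name": "billing-api", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/axios": {"version": "1.6.0"},
        "node_modules/jest": {"version": "29.7.0", "dev": True},
    },
})


def osv_querybatch_body(lock_json: str, include_dev: bool = False) -> dict:
    """Body for POST /v1/querybatch: {"queries": [{"package": {...}, "version": ...}]}."""
    lock = json.loads(lock_json)
    if lock.get("lockfileVersion") != 3:
        raise ValueError("only lockfileVersion 3 is handled in this example")
    queries = []
    for path, meta in lock["packages"].items():
        if not path or (meta.get("dev") and not include_dev):
            continue  # skip the root entry and dev-only deps
        name = path.rsplit("node_modules/", 1)[-1]  # nested node_modules paths
        queries.append({"package": {"name": name, "ecosystem": "npm"},
                        "version": meta["version"]})
    return {"queries": queries}


# Constructed alias groups in the shape of OSV's "aliases" field; the first id
# in each group is the canonical one (CVE preferred when present).
ALIAS_GROUPS = [
    ["CVE-YYYY-0001", "GHSA-PLACEHOLDER-0001"],  # placeholders, not real advisories
    ["CVE-YYYY-0002", "GHSA-PLACEHOLDER-0002"],
]
CANONICAL_ID = {alias: group[0] for group in ALIAS_GROUPS for alias in group}

# Constructed output from three scanners reporting the same two bugs.
RAW = [
    {"scanner": "snyk", "id": "GHSA-PLACEHOLDER-0001", "ecosystem": "npm",
     "package": "lodash", "version": "4.17.20", "fix": "4.17.21"},
    {"scanner": "dependabot", "id": "CVE-YYYY-0001", "ecosystem": "npm",
     "package": "lodash", "version": "4.17.20", "fix": "4.17.21"},
    {"scanner": "trivy", "id": "CVE-YYYY-0001", "ecosystem": "NPM",
     "package": "Lodash", "version": "4.17.20", "fix": "4.17.21"},
    {"scanner": "trivy", "id": "CVE-YYYY-0002", "ecosystem": "npm",
     "package": "axios", "version": "1.6.0", "fix": "1.7.4"},
]


def canonical_key(raw: dict) -> tuple:
    """Normalise case and map aliases so equivalent reports collide."""
    return (raw["ecosystem"].lower(), raw["package"].lower(), raw["version"],
            CANONICAL_ID.get(raw["id"], raw["id"]))


def dedup(raw_findings: List[dict]) -> List[dict]:
    """Merge reports sharing a canonical key, keeping every source scanner."""
    merged: Dict[tuple, dict] = {}
    for r in raw_findings:
        key = canonical_key(r)
        entry = merged.setdefault(key, {
            "ecosystem": key[0], "package": key[1], "version": key[2],
            "id": key[3], "fix_versions": set(), "sources": []})
        entry["fix_versions"].add(r["fix"])
        entry["sources"].append(r["scanner"])
    return list(merged.values())


if __name__ == "__main__":
    print(json.dumps(osv_querybatch_body(LOCKFILE), indent=2))
    for finding in dedup(RAW):
        print(finding["id"], finding["package"], sorted(finding["sources"]))
```

Keeping the per-scanner `sources` list on the canonical finding is what lets a single PR cite all three tools' detections, and the alias mapping is what prevents a GHSA id from Snyk and a CVE id from Trivy appearing as two separate findings.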