
Why We Built OtterSight — OSS Dependency Scanning with EU Vulnerability Database

The story behind OtterSight: why we built an open-source SCA scanner that integrates the EU Vulnerability Database (EUVD) for better NIS2 compliance.

Tags: SCA, EUVD, open-source, security, NIS2

Every developer has a package-lock.json or Cargo.lock or go.sum. Every developer has vulnerabilities hiding in it. Most of them never find out until it’s too late.

That’s why we built OtterSight.

The Problem: SCA Tools Are Built for Enterprises, Not Developers

Software Composition Analysis (SCA) — scanning your dependencies for known vulnerabilities — is no longer optional. Regulations like NIS2 and the EU Cyber Resilience Act (CRA) are making it mandatory. And even without regulation, the reality is stark: the vast majority of modern software vulnerabilities come not from code you wrote, but from code you imported.

Yet when you look at the SCA tool landscape, the picture is bleak if you’re not a Fortune 500 company.

Snyk’s free tier limits you to 200 open-source tests per month. GitHub Dependabot is useful but shallow: it alerts on individual packages but gives you no SBOM, no EPSS scoring, no EUVD integration, and no way to see your full security posture across multiple repos at a glance. Grype is excellent at scanning but has no hosted dashboard, no scheduling, and no notification system.

Indie developers, freelancers, small agencies, and startups — the people building most of the world’s software — are left with fragmented, enterprise-oriented tools or overly basic solutions that don’t give them the depth they need.

We wanted something in between: powerful enough to surface real risk, simple enough to be set up in minutes, and priced for a solo developer’s budget.

The Hidden Cost of Ignoring Dependencies

Let’s be concrete about the risk. The Log4Shell vulnerability (CVE-2021-44228) affected millions of Java applications not because developers wrote vulnerable logging code, but because they imported Apache Log4j. The XZ Utils backdoor nearly compromised SSH servers across the Linux ecosystem through a dependency that most operators didn’t even know they had.

These aren’t edge cases. The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) reported that 52% of known exploited vulnerabilities in their KEV catalog are in third-party software components — not in custom application code. Your lock file is your attack surface.

Most developers acknowledge this risk. Few have the tooling to act on it.

Why We Chose Syft + Grype as the Scanning Engine

We didn’t reinvent the scanning wheel. We didn’t need to.

Syft is the best open-source SBOM (Software Bill of Materials) generator available today. It supports 20+ package ecosystems — npm, PyPI, Cargo, Go modules, Maven, RubyGems, and more — and produces industry-standard CycloneDX and SPDX output. Anchore’s team has done extraordinary work making Syft accurate, fast, and well-maintained.

Grype takes an SBOM from Syft and matches components against vulnerability databases: NVD, GitHub Security Advisories, OSV, and more. It’s accurate, actively maintained, and battle-tested across thousands of production environments.

By standing on top of these OSS giants, OtterSight inherits their scanning quality and stays up to date as they improve. Our job is to orchestrate them, enrich their output, and make the results actionable — not to rebuild vulnerability detection from scratch.

This separation of concerns is a deliberate architectural choice. When Syft adds support for a new ecosystem (like it did with Swift Package Manager), OtterSight automatically inherits that coverage. When Grype improves its matching accuracy, our users get better results. We stay focused on the layer where we can add unique value: enrichment, scheduling, notifications, and the user interface.

What Makes OtterSight Different

EUVD Integration — The EU Vulnerability Database

This is the biggest differentiator that most developers don’t even know they need yet.

The EU Vulnerability Database (EUVD) is operated by ENISA — the European Union Agency for Cybersecurity. It launched in 2024 as a European complement to the US NIST National Vulnerability Database (NVD). The EUVD aggregates vulnerabilities from multiple sources, includes ENISA curation and context, and is specifically designed to support EU regulatory compliance.

Here’s the thing: the NVD has been struggling. NIST suspended NVD enrichment for months in 2024, leaving a backlog of thousands of CVEs without severity scores or impact data. For EU-based organizations subject to NIS2, relying solely on the NVD means you’re missing European context and potentially non-compliant.

OtterSight queries the EUVD for every vulnerability it finds. If an EUVD entry exists, we surface it alongside the CVE data — giving you European context, ENISA notes, and EU-specific severity assessments. No other SCA scanner we know of does this.

EPSS + KEV Scoring

Not all CVEs are equal. A critical CVE with a CVSS score of 9.8 that was patched years ago and has never been exploited in the wild is very different from a high-severity vulnerability that CISA has added to its Known Exploited Vulnerabilities (KEV) catalog.

OtterSight enriches every vulnerability with:

  • EPSS score (Exploit Prediction Scoring System): a machine-learning model that estimates the probability a vulnerability will be exploited in the wild within 30 days. Scores range from 0 to 1.
  • KEV flag: whether the vulnerability is on CISA’s KEV catalog, meaning it’s been actively exploited.

This means you can immediately prioritize. A CVE that’s KEV-listed should be fixed this week. A CVE with EPSS < 0.01% can likely wait for your next scheduled maintenance window.
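The triage rule above, as an added example in JavaScript (not OtterSight's own code): KEV membership outranks everything, a very low EPSS lets even a Critical CVSS wait, and a finding with no EPSS data is flagged for review rather than silently deprioritised. The report shape loosely follows Grype's JSON output; the EPSS values, KEV list and the CVE-EXAMPLE-* identifiers are constructed sample data.

```javascript
// Constructed sample shaped like a Grype JSON report (matches[].vulnerability / artifact).
// CVE-2021-44228 (Log4Shell) is real; the CVE-EXAMPLE-* ids are placeholders.
const grypeReport = {
  matches: [
    { vulnerability: { id: 'CVE-2021-44228', severity: 'Critical' },
      artifact: { name: 'log4j-core', version: '2.14.1' } },
    { vulnerability: { id: 'CVE-EXAMPLE-0001', severity: 'Critical' },
      artifact: { name: 'some-lib', version: '1.0.0' } },
    { vulnerability: { id: 'CVE-EXAMPLE-0002', severity: 'Medium' },
      artifact: { name: 'other-lib', version: '3.2.1' } },
  ],
};

// Constructed enrichment data: EPSS probabilities (0..1) and the KEV catalog membership.
const epss = { 'CVE-2021-44228': 0.97, 'CVE-EXAMPLE-0001': 0.00005, 'CVE-EXAMPLE-0002': 0.35 };
const kev = new Set(['CVE-2021-44228']);

const BUCKET_RANK = { 'fix-this-week': 0, 'fix-this-sprint': 1, 'needs-review': 2, 'next-maintenance-window': 3 };

// Assign one finding to a remediation bucket.
// KEV-listed: fix this week. EPSS < 0.01% (0.0001): next maintenance window, even if Critical.
// Missing EPSS: needs a human look. Otherwise EPSS >= 10% or Critical severity goes in this sprint.
function bucket(cveId, severity) {
  if (kev.has(cveId)) return 'fix-this-week';
  const p = epss[cveId] ?? null;
  if (p === null) return 'needs-review';
  if (p < 0.0001) return 'next-maintenance-window';
  if (p >= 0.1 || severity === 'Critical') return 'fix-this-sprint';
  return 'next-maintenance-window';
}

// Enrich every match and order the list: most urgent bucket first, then highest EPSS first.
function prioritize(report) {
  return report.matches
    .map(({ vulnerability: v, artifact: a }) => ({
      cve: v.id,
      package: `${a.name}@${a.version}`,
      severity: v.severity,
      epss: epss[v.id] ?? null,
      kev: kev.has(v.id),
      bucket: bucket(v.id, v.severity),
    }))
    .sort((x, y) => BUCKET_RANK[x.bucket] - BUCKET_RANK[y.bucket] || (y.epss ?? 0) - (x.epss ?? 0));
}

for (const f of prioritize(grypeReport)) {
  console.log(`${f.bucket.padEnd(24)} ${f.cve.padEnd(18)} ${f.package.padEnd(20)} EPSS=${f.epss}`);
}
```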

300+ Notification Channels via Apprise

Security alerts are only useful if they reach you. OtterSight uses Apprise to send notifications to over 300 channels: Slack, Discord, PagerDuty, Telegram, email, webhooks, and hundreds more.

No proprietary notification infrastructure. No vendor lock-in. Just configure your Apprise URL and you’ll get alerts wherever your team already works.

GDPR-Native by Design

All scan data lives on Hetzner servers in Germany. We never send your code, your SBOMs, or your vulnerability data to US cloud providers. Git repositories are cloned ephemerally — they’re deleted from our servers immediately after scanning. Only the vulnerability metadata (not your code) persists.

For EU companies subject to GDPR, this is a meaningful difference from tools that route your data through US data centers.

The Open-Source Approach

OtterSight has two layers:

@ottersight/cli — The scanning core is open source under the MIT license. Install it with npm install -g @ottersight/cli, or run it without installing via npx @ottersight/cli scan . from your project root. No account required. It runs Syft + Grype locally, enriches results with EUVD + KEV + EPSS data, and gives you a colored terminal report or markdown export.

npx @ottersight/cli scan .

This is genuinely free and open source. You can read the code, contribute, and run it as part of your CI pipeline without paying anything.

OtterSight Cloud — The hosted service adds everything that’s hard to run yourself: a web dashboard with your full security posture across all repos, scheduled automatic scans, historical vulnerability tracking, team notifications, and plan-based access controls. It’s built on top of the same @ottersight/cli core.

We believe in the open-core model because it aligns our incentives with our users. The CLI being MIT-licensed means you can always inspect exactly what we’re doing with your code (the answer: nothing, it runs locally). The hosted service is where we monetize, but it has to earn your trust by being meaningfully better than running the CLI yourself.

The EU Compliance Angle: NIS2, CRA, and Why This Matters Now

The NIS2 Directive (Network and Information Security Directive 2) came into force in January 2023 and required EU member states to transpose it by October 2024. It expands the scope of cybersecurity obligations significantly beyond the original NIS1, covering more sectors and more types of organizations.

Among other requirements, NIS2 mandates that organizations in scope implement risk management measures including “policies on the use of cryptography and, where appropriate, encryption” and measures to address “supply chain security” — which includes knowing what software components you’re running and whether they’re vulnerable.

The EU Cyber Resilience Act (CRA), which was adopted in late 2024, goes further: it requires manufacturers of products with digital elements (including software) to produce and maintain Software Bills of Materials. This is coming for everyone building software that touches EU consumers or businesses.

The EUVD is ENISA’s contribution to making this compliance tractable. By maintaining a European vulnerability database with EU-specific context, ENISA gives organizations a canonical reference point for their NIS2 vulnerability management obligations.

OtterSight is built for this world. SBOM generation (via Syft, CycloneDX format), EUVD cross-referencing, and structured vulnerability reporting are core features — not add-ons.

What’s Next

OtterSight Cloud is launching with four tiers:

  • Free: 3 repos, weekly scans, 1 user
  • Indie (€9/month): 10 repos, automatic daily monitoring, priority queue
  • Team (€29/month): 30 repos, automatic daily monitoring, 5 users
  • Business (€79/month): 100 repos, hourly monitoring, unlimited users

Founding Members get a locked rate of €5/mo forever — 15 repos, automatic daily monitoring + manual scans anytime, full SBOM + CVE + EUVD coverage. Only 100 spots available.

The CLI is available now on npm and GitHub. We’d love your feedback, bug reports, and contributions.

Join the Waitlist

If you’re building software that runs in the EU, or if you just want better dependency security than Dependabot alone provides, OtterSight is for you.

Become a Founding Member at ottersight.com/founding — €5/mo locked forever, 100 spots only.

The otter is watching your dependencies. So you don’t have to.