
Open-Source Reachability-Based CVE Triage for Node.js and Python Container Images

dev tool · real project · multiple requests

Teams pull SBOMs and find 1,400+ packages when their app actually imports 60. Every quarter is a sprint of triaging hundreds of CVEs in code paths that are physically unreachable. Snyk and Endor Labs do reachability analysis as commercial features; OSS scanners (Trivy, Grype, OSV-Scanner) flag every CVE in the image regardless of whether the code is reachable.

builder note

Don't try to be a scanner. Be the post-processor: take Trivy/Grype output and the project's source tree, produce a filtered list with reachability evidence (file:line that calls the vulnerable symbol). Sells itself to anyone drowning in Dependabot tickets.
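An added example (not code from this page or from any tool it names) of the post-processor shape the note describes: it reads a Trivy-style JSON report, walks a Python source tree with `ast`, and keeps only findings whose package is actually imported, attaching file:line evidence. It assumes Trivy's `Results[].Vulnerabilities[]` JSON layout and that the distribution name matches the import name after normalization (often false, e.g. PyYAML/yaml), and it uses import-level rather than call-graph reachability, so it is coarser than the file:line-of-the-call evidence the note asks for.

```python
import ast
import json

# Constructed sample in Trivy's JSON layout (Results[].Vulnerabilities[]);
# the CVE ids and package names are placeholders, not real findings.
TRIVY_JSON = json.dumps({"Results": [{"Target": "requirements.txt", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "leftlib", "InstalledVersion": "1.0"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "Unused-Lib", "InstalledVersion": "2.3"},
]}]})

# Constructed source tree (path -> contents); only leftlib is imported.
SOURCE_FILES = {
    "app/main.py": "import os\nimport leftlib\n\nleftlib.parse('x')\n",
    "app/util.py": "from os import path\n\ndef f():\n    return path.join('a', 'b')\n",
}

def normalize(pkg):
    # Assumption: distribution name == import name after normalization
    # (false for e.g. PyYAML -> yaml; a real tool needs a name map).
    return pkg.lower().replace("-", "_")

def imported_modules(source):
    """Yield (top-level module, line) for every absolute import in a file."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield alias.name.split(".")[0], node.lineno
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            yield node.module.split(".")[0], node.lineno

def vulnerable_packages(trivy_json):
    """Map normalized package name -> list of CVE ids from the scanner report."""
    findings = {}
    for result in json.loads(trivy_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.setdefault(normalize(v["PkgName"]), []).append(v["VulnerabilityID"])
    return findings

def triage(trivy_json, source_files):
    """Split findings into (reachable, unreachable); reachable carries file:line evidence."""
    findings = vulnerable_packages(trivy_json)
    evidence = {pkg: [] for pkg in findings}
    for path, src in source_files.items():
        for mod, line in imported_modules(src):
            if mod in findings:
                evidence[mod].append(f"{path}:{line}")
    reachable = {p: {"cves": c, "evidence": evidence[p]} for p, c in findings.items() if evidence[p]}
    unreachable = {p: {"cves": c} for p, c in findings.items() if not evidence[p]}
    return reachable, unreachable
```

On a real tree, replace `SOURCE_FILES` with the `.py` files read from disk and feed `triage` the output of `trivy image --format json`; the unreachable bucket is the noise to park, the reachable one is what goes into tickets.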

landscape (5 existing solutions)

Reachability is a known best practice with no good open-source implementation for the languages where it matters most: Node and Python. Whoever ships a Babel/AST-based static call graph plus EPSS/KEV cross-reference for these two ecosystems eats Snyk's lunch in OSS land.

Snyk: Open Source Reachability is the paid tier; paywalled features and per-developer pricing rule it out for small teams.
Endor Labs: Strong reachability, but enterprise-only sales and pricing.
OSV-Scanner v2: Guided remediation only for npm and Maven; no Python; no call-graph reachability.
Trivy / Grype: Universe-of-CVEs scanners; they don't tell you which findings are reachable, so the noise is what you started with.
Chainguard / Minimus distroless: Solves it via 'ship less', but Node and Python runtimes can't go static, so half the industry's stack stays bloated.

sources (2)

reddit https://www.reddit.com/r/sre/comments/1sxhsoh/90_of_cves_in_... "We spend roughly a sprint a quarter triaging stuff that isn't reachable." 2026-04-27
reddit https://www.reddit.com/r/sre/comments/1sxhsoh/90_of_cves_in_... "Reachability-based triage — only act on CVEs in code paths your app executes." 2026-04-27
tags: security, sbom, cve, supply-chain, node-python