Supported package ecosystems

A high-level summary of all package detection capabilities across ecosystems

The table below shows which ecosystems support package analysis and vulnerability scanning.

What do these columns mean?

For a detailed explanation of the columns in the table, please see the Capabilities overview.

Ecosystem	Cataloger + Evidence	Licenses	Dependencies	Files
Ai	gguf-cataloger `*.gguf`
ALPM	alpm-db-cataloger `var/lib/pacman/local/**/desc`
APK	apk-db-cataloger `lib/apk/db/installed`
Binary	binary-classifier-cataloger arangodb-binary`arangosh` bash-binary`bash` busybox-binary`busybox` chrome-binary`chrome` consul-binary`consul` curl-binary`curl` dart-binary`dart` elixir-binary`elixir` elixir-library`elixir/ebin/elixir.app` erlang-alpine-binary`beam.smp` erlang-binary`erlexec` erlang-library`liberts_internal.a` ffmpeg-binary`ffmpeg` ffmpeg-library`libav`, `libswresample` fluent-bit-binary`fluent-bit` gcc-binary`gcc` go-binary`go` go-binary-hint`VERSION` gzip-binary`gzip` haproxy-binary`haproxy` hashicorp-vault-binary`vault` haskell-cabal-binary`cabal` haskell-ghc-binary`ghc` haskell-stack-binary`stack` helm`helm` httpd-binary`httpd` java-binary`java` java-jdb-binary`jdb` jq-binary`jq` julia-binary`libjulia-internal.so` lighttpd-binary`lighttpd` mariadb-binary`{mariadb,mysql}` memcached-binary`memcached` mysql-binary`mysql` nginx-binary`nginx` nodejs-binary`node` openssl-binary`openssl` perl-binary`perl` php-composer-binary`composer` postgresql-binary`postgres` proftpd-binary`proftpd` pypy-binary-lib`libpypy.so` python-binary`python` python-binary-lib`libpython.so` redis-binary`redis-server` ruby-binary`ruby` rust-standard-library-linux`libstd-.so` rust-standard-library-macos`libstd-.dylib` sqlcipher-binary`sqlcipher` swipl-binary`swipl` traefik-binary`traefik` util-linux-binary`getopt` wordpress-cli-binary`wp` xtrabackup-binary`xtrabackup` xz-binary`xz` zstd-binary`zstd`
	elf-binary-package-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable` (mimetype)
	pe-binary-package-cataloger `.dll`, `.exe`
Bitnami	bitnami-cataloger `/opt/bitnami/*/.spdx-.spdx`
C/C++	conan-cataloger `conan.lock`
	conan-cataloger `conanfile.txt`
	conan-info-cataloger `conaninfo.txt`
Conda	conda-meta-cataloger `conda-meta/*.json`
Dart	dart-pubspec-cataloger `pubspec.yml`, `pubspec.yaml`
Dart	dart-pubspec-lock-cataloger `pubspec.lock`
DPKG	deb-archive-cataloger `*.deb`
DPKG	dpkg-db-cataloger `lib/dpkg/status`, `lib/dpkg/status.d/`, `lib/opkg/info/.control`, `lib/opkg/status`
Elixir	elixir-mix-lock-cataloger `mix.lock`
Erlang	erlang-otp-application-cataloger `*.app`
Erlang	erlang-rebar-lock-cataloger `rebar.lock`
GitHub Actions	github-action-workflow-usage-cataloger `.github/workflows/.yaml`, `.github/workflows/.yml`
	github-actions-usage-cataloger `.github/actions//action.yml`, `.github/actions//action.yaml`
	github-actions-usage-cataloger `.github/workflows/.yaml`, `.github/workflows/.yml`
Go	go-module-binary-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable`, `application/x-executable` (mimetype)
Go	go-module-file-cataloger `go.mod`
Haskell	haskell-cataloger `cabal.project.freeze`
	haskell-cataloger `stack.yaml.lock`
	haskell-cataloger `stack.yaml`
Homebrew	homebrew-cataloger `Cellar///.brew/.rb`, `Library/Taps///Formula/.rb`
Java	graalvm-native-image-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable` (mimetype)
	java-archive-cataloger `.jar`, `.war`, `.ear`, `.par`, `.sar`, `.nar`, `.jpi`, `.hpi`, `.kar`, `.lpkg`
	java-archive-cataloger `*.zip`
	java-archive-cataloger `.tar`, `.tar.gz`, `.tgz`, `.tar.bz`, `.tar.bz2`, `.tbz`, `.tbz2`, `.tar.br`, `.tbr`, `.tar.lz4`, `.tlz4`, `.tar.sz`, `.tsz`, `.tar.xz`, `.txz`, `.tar.zst`, `.tzst`, `.tar.zstd`, `*.tzstd`
	java-gradle-lockfile-cataloger `gradle.lockfile*`
	java-jvm-cataloger `release`
	java-pom-cataloger `*pom.xml`
JavaScript	javascript-lock-cataloger `pnpm-lock.yaml`
	javascript-lock-cataloger `yarn.lock`
	javascript-lock-cataloger `package-lock.json`
	javascript-package-cataloger `package.json`
Linux	linux-kernel-cataloger `kernel`, `kernel-`, `vmlinux`, `vmlinux-`, `vmlinuz`, `vmlinuz-`, `lib/modules//.ko`
Lua	lua-rock-cataloger `*.rockspec`
.NET	dotnet-deps-binary-cataloger `.deps.json`, `.dll`, `*.exe`
	dotnet-deps-cataloger deprecated `*.deps.json`
	dotnet-packages-lock-cataloger `packages.lock.json`
	dotnet-portable-executable-cataloger deprecated `.dll`, `.exe`
Nix	nix-cataloger `nix/var/nix/db/db.sqlite`, `nix/store/`, `nix/store/.drv`
Nix	nix-store-cataloger deprecated `nix/store/`, `nix/store/.drv`
OCaml	opam-cataloger `*opam`
PHP	php-composer-installed-cataloger `installed.json`
	php-composer-lock-cataloger `composer.lock`
	php-interpreter-cataloger `php//.so`, `php-fpm`, `apache/*/libphp.so`
	php-pear-serialized-cataloger `php/.registry/*/.reg`
	php-pecl-serialized-cataloger deprecated `php/.registry/.channel./.reg`
Portage	portage-cataloger `var/db/pkg///CONTENTS`
Prolog	swipl-pack-cataloger `pack.pl`
Python	python-installed-package-cataloger `.egg-info`, `dist-info/METADATA`, `egg-info/PKG-INFO`, `DIST-INFO/METADATA`, `*EGG-INFO/PKG-INFO`
	python-package-cataloger `pdm.lock`
	python-package-cataloger `uv.lock`
	python-package-cataloger `setup.py`
	python-package-cataloger `Pipfile.lock`
	python-package-cataloger `poetry.lock`
	python-package-cataloger `requirements.txt`
R	r-package-cataloger `DESCRIPTION`
RPM	rpm-archive-cataloger `*.rpm`
	rpm-db-cataloger `var/lib/rpmmanifest/container-manifest-2`
	rpm-db-cataloger `{var/lib,usr/share,usr/lib/sysimage}/rpm/{Packages,Packages.db,rpmdb.sqlite}`
Ruby	ruby-gemfile-cataloger `Gemfile.lock`
	ruby-gemspec-cataloger `*.gemspec`
	ruby-installed-gemspec-cataloger `specifications/*/.gemspec`
Rust	cargo-auditable-binary-cataloger `application/x-executable`, `application/x-mach-binary`, `application/x-elf`, `application/x-sharedlib`, `application/vnd.microsoft.portable-executable`, `application/x-executable` (mimetype)
Rust	rust-cargo-lock-cataloger `Cargo.lock`
SBOM	sbom-cataloger `.syft.json`, `.bom.`, `.bom`, `bom`, `.sbom.`, `.sbom`, `sbom`, `.cdx.`, `.cdx`, `.spdx.`, `*.spdx`
Snap	snap-cataloger `snap/snapcraft.yaml`
	snap-cataloger `snap/manifest.yaml`
	snap-cataloger `doc/linux-modules-*/changelog.Debian.gz`
	snap-cataloger `usr/share/snappy/dpkg.yaml`
	snap-cataloger `meta/snap.yaml`
Swift	cocoapods-cataloger `Podfile.lock`
Swift	swift-package-manager-cataloger `Package.resolved`, `.package.resolved`
Terraform	terraform-lock-cataloger `.terraform.lock.hcl`
WordPress	wordpress-plugins-cataloger `wp-content/plugins//.php`

Legend:

: Supported by default
: Conditionally supported (requires configuration)
(empty): Not supported

Last modified November 26, 2025:allow local too invocation (d20d613)