Inspiration

The inspiration for D-SCAN came from the growing threat of Dependency Confusion attacks. I observed how easily modern build systems can be tricked into pulling malicious public packages instead of intended private ones. Seeing how major organizations were vulnerable to these "phantom" dependencies, I felt a strong need to build a tool that gives developers a clear, automated way to audit their supply chain and catch these gaps before they are exploited.

What it does

D-SCAN is a high-speed security scanner that audits GitHub organizations to identify vulnerable or missing npm packages. It crawls through repositories, extracts every package.json manifest, and cross-references the declared dependencies against the public npm registry. If a dependency is listed in a manifest but does not exist on the public registry, the name is unclaimed and anyone could publish a package under it, so D-SCAN flags it as a critical risk vector for Remote Code Execution (RCE) and registry hijacking.
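The check described above, as an added example that is not D-SCAN's own code: it extracts the registry-resolved dependency names from one package.json, probes each name in small batches, and classifies the result. The registry probe (`fetchStatus`, returning an HTTP status code) is injected, and the manifest and fake registry below are constructed so the example runs offline.

```javascript
// Added example (not D-SCAN's code). `fetchStatus(url)` is a hypothetical
// injected probe that resolves to the HTTP status of a registry metadata URL.
const REGISTRY = "https://registry.npmjs.org/";
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
// Specifiers the registry never resolves: git, URL, file, link, workspace, GitHub shorthand.
const NON_REGISTRY = /^(git(\+\w+)?:|github:|file:|link:|workspace:|https?:|[\w.-]+\/[\w.-]+(#.*)?$)/;

// Names that a plain `npm install` of this manifest would fetch from the public registry.
function registryDependencies(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const names = new Set();
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const s = String(spec);
      const alias = s.match(/^npm:((?:@[^/]+\/)?[^@]+)/); // "npm:real@range": the real name is what resolves
      if (alias) names.add(alias[1]);
      else if (!NON_REGISTRY.test(s)) names.add(name);
    }
  }
  return [...names];
}

// Scoped names are encoded as @scope%2Fname in registry metadata URLs.
function registryUrl(name) {
  return REGISTRY + name.replace("/", "%2F");
}

// 200: a public package owns the name. 404: nobody owns it, so a mis-resolved
// install could pull whatever gets published there. Anything else (rate limit,
// timeout, network error) is unverifiable and must not be reported as safe.
function classify(status) {
  if (status === 200) return "public";
  if (status === 404) return "missing";
  return "unverifiable";
}

// Probe names in small batches so an organisation-wide scan stays under rate limits.
async function auditManifest(manifestJson, fetchStatus, batchSize = 5) {
  const names = registryDependencies(manifestJson);
  const findings = {};
  for (let i = 0; i < names.length; i += batchSize) {
    await Promise.all(names.slice(i, i + batchSize).map(async (name) => {
      let status;
      try { status = await fetchStatus(registryUrl(name)); } catch { status = 0; }
      findings[name] = classify(status);
    }));
  }
  return findings;
}

// Constructed sample manifest and a fake registry standing in for a live lookup.
const SAMPLE_MANIFEST = JSON.stringify({
  dependencies: { express: "^4.18.0", "@acme/internal-auth": "1.2.0", "lodash-compat": "npm:lodash@^4.0.0" },
  devDependencies: { "my-fork": "github:someone/my-fork", "local-tool": "file:../tool", "acme-build-helper": "^2.0.0" },
});
const FAKE_REGISTRY = { [registryUrl("express")]: 200, [registryUrl("lodash")]: 200 };
const fakeFetchStatus = async (url) => (url in FAKE_REGISTRY ? FAKE_REGISTRY[url] : 404);
```

Running `auditManifest(SAMPLE_MANIFEST, fakeFetchStatus)` reports `express` and `lodash` as public and `@acme/internal-auth` and `acme-build-helper` as missing, while the git and file specifiers are skipped because the registry never resolves them.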

How we built it

The core engine is built using JavaScript and Asynchronous Logic to handle large-scale data fetching. We integrated the GitHub Search API to locate manifests and the npm Registry API for verification. For the intelligence layer, we utilized the Gemini API to provide real-time security briefings and threat analysis. The UI was designed with a "Cyber-Security Console" aesthetic using CSS3 and HTML5, ensuring that complex security data remains readable and actionable.

Challenges we ran into

The biggest technical hurdle was navigating API Rate Limiting. Scanning an entire organization involves hundreds of requests, which triggers GitHub’s security thresholds. I had to implement a custom batched pagination strategy to stay within limits. Additionally, managing asynchronous complexity was tough; I used AbortController to ensure the browser wouldn't freeze or crash while processing thousands of concurrent dependency checks.

Accomplishments that we're proud of

I am particularly proud of the Ultra-Fast Failover system. If the AI or GitHub APIs experience latency, the tool seamlessly switches to a local threat database without interrupting the user experience. Achieving a "zero-stuck" UI while performing heavy network operations is a major milestone for this project.

What we learned

This project was a masterclass in Supply Chain Anatomy. I learned exactly how package managers resolve versions and the mathematical risks involved in dependency mapping.

I also gained deep experience in API Orchestration and designing resilient systems that can handle "graceful degradation" during network failures.

What's next for D-SCAN

The next phase for D-SCAN involves expanding beyond npm to support PyPI (Python) and Go Modules. I also plan to integrate Webhooks so that D-SCAN can automatically alert security teams the moment a new, suspicious dependency is added to a repository's main branch.
