Stop triaging false positives.
CA9 analyzes your Python codebase to prove whether vulnerable dependencies are actually imported and executed. Turn noisy SCA alerts into a handful of actionable fixes.
$ pip install ca9
$ ca9 check snyk_report.json --repo .
CVE-2024-XXXX requests REACHABLE
↳ Imported directly and executed in 4 coverage files.
CVE-2023-YYYY urllib3 UNREACHABLE
↳ Affected submodule 'urllib3.connection' is never imported.
Result: 90% of flagged CVEs are unreachable — only 2 require action.
How CA9 filters the noise
1. Ingest Alerts: Parses vulnerability reports directly from Snyk, Dependabot, Trivy, pip-audit, or OSV.dev.
2. Check Evidence: Scans your Python AST for specific submodule imports and checks pytest coverage for runtime execution.
3. Actionable Output: Spits out clean JSON, CLI tables, or SARIF files ready for GitHub Advanced Security and CI pipelines.
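As an added illustration of the Check Evidence step (example code, not CA9's own), here is a minimal Python version of the two checks: an AST scan for imports of the affected submodule, joined with a coverage.py-style JSON report to separate "imported" from "executed". It goes one step beyond the page's two verdicts by adding IMPORTED_NOT_EXECUTED; the file names, file contents and coverage fragment are constructed for this example.

```python
import ast

# Constructed sample project (three source files) plus a coverage.py-style
# JSON report fragment: the "files" -> "executed_lines" shape is the one
# `coverage json` writes. All paths and contents are made up for this example.
SOURCES = {
    "app/client.py": "import requests\n\ndef fetch(url):\n    return requests.get(url)\n",
    "app/pool.py": "import urllib3\n\nPOOL = urllib3.PoolManager()\n",
    "scripts/debug.py": "from urllib3.connection import HTTPConnection\n\n"
                        "def probe(host):\n    return HTTPConnection(host)\n",
}
COVERAGE = {"files": {
    "app/client.py": {"executed_lines": [1, 3, 4]},
    "app/pool.py": {"executed_lines": [1, 3]},
    # scripts/debug.py never ran under pytest, so coverage has no entry for it
}}


def import_lines(source, module):
    """Line numbers where `module` itself or one of its submodules is imported."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            # `from urllib3 import connection` reaches urllib3.connection too;
            # relative imports (node.module is None) are skipped
            names = [node.module] + [f"{node.module}.{a.name}" for a in node.names]
        else:
            continue
        if any(n == module or n.startswith(module + ".") for n in names):
            hits.append(node.lineno)
    return hits


def classify(module, sources=SOURCES, coverage=COVERAGE):
    """Return (verdict, evidence) for the module/submodule an advisory names."""
    evidence, executed = [], False
    for path, source in sources.items():
        lines = import_lines(source, module)
        if not lines:
            continue
        ran = set(coverage["files"].get(path, {}).get("executed_lines", []))
        hit = any(line in ran for line in lines)
        executed = executed or hit
        evidence.append(f"{path}: import at lines {lines}, executed={hit}")
    if not evidence:
        return "UNREACHABLE", [f"{module} is never imported"]
    return ("REACHABLE" if executed else "IMPORTED_NOT_EXECUTED"), evidence
```

A bare `import urllib3` can load `urllib3.connection` transitively at runtime, so a submodule-level "never imported" verdict is a heuristic worth corroborating with coverage of the dependency itself before an alert is closed.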
