Stop triaging false positives.

CA9 analyzes your Python codebase to prove whether vulnerable dependencies are actually imported and executed. It turns noisy SCA alerts into a handful of actionable fixes.

$ pip install ca9
$ ca9 check snyk_report.json --repo .

CVE-2024-XXXX requests REACHABLE
↳ Imported directly and executed in 4 coverage files.

CVE-2023-YYYY urllib3 UNREACHABLE
↳ Affected submodule 'urllib3.connection' is never imported.

Result: 90% of flagged CVEs are unreachable — only 2 require action.

How CA9 filters the noise

1. Ingest Alerts

Parses vulnerability reports directly from Snyk, Dependabot, Trivy, pip-audit, or OSV.dev.

2. Check Evidence

Scans your Python AST for imports of the specific affected submodule and checks pytest coverage data for runtime execution of those import sites.

3. Actionable Output

Spits out clean JSON, CLI tables, or SARIF files ready for GitHub Advanced Security and CI pipelines.
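An added illustration of the two evidence checks described above (this is not CA9's code and not part of the original page): an AST walk that records every site where a named submodule is imported, followed by a lookup against a coverage.py-style JSON report to see whether those import lines actually executed. The sample sources, the coverage data and the CVE identifiers are constructed for the example; the `files`/`executed_lines` layout follows coverage.py's JSON report.

```python
"""Import-reachability check for a single SCA finding (illustrative, not CA9's code).

Evidence 1: does any scanned file import the affected submodule?
Evidence 2: did the line that performs that import execute under test coverage?
"""
from __future__ import annotations

import ast
from dataclasses import dataclass, field

# Constructed sample sources standing in for a scanned repository.
SAMPLE_SOURCES = {
    "app/http.py": (
        "import requests\n"
        "from urllib3.util import retry\n"
        "\n"
        "def fetch(url):\n"
        "    return requests.get(url)\n"
    ),
    "app/unused.py": (
        "from urllib3 import connection\n"   # imported, but never executed
        "\n"
        "def open_raw(host):\n"
        "    return connection.HTTPConnection(host)\n"
    ),
}

# Constructed coverage data in coverage.py's JSON report shape (`coverage json`).
SAMPLE_COVERAGE = {
    "files": {
        "app/http.py": {"executed_lines": [1, 2, 4, 5]},
        "app/unused.py": {"executed_lines": []},
    }
}


@dataclass
class Finding:
    cve: str
    package: str
    submodule: str                      # fully qualified, e.g. "urllib3.connection"
    import_sites: list[tuple[str, int]] = field(default_factory=list)
    executed_sites: list[tuple[str, int]] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.executed_sites:
            return "REACHABLE"
        if self.import_sites:
            return "IMPORTED_NOT_EXECUTED"
        return "UNREACHABLE"


def imported_modules(node: ast.AST) -> list[str]:
    """Fully qualified module names an import statement may load."""
    if isinstance(node, ast.Import):
        return [alias.name for alias in node.names]
    if isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
        # `from pkg import name` may be a submodule import or a plain name;
        # record both candidates so the check stays conservative (over-approximates).
        return [node.module] + [f"{node.module}.{a.name}" for a in node.names]
    return []


def imports_submodule(name: str, submodule: str) -> bool:
    """True if importing `name` loads `submodule` itself or one of its children."""
    return name == submodule or name.startswith(submodule + ".")


def find_import_sites(sources: dict[str, str], submodule: str) -> list[tuple[str, int]]:
    """(path, line) for every statement that imports the affected submodule."""
    sites: list[tuple[str, int]] = []
    for path, code in sources.items():
        tree = ast.parse(code, filename=path)
        for node in ast.walk(tree):
            if any(imports_submodule(n, submodule) for n in imported_modules(node)):
                sites.append((path, node.lineno))
    return sites


def classify(cve: str, package: str, submodule: str,
             sources: dict[str, str], coverage: dict) -> Finding:
    """Combine AST evidence with coverage evidence into one verdict."""
    finding = Finding(cve, package, submodule)
    finding.import_sites = find_import_sites(sources, submodule)
    files = coverage.get("files", {})
    for path, lineno in finding.import_sites:
        if lineno in files.get(path, {}).get("executed_lines", []):
            finding.executed_sites.append((path, lineno))
    return finding


def render(finding: Finding) -> str:
    """One CLI-style line per finding, with the evidence that drove the verdict."""
    if finding.verdict == "REACHABLE":
        why = f"imported and executed at {len(finding.executed_sites)} site(s)"
    elif finding.verdict == "IMPORTED_NOT_EXECUTED":
        why = "imported but never executed under test coverage"
    else:
        why = f"affected submodule '{finding.submodule}' is never imported"
    return f"{finding.cve} {finding.package} {finding.verdict}\n  \u21b3 {why}"


if __name__ == "__main__":
    for cve, pkg, sub in [("CVE-EXAMPLE-0001", "urllib3", "urllib3.util.retry"),
                          ("CVE-EXAMPLE-0002", "urllib3", "urllib3.connection"),
                          ("CVE-EXAMPLE-0003", "urllib3", "urllib3.poolmanager")]:
        print(render(classify(cve, pkg, sub, SAMPLE_SOURCES, SAMPLE_COVERAGE)))
```

Two caveats a practitioner should keep in mind when reading a verdict from this kind of check: it only sees imports written in the scanned code, so a dependency whose own `__init__.py` pulls in the affected submodule is loaded transitively without any direct import site appearing, and "never imported" therefore means "never imported directly"; and coverage evidence is only as good as the test suite, so an import site that tests never reach is downgraded rather than dismissed.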

Real-world results

We ran CA9 against real Python projects scanned by leading SCA tools. Here's what happened to the noise.

Snyk scan

87% reduction

Snyk flagged 34 CVEs. CA9 proved only 4 were reachable.

34 flagged, 4 actionable

pip-audit scan

92% reduction

pip-audit found 25 vulnerabilities. Only 2 were actually imported.

25 flagged, 2 actionable

Trivy scan

78% reduction

Trivy reported 18 CVEs. CA9 narrowed it to 4 reachable issues.

18 flagged, 4 actionable

Based on CA9 reachability analysis against real open-source Python projects.