#supply-chain

Generate Subresource Integrity (SRI) hashes for any web asset, so browsers can verify that a CDN-hosted script or stylesheet has not been tampered with. Pass a URL and the service fetches the asset and returns its sha256, sha384 and sha512 SRI hashes, the chosen integrity value (sha384 by default, or pass your preferred algorithm), the asset's size and content type, and a ready-to-paste <script> or <link> tag complete with the integrity and crossorigin attributes. A verify endpoint re-fetches the asset and tells you whether it still matches a known integrity string — catching silent CDN changes or supply-chain tampering before your users hit them. The request is made server-side; private and internal targets are refused (SSRF-guarded). Built for securing third-party scripts, supply-chain hardening, build pipelines and CSP/SRI compliance. A Subresource Integrity generator and verifier — distinct from raw cryptographic hashing of input data (hash), the HTTP security-header grader (secheaders) and the SSL/TLS certificate check (sslcheck). No upstream key, no cache.

api.oanor.com/sri-api

Software supply-chain and dependency intelligence as an API, powered by deps.dev — Google's Open Source Insights service. Across six package ecosystems (npm, PyPI, Maven, Cargo, Go and NuGet) it answers the questions a registry cannot: what does installing this package actually pull in, and how healthy is the project behind it. List a package's published versions and its default version; read a specific version's declared licenses, the keys of any known security advisories, useful links (source repository, homepage, issue tracker) and related projects; resolve a version's complete TRANSITIVE dependency graph — the total dependency count, the direct dependencies and every transitive node with its exact resolved version and whether it is a direct or indirect dependency; and look up a source project's OpenSSF Scorecard — the overall security score plus per-check results for Maintained, Code-Review, Branch-Protection, Dangerous-Workflow, Vulnerabilities and more — alongside its stars, forks, open issues, license and homepage. For Go modules and Maven artifacts the package name is the full module path or group:artifact (URL-encoded automatically). Ideal for dependency auditing, software-bill-of-materials (SBOM) enrichment, supply-chain risk assessment and license-compliance tooling. Data from deps.dev (Google, CC-BY).

api.oanor.com/depsdev-api

The Open Source Vulnerabilities database (OSV / osv.dev) as an API — the supply-chain security check for open-source dependencies. Scan any package version (PyPI, npm, Go, crates.io, Maven, NuGet, RubyGems, Packagist, Hex and more) and instantly learn whether it is affected by known vulnerabilities, with each advisory's severity, CVSS score, CVE aliases, CWE weakness and references; list every advisory ever published for a package; and look up a single advisory (GHSA, PYSEC, GO, RUSTSEC, CVE…) in full detail, including the affected packages and version ranges. Live from Google's official OSV.dev database, which aggregates GitHub Security Advisories, PyPA, RustSec, Go and many other sources. Ideal for dependency scanning, SBOM and supply-chain tooling, CI security gates and devsecops dashboards. Open data.

api.oanor.com/osv-api