listen.dev Documentation

Welcome to the documentation page. Use this as a resource to understand key concepts and get started.

What is listen.dev?

listen.dev provides transparency and control over open source software dependencies.
For developers, it provides dev-time feedback within existing workflows, enabling informed decisions on security, actionable insights for issue resolution, and increased productivity.
Security teams benefit from improved visibility and controls over third-party code behavior, streamlined operations through relevant context, and proactive protection against emerging supply chain threats.

What problems does listen.dev solve?

listen.dev is a new take on application security. Unlike traditional approaches, which leave developers reactively working through a list of noisy alerts, listen.dev surfaces only the most critical issues, using observability across the development lifecycle. Enriched with relevant context, prioritization and recommendations, listen.dev insights let developers and security teams take control of their third-party dependencies and use open source with confidence.

How can I use listen.dev inside my workflows?

listen.dev can be integrated in:
  • Local and remote dev machines (through lstn CLI)
  • CI/CD pipelines (through lstn CLI and GitHub Action)
Check out our roadmap to see what we'll be supporting in the near future.

Supported languages and ecosystems

We currently support JavaScript, TypeScript and CoffeeScript through the npm package manager. Support for other OSS ecosystems and languages is on our roadmap. If you have any specific feature requests or use cases, we'd love to chat.

How does it compare to existing dependency scanners?

Traditional dependency scanners and SCA tools flag known vulnerabilities by matching package names and versions against advisory databases. listen.dev instead takes a behavioural profiling approach, combining eBPF-powered runtime monitoring, LLMs and metadata analysis. This mix of analysis techniques allows detection of threats that signature matching misses, such as malicious code, install scripts, obfuscation, and vulnerabilities that have not yet been publicly disclosed in CVE databases.
See the FAQs for additional details and comparisons.

What kind of threats do you protect against?

The Supply-chain Levels for Software Artifacts (SLSA) threat model describes the attack vectors involved in supply chain attacks, from source and build compromise to dependency and distribution tampering. See our detection rules page to understand the threat coverage we provide.
© 2023 Garnet Labs