
Overview

The Exploitable Path feature (also known as Reachability Analysis) determines whether vulnerable SCA dependencies are actually imported and used in your codebase. Instead of treating every dependency vulnerability equally, CybeDefend pinpoints the ones that matter — the packages your code actually calls — so you can focus remediation where it counts.

Reachability Detection

Automatically identifies whether each dependency is used, unused, or potentially used in your code

Priority Adjustment

Boosts priority for used packages and lowers it for unused ones, so critical risks surface first

Auto-Ignore Unused

Optionally auto-ignores vulnerabilities in dependencies your code never imports

Import Locations

Shows exactly where in your code each dependency is imported, with file paths and line numbers

How It Works

During an SCA scan, CybeDefend analyzes your source code to detect import statements and matches them against detected dependencies. Each package receives a reachability status:
| Status | Meaning | Impact |
| --- | --- | --- |
| Used | The package is directly imported in your code | Priority is promoted one level (e.g., normal → urgent) |
| Unused | No import of this package was found in your code | Priority is set to very low; optionally auto-ignored |
| Potentially Used | The package may be used indirectly (e.g., via a framework plugin) | No automatic priority change |
For transitive dependencies (indirect dependencies pulled in by your direct dependencies), CybeDefend traces the dependency chain and propagates import locations from ancestor packages when available.

Import Location Tracking

When a package is marked as Used, CybeDefend records the exact locations where it is imported in your code. For each import, you can see:
  • File path — the relative path to the source file (e.g., src/utils/helpers.ts)
  • Line number — the exact line where the import occurs
  • Code snippet — the actual import statement content
This allows developers to quickly navigate to the relevant code and assess the actual exposure to the vulnerability.

Priority Adjustment

When reachability priority adjustment is enabled, CybeDefend automatically modifies vulnerability priorities based on package usage:
| Original Priority | Used Package | Unused Package |
| --- | --- | --- |
| Very Low | Low | Very Low |
| Low | Normal | Very Low |
| Normal | Urgent | Very Low |
| Urgent | Critical Urgent | Very Low |
| Critical Urgent | Critical Urgent | Very Low |
This means a Normal severity vulnerability in a package your code actually imports gets promoted to Urgent, while the same vulnerability in an unused dependency drops to Very Low — dramatically reducing noise in your vulnerability backlog.
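As an added illustration (not CybeDefend's own code), the following Python models the behaviour described above on constructed input: it locates import statements in JavaScript/TypeScript and Python sources, records file path, line number and snippet for each, classifies each dependency as used, unused or potentially used, and applies the priority table, with auto-ignore for unused packages. The sample file contents, package names and the `potentially` set are assumptions made for the example.

```python
import re

# Priority promotion for Used packages: one level up, per the table above.
PROMOTE = {
    "very low": "low", "low": "normal", "normal": "urgent",
    "urgent": "critical urgent", "critical urgent": "critical urgent",
}

# Constructed sample source files ({path: contents}); not a real project.
SOURCES = {
    "src/utils/helpers.ts": "import axios from 'axios';\nimport { parse } from 'yaml';\n",
    "tests/app.test.ts": "import lodash from 'lodash';\n",
    "app/main.py": "import requests\nfrom flask import Flask\n",
}

# Import patterns for the two ecosystems the page names as most precise.
IMPORT_RES = [
    re.compile(r"""^\s*import\s+(?:.+?\s+from\s+)?['"]([^'"]+)"""),  # JS/TS
    re.compile(r"^\s*(?:import|from)\s+([A-Za-z_]\w*)"),               # Python
]

def find_imports(sources):
    """Return {package: [(file path, line number, import snippet), ...]}."""
    found = {}
    for path, text in sources.items():
        for n, line in enumerate(text.splitlines(), start=1):
            for rx in IMPORT_RES:
                m = rx.match(line)
                if m:
                    found.setdefault(m.group(1), []).append((path, n, line.strip()))
                    break
    return found

def reachability(dep, imports, potentially=()):
    """Classify a dependency; `potentially` lists packages known to be loaded indirectly."""
    if dep in imports:
        return "used"
    return "potentially used" if dep in potentially else "unused"

def adjust(priority, status, auto_ignore=True):
    """Apply the priority table; returns (new priority, auto-ignored flag)."""
    if status == "used":
        return PROMOTE[priority], False
    if status == "unused":
        return "very low", auto_ignore
    return priority, False  # potentially used: no automatic change
```

The import locations returned by `find_imports` let a reviewer see, for instance, that `lodash` is only imported under `tests/`.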

Configuration

Exploitable Path analysis is controlled by two per-project settings, both enabled by default:

Reachability Priority Adjustment

When enabled, vulnerability priorities are automatically adjusted based on whether the affected package is used or unused in your code (see the priority table above).

Reachability Auto-Ignore

When enabled, vulnerabilities associated with unused packages are automatically set to Ignored status. This significantly reduces noise by hiding vulnerabilities that cannot be exploited since the dependency is never called.
1. Navigate to Project Settings

   Open your project and go to the Settings section.

2. Find SCA Reachability Settings

   Locate the Reachability Priority Adjustment and Reachability Auto-Ignore toggles.

3. Toggle as Needed

   Enable or disable each setting independently based on your team’s workflow.
Disabling reachability auto-ignore will stop automatically ignoring vulnerabilities in unused packages for future scans. Previously ignored vulnerabilities will not be automatically restored.

Supported Ecosystems

Exploitable path analysis is available for all package ecosystems supported by CybeDefend’s SCA scanner, including:
  • npm (JavaScript/TypeScript)
  • pip / Poetry (Python)
  • Maven / Gradle (Java, Kotlin, Scala)
  • Go modules
  • NuGet (.NET)
  • Composer (PHP)
  • Cargo (Rust)
  • CocoaPods / Swift PM (iOS)
  • Pub (Dart/Flutter)
  • Hex (Elixir/Erlang)
  • Clojars (Clojure)
  • Conan (C/C++)
The accuracy of reachability detection varies by ecosystem. Ecosystems with explicit import statements (e.g., the JavaScript and Python import statements) provide the most precise results.

Best Practices

The default configuration (priority adjustment + auto-ignore) provides the best signal-to-noise ratio. Only disable these settings if your compliance requirements mandate reviewing all dependency vulnerabilities regardless of usage.
Packages marked as Potentially Used may still represent real risk. Review these manually, especially for critical and high severity vulnerabilities.
Use the Policy Management feature to create rules that account for reachability. For example, block builds only when a used package has a critical vulnerability.
When triaging a vulnerability, review the import locations to understand how the package is used. A package imported only in test files may carry less risk than one used in production code paths.

Related: License Compliance · Managing Vulnerabilities · Policy Management