Know what your code depends on.
Your codebase doesn't just contain your code. It contains every package, every transitive dependency, every license obligation, and every unpatched vulnerability in the supply chain. Axiom Refract makes all of it visible.
Why supply chain visibility matters.
License Risk Is Legal Risk
A single GPL-licensed transitive dependency in a proprietary codebase can trigger compliance obligations your legal team didn't anticipate. Most teams don't audit past the first level of their dependency tree. The risk lives in the layers below.
Stale Packages Are Security Debt
A dependency that hasn't been updated in two years isn't “stable” — it's abandoned. Known vulnerabilities accumulate. Maintainers disappear. And your production system inherits every unpatched CVE in the chain.
You Don't Know What You Depend On
Your package.json has 40 dependencies. Your lock file has 1,200. Most teams can name the direct dependencies but have no visibility into the transitive tree — the packages their packages depend on. That's where supply chain attacks land.
What Axiom Refract tracks.
Package Inventory
Every direct and transitive dependency, across every language in your codebase. Python, JavaScript, TypeScript, Rust, Go, Java, Ruby — all resolved into a single, unified bill of materials.
License Classification
Each package's license is identified and classified by risk level. Permissive (MIT, Apache-2.0), copyleft (GPL, AGPL), weak copyleft (LGPL, MPL), and unknown/missing licenses are all flagged with appropriate severity.
Staleness Detection
Packages are evaluated against their published release history. Dependencies that haven't been updated in 12+ months are flagged as stale. Dependencies with no maintainer activity are flagged as potentially abandoned.
Zone-Filtered View
Filter the supply chain by architectural zone. See which packages belong to which part of your system. When a vulnerability is announced, know immediately which zones are affected and which teams need to respond.
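As an added illustration of the inventory, license classification and staleness checks described above (example code written for this page, not Axiom Refract's own implementation; the package names, licenses, release dates and the fixed "today" are constructed):

```python
from collections import deque
from datetime import date
# Constructed sample (not real packages): a lock file flattened to version, SPDX id (None = missing), release date, deps.
LOCK = {
    "http-core":   {"version": "3.2.1", "license": "Apache-2.0", "released": date(2024, 9, 15), "deps": ["uri-parse"]},
    "uri-parse":   {"version": "0.9.0", "license": "GPL-3.0-only", "released": date(2021, 3, 1), "deps": []},
    "tmpl-engine": {"version": "2.0.0", "license": "LGPL-2.1-only", "released": date(2023, 6, 30), "deps": ["escape-util"]},
    "escape-util": {"version": "1.1.0", "license": None, "released": date(2022, 1, 10), "deps": ["uri-parse"]},
}
DIRECT = ["http-core", "tmpl-engine"]   # what the manifest (package.json etc.) declares
TODAY = date(2025, 1, 15)               # fixed so the staleness result is reproducible

# License tiers with a severity per tier; unknown or missing ids are flagged high.
LICENSE_TIERS = {
    "permissive":    ({"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}, "info"),
    "weak-copyleft": ({"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}, "medium"),
    "copyleft":      ({"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}, "high"),
}
STALE_AFTER_DAYS = 365  # no release in 12+ months => stale

def classify_license(spdx):
    """Return (tier, severity); None or an unrecognised id becomes ('unknown', 'high')."""
    for tier, (ids, severity) in LICENSE_TIERS.items():
        if spdx in ids:
            return tier, severity
    return "unknown", "high"

def walk_transitive(lock, roots):
    """Breadth-first walk from the direct deps. Returns {name: depth}, depth 1 = direct,
    2+ = transitive (shortest path); the seen dict also stops on dependency cycles."""
    seen, queue = {}, deque((r, 1) for r in roots)
    while queue:
        name, depth = queue.popleft()
        if name in seen:
            continue
        seen[name] = depth
        queue.extend((d, depth + 1) for d in lock[name]["deps"])
    return seen

def build_report(lock, roots, today=TODAY):
    """One record per reachable package: depth, license tier/severity, staleness."""
    report = []
    for name, depth in sorted(walk_transitive(lock, roots).items()):
        pkg = lock[name]
        tier, severity = classify_license(pkg["license"])
        age = (today - pkg["released"]).days
        report.append({"name": name, "version": pkg["version"], "depth": depth,
                       "tier": tier, "severity": severity, "stale": age >= STALE_AFTER_DAYS})
    return report
```

Note that the copyleft and unlicensed findings here sit at depth 2, below the direct dependencies a first-level audit would inspect.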
SBOM is no longer optional.
Regulatory frameworks worldwide now require or strongly recommend software bills of materials. If you sell software to enterprises, governments, or regulated industries, SBOM capability is table stakes.
Executive Order 14028
U.S. federal SBOM requirement for software sold to government agencies.
EU Cyber Resilience Act
Mandatory SBOM for products with digital elements sold in the EU.
NTIA Minimum Elements
Baseline SBOM fields: supplier, component, version, dependency relationship, timestamp.
SOC 2 Type II
Supply chain risk is a control area. Auditors increasingly ask for dependency inventories.
PCI-DSS 4.0
Requirement 6.3 mandates identification and management of vulnerabilities in third-party components.
Query it. Automate it. Integrate it.
Supply chain data is available in the interactive web viewer, in JSON export, and via MCP for AI agent consumption. Filter by zone to scope audits to specific parts of your system. Use the API to integrate supply chain checks into your CI/CD pipeline.
When the next Log4j happens, you'll know in seconds whether you're affected — and exactly which zones need patching.
See every package your codebase depends on.
Upload your repository. Axiom Refract generates a complete software bill of materials — packages, licenses, staleness, risk classifications — across every language in your stack.