LunaTrace: Self-Hosted Dependency Scanning That Learned from Log4Shell
Hook
The team that broke the Log4Shell story built their own dependency scanner. Their experience responding to one of the worst vulnerabilities in history shaped how they think about supply chain security—and it shows.
Context
Supply chain attacks have become the asymmetric weapon of choice for attackers. When you install a package, you’re trusting not just that code, but every transitive dependency it pulls in. Tools like GitHub’s Dependabot and Snyk emerged to address this, but they’re either closed-source SaaS offerings or tightly coupled to specific platforms. LunaTrace was born from the LunaSec team’s firsthand experience with Log4Shell—they were the security researchers who broke the news and named the vulnerability. That crucible moment revealed gaps in existing tooling: teams needed faster notification cycles and better visibility into their dependency trees. Rather than build yet another proprietary scanner, they open-sourced their solution under a Creative Commons Attribution-ShareAlike 4.0 license, creating a free alternative to services like GitHub Dependabot and Snyk. The project is available both as a SaaS offering and for self-hosted deployment. It’s positioned as supply chain security for teams who want transparency in their security tooling—not just trust in a vendor’s black box.
Technical Insight
LunaTrace operates as a TypeScript monorepo with a web console at its core. The architecture follows a familiar pattern: a GitHub marketplace app that hooks into pull requests and builds, scanning your dependency tree and cross-referencing it against vulnerability databases. The system is structured for both SaaS and self-hosted deployment. The web console appears to provide a centralized view of projects and their dependencies. Integration happens through the GitHub App, which you can install with one click from the marketplace. Once connected, LunaTrace automatically integrates with GitHub Pull Requests to notify you of new CVEs before you deploy to production.
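To make the scanning step concrete, here is an added Python illustration (not LunaTrace's own code) of what a dependency scanner does at its core: walk the transitive graph recorded in a lockfile and match each installed version against advisory version ranges, keeping the full dependency path so a PR comment can name the direct dependency that pulls the vulnerable package in. The package names, versions and advisory identifiers are constructed sample data.

```python
"""Toy dependency scanner: transitive walk plus advisory-range matching.
All package names, versions and advisory ids below are constructed."""
from typing import Dict, List, Tuple

# Constructed lockfile-style graph: package -> (installed version, direct deps).
LOCKFILE: Dict[str, Tuple[str, List[str]]] = {
    "web-app":       ("1.0.0",  ["http-server", "report-gen"]),
    "http-server":   ("3.2.1",  ["log-formatter"]),
    "report-gen":    ("0.9.0",  ["template-lib", "log-formatter"]),
    "template-lib":  ("2.0.0",  []),
    "log-formatter": ("2.14.1", []),   # reached via two different paths
}

# Constructed advisories: package -> [(advisory id, first affected, first fixed)].
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "log-formatter": [("EXAMPLE-ADV-0001", "2.0.0", "2.15.0")],
    "template-lib":  [("EXAMPLE-ADV-0002", "1.0.0", "1.9.9")],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; a pre-release suffix after '-' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def scan(root: str, lockfile=LOCKFILE, advisories=ADVISORIES) -> List[dict]:
    """Depth-first walk from the root package. Every distinct path to a
    vulnerable version is reported, not just the first one found, because
    the fix differs depending on which direct dependency pulls it in."""
    findings, stack = [], [(root, [root])]
    while stack:
        pkg, path = stack.pop()
        version, deps = lockfile[pkg]
        for adv_id, introduced, fixed in advisories.get(pkg, []):
            if is_affected(version, introduced, fixed):
                findings.append({"advisory": adv_id, "package": pkg,
                                 "version": version, "fixed_in": fixed,
                                 "path": path})
        for dep in deps:
            if dep not in path:            # guard against dependency cycles
                stack.append((dep, path + [dep]))
    return sorted(findings, key=lambda f: (f["advisory"], f["path"]))

if __name__ == "__main__":
    for f in scan("web-app"):
        print(f"{f['advisory']}: {f['package']}@{f['version']} "
              f"(fixed in {f['fixed_in']}) via {' > '.join(f['path'])}")
```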
The repository also contains their Log4Shell CLI tool, a command-line utility that scans for the Log4Shell vulnerability. Although the Log4Shell tool is noted as superseded by LunaTrace’s broader capabilities, it reveals their philosophy: ship working tools fast, then build comprehensive platforms around proven concepts.
The monorepo structure uses Lerna for versioning across packages, with a multi-stage CI/CD pipeline that handles version bumping, artifact compilation for both TypeScript and Go components, publishing to npm and Docker Hub, and git tagging. The README explicitly documents this release process, showing a team that has thought through operational concerns beyond feature development. Their deployment model supports both their SaaS offering at lunatrace.lunasec.io and self-hosted installations.
Gotcha
The Creative Commons Attribution-ShareAlike 4.0 license is unusual for developer tooling and has implications you should understand before adopting LunaTrace. Unlike permissive licenses (MIT, Apache 2.0) or even copyleft licenses designed for software (GPL, AGPL), CC-BY-SA is primarily intended for creative works. The ShareAlike clause means derivative works must use the same license, which could complicate commercial integrations or modifications. If you’re planning to fork and extend LunaTrace as part of a proprietary security product, you’ll need legal review.
The repository contains unmaintained components, specifically LunaDefend—their tokenization-based security suite that targeted SOC2, GDPR, and PCI-DSS compliance. While LunaTrace itself is under active development, the presence of deprecated tooling in the monorepo suggests either resource constraints or strategic pivots. With a small team and 1,468 GitHub stars, LunaTrace lacks the community momentum of established alternatives. This matters for long-term sustainability: fewer contributors means slower feature development, potentially longer security patch cycles, and a higher risk of the project stalling if the core team shifts focus. The documentation acknowledges that LunaTrace is ‘under active development,’ which is honest about its maturity but also a warning that APIs and features may still change. The README does not specify which language ecosystems are supported, so verify that your stack is fully covered before committing to LunaTrace as your primary scanner.
Verdict
Use LunaTrace if you need a free, open-source alternative to Dependabot or Snyk with GitHub PR integration, especially if you want the option to self-host your security scanning infrastructure. It’s ideal for teams who want transparency in their security tooling and the ability to audit the scanner’s source code themselves. The SaaS option provides a frictionless onboarding path to test the platform before committing to self-hosting. Skip it if you need battle-tested stability, verified language ecosystem coverage, or enterprise support contracts. The small community and unmaintained components in the monorepo raise sustainability questions for mission-critical deployments. Also reconsider if the CC-BY-SA license creates complications for your use case—consult legal counsel if you’re planning commercial derivatives. For teams already heavily invested in GitHub’s ecosystem who just need basic vulnerability scanning, Dependabot’s native integration may be the path of least resistance.