LunaTrace: The Open-Source Dependency Scanner Born from Log4Shell
Hook
The team that discovered and named Log4Shell didn't just find a vulnerability—they built an entire dependency scanning platform to prevent the next one. Their scanner is now open-source and free.
Context
In December 2021, the cybersecurity world erupted when Log4Shell was discovered—a zero-day vulnerability in Log4j that affected hundreds of millions of applications. The LunaSec team not only discovered and named this critical vulnerability, but they also shipped a CLI scanner within hours that helped thousands of companies identify their exposure. That crisis revealed a fundamental problem: most development teams lacked real-time visibility into their dependency vulnerabilities, and the commercial solutions that existed were either expensive, slow, or locked into proprietary ecosystems.
LunaTrace emerged from this experience as an open-source alternative to tools like Snyk and GitHub Dependabot. Rather than positioning themselves as just another security vendor, the LunaSec team built their credibility through action—discovering critical vulnerabilities and shipping free tools to help developers protect themselves. LunaTrace is their evolution from emergency response tool to comprehensive supply chain security platform, offering dependency scanning, SBOM generation, and GitHub pull request integration. It's built for teams who want transparency in their security tooling and don't want to pay enterprise prices for vulnerability notifications.
Technical Insight
LunaTrace is architected as a TypeScript-based monorepo managed with Lerna, with strategic Go components for performance-critical operations. The system operates in two modes: a free SaaS offering via the GitHub App marketplace, or a self-hosted deployment for teams with strict data residency requirements. At its core, the architecture follows a multi-stage pipeline pattern where dependency graphs are parsed, vulnerabilities are matched against continuously updated databases, and results are surfaced directly in GitHub pull requests before code reaches production.
The GitHub App integration is where LunaTrace differentiates itself from traditional CLI-based scanners. When you install the app, it automatically creates webhooks for pull request events and push events to your default branch. Here's what a basic integration looks like after installation:
// LunaTrace automatically scans these dependency manifests;
// no configuration is required in your CI/CD pipeline.
// package.json (Node.js project); the log4js entry is the one LunaTrace flags:
{
  "dependencies": {
    "log4js": "^6.3.0",
    "express": "^4.18.0"
  }
}
// When a PR is opened, LunaTrace comments with findings, for example:
// "🔴 Critical vulnerability found: log4js has a known RCE
//  CVE-2022-21704 | CVSS 9.8
//  Recommendation: Upgrade to log4js@^6.4.0"
The real power comes from how LunaTrace handles the SBOM generation process. Unlike simpler scanners that just parse lock files, LunaTrace builds a complete dependency graph including transitive dependencies, which is critical for catching vulnerabilities buried deep in your stack. The system generates CycloneDX-format SBOMs, making it interoperable with other compliance and security tools your organization might use. This is particularly valuable for teams pursuing SOC2, PCI-DSS, or other compliance frameworks that now require software composition analysis.
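To make the transitive-graph point concrete, here is an added example (not LunaTrace's own code) that walks an npm lockfile the way Node resolves packages, nearest node_modules first, and emits a CycloneDX 1.4 SBOM with an explicit dependency graph rather than a flat list. The lockfile object, its lockfileVersion 3 layout and the package versions are constructed for illustration.

```javascript
// Constructed package-lock.json (lockfileVersion 3 layout), a simplified stand-in, not a real project's lockfile.
const LOCKFILE = {
  name: "demo-app", version: "1.0.0", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0", dependencies: { log4js: "^6.3.0", express: "^4.18.0" } },
    "node_modules/log4js": { version: "6.3.0", dependencies: { streamroller: "^2.2.4" } },
    "node_modules/streamroller": { version: "2.2.4", dependencies: { debug: "^4.1.1" } },
    "node_modules/debug": { version: "4.3.4" },
    "node_modules/express": { version: "4.18.2", dependencies: { debug: "2.6.9" } },
    // express pins an older debug, so npm nests a second copy under express's own node_modules
    "node_modules/express/node_modules/debug": { version: "2.6.9" },
  },
};
// Resolve a dependency name the way Node does: nearest node_modules first, then walk upward to the root.
function resolvePath(fromPath, name, packages) {
  const candidate = fromPath ? `${fromPath}/node_modules/${name}` : `node_modules/${name}`;
  if (packages[candidate]) return candidate;
  if (fromPath === "") return null;
  const idx = fromPath.lastIndexOf("/node_modules/");
  return resolvePath(idx < 0 ? "" : fromPath.slice(0, idx), name, packages);
}
const purl = (name, version) => `pkg:npm/${name}@${version}`;
// Walk the resolved graph from the root and emit a CycloneDX 1.4 SBOM whose "dependencies" section
// records which exact copy each package depends on (the hoisted debug vs. the nested one).
function buildSbom(lock) {
  const pkgs = lock.packages;
  const components = [], dependencies = [], seen = new Set();
  const walk = (path) => {
    const meta = pkgs[path];
    const name = path === "" ? meta.name : path.slice(path.lastIndexOf("node_modules/") + 13);
    const ref = purl(name, meta.version);
    if (seen.has(ref)) return ref; // already emitted (also breaks dependency cycles)
    seen.add(ref);
    if (path !== "") components.push({ type: "library", name, version: meta.version, purl: ref, "bom-ref": ref });
    const dependsOn = Object.keys(meta.dependencies || {}).map((dep) => {
      const depPath = resolvePath(path, dep, pkgs);
      if (depPath === null) throw new Error(`cannot resolve ${dep} from ${path || "<root>"}`);
      return walk(depPath);
    });
    dependencies.push({ ref, dependsOn });
    return ref;
  };
  const rootRef = walk("");
  return {
    bomFormat: "CycloneDX", specVersion: "1.4", version: 1,
    metadata: { component: { type: "application", name: lock.name, version: lock.version, "bom-ref": rootRef } },
    components, dependencies,
  };
}
```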
For teams that need more control, the CLI tool offers programmatic access to the same scanning engine:
# Scan a project and output SBOM
npx @lunasec/cli scan --output sbom.json
# Fail builds on critical vulnerabilities
npx @lunasec/cli scan --severity critical --fail-on-found
# Compare dependencies between commits
npx @lunasec/cli diff main..feature-branch
The monorepo structure reveals sophisticated architectural decisions. The codebase separates concerns cleanly: the CLI tools live in their own packages, the web console is a standalone Next.js application, and shared vulnerability database logic is abstracted into reusable modules. This allows the team to ship updates to the GitHub App integration without redeploying CLI tools, and vice versa. The use of TypeScript across the stack—even for traditionally Go-dominated territory like CLI tools—demonstrates a pragmatic choice to maximize team velocity over marginal performance gains.
One particularly clever design pattern is how LunaTrace handles vulnerability database updates. Rather than requiring users to manually update their scanner or wait for new releases, the system queries a continuously updated API endpoint. This means the moment a new CVE is published, all LunaTrace instances—whether SaaS or self-hosted—can detect it. For the self-hosted deployment, this is configurable for air-gapped environments, where teams can point to their own vulnerability database mirror.
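An added example, not code from the LunaTrace project, of the matching step a scanner runs once it has the SBOM graph and a freshly fetched advisory feed: version checks against OSV-style half-open ranges, a shortest-path walk back to the root so a finding shows how a nested copy got into the build, and the severity gate equivalent to the --severity/--fail-on-found flags shown earlier. The components, graph and advisories (placeholder ids, illustrative ranges) are constructed.

```javascript
// Constructed inputs (not real project data) in CycloneDX shape; advisory ids are placeholders and ranges are OSV-style: introduced <= v < fixed.
const COMPONENTS = [
  { name: "log4js", version: "6.3.0", purl: "pkg:npm/log4js@6.3.0" },
  { name: "streamroller", version: "2.2.4", purl: "pkg:npm/streamroller@2.2.4" },
  { name: "debug", version: "4.3.4", purl: "pkg:npm/debug@4.3.4" },
  { name: "express", version: "4.18.2", purl: "pkg:npm/express@4.18.2" },
  { name: "debug", version: "2.6.9", purl: "pkg:npm/debug@2.6.9" }, // second copy nested under express
];
const GRAPH = [
  { ref: "pkg:npm/demo-app@1.0.0", dependsOn: ["pkg:npm/log4js@6.3.0", "pkg:npm/express@4.18.2"] },
  { ref: "pkg:npm/log4js@6.3.0", dependsOn: ["pkg:npm/streamroller@2.2.4"] },
  { ref: "pkg:npm/streamroller@2.2.4", dependsOn: ["pkg:npm/debug@4.3.4"] },
  { ref: "pkg:npm/express@4.18.2", dependsOn: ["pkg:npm/debug@2.6.9"] },
];
const ADVISORIES = [
  { id: "ADV-EXAMPLE-0001", package: "log4js", introduced: "0.0.0", fixed: "6.4.0", severity: "critical" },
  { id: "ADV-EXAMPLE-0002", package: "debug", introduced: "0.0.0", fixed: "4.3.1", severity: "moderate" },
];
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Numeric x.y.z comparison; prerelease suffixes are stripped rather than ordered (enough for this example).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number), pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}
const isAffected = (v, adv) =>
  compareVersions(v, adv.introduced) >= 0 && (adv.fixed == null || compareVersions(v, adv.fixed) < 0);

// Breadth-first search from the root, so a finding can show how a nested package got into the build.
function pathTo(graph, rootRef, targetRef) {
  const parents = new Map([[rootRef, null]]), queue = [rootRef];
  while (queue.length) {
    const cur = queue.shift();
    if (cur === targetRef) { const p = []; for (let r = cur; r !== null; r = parents.get(r)) p.unshift(r); return p; }
    for (const next of (graph.find((d) => d.ref === cur) || { dependsOn: [] }).dependsOn)
      if (!parents.has(next)) { parents.set(next, cur); queue.push(next); }
  }
  return null;
}
function scan(components, graph, rootRef, advisories) {
  const findings = [];
  for (const c of components) for (const adv of advisories)
    if (adv.package === c.name && isAffected(c.version, adv))
      findings.push({ id: adv.id, severity: adv.severity, purl: c.purl, fixed: adv.fixed, path: pathTo(graph, rootRef, c.purl) });
  return findings;
}
// Equivalent of a `--severity <level> --fail-on-found` gate: true when any finding meets the threshold.
const shouldFail = (findings, threshold) => findings.some((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold]);
```

Note that the hoisted debug@4.3.4 is above the fixed version and is not flagged, while the copy express pins underneath itself is; only the graph walk tells you which one a finding refers to.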
The Log4Shell scanner component, while now largely historical, showcases how the team prioritizes speed-to-market during security crises. It's a focused, single-purpose tool that recursively searches directories for vulnerable Log4j versions, including nested JARs and shaded dependencies. This scanner gained traction because it was free, open-source, and auditable during a moment when trust was critical. That same philosophy permeates LunaTrace—security tools should be transparent, not black boxes.
Gotcha
The most significant limitation is explicitly documented in the repository: LunaDefend, the data tokenization and security component, is unmaintained. The README clearly states that the team has narrowed their focus to LunaTrace, meaning roughly a third of the advertised feature set (tokenization, zero-trust architecture for data protection, GDPR compliance tooling) is deprecated. If you came to this repository expecting a complete data security platform, you'll be disappointed. The team deserves credit for transparency, but it does raise questions about long-term commitment and feature stability across the platform.
The self-hosted deployment path is under-documented compared to the GitHub App installation. While the SaaS offering is genuinely a 30-second install, self-hosting requires navigating a complex TypeScript monorepo with multiple services, databases, and configuration requirements that aren't fully outlined in the main README. For teams with strict data residency requirements or those who can't use GitHub Apps due to enterprise policies, this creates a significant friction point. You'll need to dive into Docker Compose files and internal documentation to piece together a production deployment. Additionally, the small team size means community support might be limited compared to more established projects like OWASP Dependency-Check or Trivy, which have larger contributor bases and more extensive documentation ecosystems.
Verdict
Use LunaTrace if you're a GitHub-centric team that wants free, transparent dependency scanning without vendor lock-in to commercial tools, or if you specifically trust the team's security expertise from their Log4Shell discovery. It's particularly compelling for startups and open-source projects that need compliance-ready SBOMs without budget for Snyk or Sonatype. The GitHub App integration makes it genuinely frictionless for standard workflows. Skip it if you need enterprise support guarantees, multi-platform repository hosting (GitLab, Bitbucket), or active development on data tokenization features from LunaDefend. Also avoid if you require self-hosted deployment but lack the engineering resources to configure complex TypeScript services—the SaaS offering is where this tool shines. For teams already invested in GitHub's ecosystem and comfortable with a smaller, focused team behind their security tooling, LunaTrace offers genuine value without the commercial tool bloat.