One web app that brings every product together

A continuously-built corpus of supply-chain facts: hundreds of thousands of packages, advisories, IOCs, and documented attacks, enriched and connected into a graph. It is also a research engine: it mines public writeups and advisories to connect the dots across seemingly-separate packages (same IOCs, same campaign, same actor) and surface threats early.

A detection harness that scans a package and finds both known issues (matched against authoritative advisory data) and novel ones (malicious behaviour, install-time tricks, dangerous code paths) that no feed has listed yet. The same engine runs in the CLI.

A registry firewall that proxies npm, PyPI, and Maven: developers and CI pull vetted artifacts instead of reaching upstream directly. Known-bad never makes it in, and unknowns are quarantined until they clear.

A decision layer that turns raw findings into verdicts that fit your policy and your context, using reachability so you act on what is actually exploitable, not everything that is merely present. Decisioning and policy are the platform's own layer.

When something needs doing, Verifi does it: open a fix PR (pulled from CodeFix), block at the proxy, alert the right channel, or run a full incident-response workflow when a bad package is already in your estate.