
Dependency Scanners Don't Validate Runtime Reality

OWASP Dependency Check is excellent at finding vulnerable dependencies. But it cannot validate runtime truth—whether your code actually uses real services or fake fallbacks.

What dependency scanners catch

What dependency scanners miss

The gap

Dependency scanners validate what you depend on. Runtime truth validates how your code behaves. A dependency can be perfectly secure, but if your code falls back to a fake client when config is missing, production still serves fake data.

The solution: Add a reality gate

Complement dependency scanning with a deploy gate that validates:

Practical example

# OWASP dependency check (existing)
dependency-check --scan ./src

# Add reality gate (new)
npx guardrail mockproof
npx guardrail gate
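To make the gap concrete, here is an added example (not guardrail's own code) of the silent fallback the page describes, a payments client factory that hands back a fake when its API key is missing, together with a minimal reality gate that resolves clients exactly as production would and fails when any fake survives. The client classes, the PAYMENTS_API_KEY variable and the placeholder values are constructed for this illustration.

```javascript
// Real client: only constructed when the required config is present.
class RealPaymentsClient {
  constructor(apiKey) { this.apiKey = apiKey; this.isFake = false; }
  charge(amount) { return { ok: true, source: 'live', amount }; }
}

// Fake client: convenient in tests, dangerous if it reaches production.
class FakePaymentsClient {
  constructor() { this.isFake = true; }
  charge(amount) { return { ok: true, source: 'fake', amount }; }
}

// The failure mode: missing config quietly selects the fake. Every package
// involved can be fully patched, so a dependency scanner reports nothing.
function createPaymentsClient(env) {
  return env.PAYMENTS_API_KEY
    ? new RealPaymentsClient(env.PAYMENTS_API_KEY)
    : new FakePaymentsClient();
}

// Reality gate: run each factory with the environment the deploy will use
// and flag anything that resolves to a fake (explicit flag or naming hint).
function realityGate(env, factories) {
  const fakeName = /^(Fake|Mock|Stub|Dummy)/;
  const findings = [];
  for (const [name, factory] of Object.entries(factories)) {
    const client = factory(env);
    if (client.isFake === true || fakeName.test(client.constructor.name)) {
      findings.push(`${name}: resolved to ${client.constructor.name}; ` +
                    'production would serve fake data');
    }
  }
  return { pass: findings.length === 0, findings };
}

// Constructed deploy environments: one missing the key, one with a placeholder.
const brokenEnv = { NODE_ENV: 'production' };
const healthyEnv = { NODE_ENV: 'production', PAYMENTS_API_KEY: 'sk_live_PLACEHOLDER' };
const factories = { payments: createPaymentsClient };

console.log(realityGate(brokenEnv, factories));   // pass: false, one finding
console.log(realityGate(healthyEnv, factories));  // pass: true, no findings
```

Wiring `realityGate` into the deploy pipeline and exiting non-zero on `pass === false` turns the check into a gate rather than a report.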

Result

Dependency scanners protect against vulnerable packages. The reality gate protects against fake behavior. Together they secure both dependencies and runtime.

Some teams use guardrail to detect this automatically in CI.