Maybe some ideas here: https://www.owasp.org/index.php/Source_Code_Analysis_Tools

At work we use a commercial tool for static analysis. From what I have seen it is rather stupid; it produces a lot of false positive security issues about things like allocating memory (potential resource exhaustion vulnerability...).

You also probably want to pin versions of all dependencies, and store them in a repository that you control access to (a good idea for reproducibility, ignoring security).
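A concrete check for the "pin every dependency" advice in the comment above, added here as an example and not code from the thread: it audits a pip requirements file and reports each entry that `pip install --require-hashes` could not verify (unpinned ranges, pins without a `--hash`, VCS/URL references). The requirements text and the sha256 value are constructed samples.

```python
"""Audit a pip requirements file for entries that are not exactly pinned
and hash-locked, so an upgraded or substituted package cannot slip into an
install unnoticed."""
import re
from typing import List, Tuple

# Constructed sample: one pinned+hashed entry (hash value is made up),
# one pin without a hash, one version range, one VCS reference.
SAMPLE_REQUIREMENTS = """\
# comment line
requests==2.31.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
urllib3==2.0.7
flask>=2.0
-e git+https://example.invalid/repo.git#egg=pkg
"""

# name[extras]==version, stopping at whitespace or an environment marker
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?==([^\s;]+)")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines; drop blank lines and comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = "" if raw.lstrip().startswith("#") else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out


def audit_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (requirement, problem) pairs; empty means every dependency is
    exactly pinned and carries a sha256 hash."""
    findings = []
    for line in _logical_lines(text):
        if line.startswith(("-e", "git+", "http://", "https://")):
            findings.append((line, "VCS/URL reference cannot be hash-verified"))
        elif not PIN_RE.match(line):
            findings.append((line, "not pinned with =="))
        elif not HASH_RE.search(line):
            findings.append((line, "no --hash=sha256:... for pip --require-hashes"))
    return findings


if __name__ == "__main__":
    for req, problem in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{problem}: {req}")
```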
There are open source tools for CVE checking, which is a good start; there are also commercial alternatives like Whitesource. CSP headers can help. So is only using packages that are actively updated.
What tools have you been using to scan NPM/Python/Ruby/Go packages for malicious dependencies? How do I know if one of the dependencies in my package is not going to steal my NPM credentials, for example?
If you are looking for something that helps you keep your OSS packages secure, then Snyk[0] is doing an excellent job at it.

[0] https://snyk.io