Phylum

Pricing from: Contact the product provider
Free trial: unavailable
Free version: unavailable
User corporate size: Small, Medium, Large
User industry:
  1. Healthcare and life sciences
  2. Retail and wholesale
  3. Professional services (engineering, legal, consulting, etc.)

What is Phylum

Phylum is a software supply chain security platform focused on detecting and blocking malicious or risky open-source packages before they enter an organization’s codebase. It is used by security and engineering teams to scan dependencies during development and in CI/CD, with policy controls to gate builds and pull requests. The product emphasizes package risk signals beyond known CVEs, such as indicators of malicious behavior, typosquatting, and suspicious maintainer or release activity. It also supports generating and working with SBOM-related dependency inventory as part of supply chain governance workflows.

Pros

Malicious package detection focus

Phylum is designed to identify malicious open-source packages and suspicious package behavior, not only known vulnerabilities. This helps teams address threats like typosquatting, dependency confusion patterns, and suspicious release or maintainer activity that traditional vulnerability-only scanning can miss. It fits organizations that want explicit controls to prevent risky packages from being introduced into builds.

CI/CD and developer workflow gating

Phylum integrates into common developer workflows to scan dependencies during pull requests and CI builds. Policy-based controls allow teams to fail builds or block merges when packages violate defined risk thresholds. This supports DevSecOps practices by shifting supply chain checks earlier and making enforcement consistent across repositories.

Policy and risk governance controls

The platform provides configurable policies to standardize what is acceptable across teams and projects. This supports centralized governance for dependency usage, including allow/deny decisions and risk-based exceptions. It is useful for organizations that need repeatable controls across multiple repositories and engineering groups.

Cons

Not a full AppSec suite

Phylum primarily targets open-source dependency and package risk, rather than covering the full breadth of application security testing. Organizations may still need separate tools for areas such as deep static analysis, runtime protection, or API security. Buyers looking for a single consolidated platform across all AppSec domains may need additional products.

Signal transparency varies by finding

Risk scoring and maliciousness determinations can depend on proprietary signals and heuristics. In some cases, teams may need additional context to understand why a package is flagged and how to remediate without disrupting development. This can increase triage effort, especially when policies are strict and block builds.

SBOM depth depends on workflow

While Phylum supports dependency inventory and SBOM-related use cases, SBOM completeness and formats can vary based on how projects build and which ecosystems are scanned. Organizations with strict SBOM compliance requirements may need to validate supported standards, export formats, and coverage across languages and build systems. Some teams may still rely on dedicated SBOM tooling for advanced compliance workflows.

Plan & Pricing

No public pricing or plan tiers are listed on Phylum's official documentation or main site. The Phylum documentation and site direct users to contact the Veracode sales team for account creation and pricing; the Phylum free Community edition was sunset on 24 February 2025.

Seller details

Phylum, Inc.
Everett, Washington, United States
2020
Private
https://www.phylum.io/
https://x.com/phylum_io
https://www.linkedin.com/company/phylum-io/