diff --git a/website/docs/comparison.md b/website/docs/comparison.md index 135252e..66c05df 100644 --- a/website/docs/comparison.md +++ b/website/docs/comparison.md 
@@ -15,29 +15,31 @@ This page compares CVE Lite CLI against the tools developers most commonly consi - [CVE Lite CLI vs OSV-Scanner](#cve-lite-cli-vs-osv-scanner) - [CVE Lite CLI vs Snyk CLI](#cve-lite-cli-vs-snyk-cli) - [CVE Lite CLI vs Socket CLI](#cve-lite-cli-vs-socket-cli) +- [CVE Lite CLI vs OWASP DependencyCheck](#cve-lite-cli-vs-owasp-dependencycheck) +- [CVE Lite CLI vs OWASP dep-scan](#cve-lite-cli-vs-owasp-dep-scan) - [Best fit](#best-fit) --- ## Practical comparison -| Capability | CVE Lite CLI | Dependabot | npm audit | OSV-Scanner | Snyk CLI | Socket CLI | -|---|:---:|:---:|:---:|:---:|:---:|:---:| -| JS/TS lockfile scanning | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | -| npm + pnpm + Yarn support | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | -| Developer-time local scanning | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | -| No account or GitHub repo required | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | -| Works in any CI provider | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | -| Usage-aware reachability scanning | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ | -| Direct vs transitive visibility | ✅ | ⚠️ | ⚠️ | ✅ | ✅ | ✅ | -| Validated copy-and-run fix commands | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ | -| Transitive parent update guidance | ✅ | ❌ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | -| Fix version validation before suggesting | ✅ | ❌ | ❌ | ❌ | ⚠️ | ❌ | -| Clear top-priority fix guidance | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ | -| Suggested remediation plan | ✅ | ❌ | ❌ | ⚠️ | ✅ | ⚠️ | -| JSON + SARIF output | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | -| Offline/local advisory DB workflow | ✅ | ❌ | ❌ | ⚠️ | ❌ | ❌ | -| No automatic PR noise | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | +| Capability | CVE Lite CLI | Dependabot | npm audit | OSV-Scanner | Snyk CLI | Socket CLI | DependencyCheck | dep-scan | +|---|:---:|:---:|:---:|:---:|:---:|:---:|:---:|:---:| +| JS/TS lockfile scanning | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | +| npm + pnpm + Yarn support | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | +| Developer-time local scanning | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | +| No account or GitHub repo required | ✅ | ❌ | ✅ | ✅ | ❌ | ❌ | ✅ | ⚠️ | +| Works in any CI provider | ✅ | ❌ 
| ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | +| Usage-aware reachability scanning | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ | ❌ | ✅ | +| Direct vs transitive visibility | ✅ | ⚠️ | ⚠️ | ✅ | ✅ | ✅ | ⚠️ | ✅ | +| Validated copy-and-run fix commands | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ | ❌ | ⚠️ | +| Transitive parent update guidance | ✅ | ❌ | ⚠️ | ⚠️ | ⚠️ | ⚠️ | ❌ | ❌ | +| Fix version validation before suggesting | ✅ | ❌ | ❌ | ❌ | ⚠️ | ❌ | ❌ | ✅ | +| Clear top-priority fix guidance | ✅ | ❌ | ❌ | ❌ | ✅ | ⚠️ | ⚠️ | ✅ | +| Suggested remediation plan | ✅ | ❌ | ❌ | ⚠️ | ✅ | ⚠️ | ❌ | ⚠️ | +| JSON + SARIF output | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ⚠️ | ⚠️ | +| Offline/local advisory DB workflow | ✅ | ❌ | ❌ | ⚠️ | ❌ | ❌ | ⚠️ | ✅ | +| No automatic PR noise | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength @@ -47,10 +49,10 @@ Transitive parent update guidance is one of CVE Lite CLI's core differentiators. ## Offline support -| Capability | CVE Lite CLI | Dependabot | npm audit | OSV-Scanner | Snyk CLI | Socket CLI | -|---|:---:|:---:|:---:|:---:|:---:|:---:| -| Local advisory DB workflow | ✅ | ❌ | ❌ | ⚠️ | ❌ | ❌ | -| Zero runtime advisory API calls | ✅ | ❌ | ❌ | ⚠️ | ❌ | ❌ | +| Capability | CVE Lite CLI | Dependabot | npm audit | OSV-Scanner | Snyk CLI | Socket CLI | DependencyCheck | dep-scan | +|---|:---:|:---:|:---:|:---:|:---:|:---:|:---:|:---:| +| Local advisory DB workflow | ✅ | ❌ | ❌ | ⚠️ | ❌ | ❌ | ⚠️ | ✅ | +| Zero runtime advisory API calls | ✅ | ❌ | ❌ | ⚠️ | ❌ | ❌ | ❌ | ✅ | ✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength 
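Review bot: in the practical comparison table the new dep-scan column gives "No account or GitHub repo required" a ⚠️, but nothing in the dep-scan section added later in this patch names an account or hosted service it depends on (that section says both tools run locally without sending data to a cloud platform), so either the cell should be ✅ or the prose should say what is partial about it. The same goes for the DependencyCheck "JSON + SARIF output" ⚠️ cell: the later format list "(HTML, XML, JSON, CSV, JUnit)" omits SARIF, yet the Dependency-Check CLI has accepted `--format SARIF` since the 6.1 release; if that was verified, make the cell ✅ and add SARIF to the list, otherwise state the limitation.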
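Review bot: in the offline table, "Zero runtime advisory API calls" is ❌ for DependencyCheck only because of the npm/pnpm/yarn audit analyzers described later in this patch, and those analyzers are optional (`--disableNodeAudit` plus the matching yarn and pnpm flags); with them disabled and NVD mirrored, the scan makes no runtime calls, which is the same situation the row above rates ⚠️ for "Local advisory DB workflow". Use ⚠️ here too, with the same kind of "workflow-dependent" qualifier already used for the OSV-Scanner column, so the two rows tell one consistent story.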
@@ -407,6 +409,113 @@ vendor-neutral approach to vulnerability remediation. --- +## CVE Lite CLI vs OWASP DependencyCheck + +[OWASP DependencyCheck](https://owasp.org/www-project-dependency-check/) is an OWASP Flagship project and one of the earliest SCA tools, started in 2012. It is a general-purpose scanner that supports Java, .NET, Node.js, Python, Ruby, Go, and more through a CPE-based analysis engine with ecosystem-specific analyzers. + +CVE Lite CLI and DependencyCheck represent different eras of SCA tool design. DependencyCheck identifies vulnerabilities by matching dependencies to CPE identifiers and cross-referencing them against the NVD database. CVE Lite CLI parses lockfiles directly and queries OSV for advisory data. + +### Why architecture matters for JS/TS scanning + +DependencyCheck relies on separate analyzers for each package ecosystem. For JavaScript, it delegates to the `npm audit`, `pnpm audit`, and `yarn audit` CLI commands — it does not parse lockfiles itself. This means: + +- **Requires the package manager CLI to be installed** on the scan machine. If `pnpm` or `yarn` is not present, the corresponding analyzer fails silently or is skipped. +- **Requires internet access at scan time** for JS/TS projects. The Node Audit, PNPM Audit, and Yarn Audit analyzers all call `registry.npmjs.org` via the package manager CLI. Even if you mirror the NVD data locally, JS scanning still makes outbound calls. +- **Results depend on npm audit's output model**, which counts every node in a dependency chain as a separate vulnerability — inflating counts on non-trivial projects. + +CVE Lite CLI parses the lockfile directly, works without any package manager installed, and never calls `registry.npmjs.org` during a scan. + +### No copy-and-run fix commands + +DependencyCheck produces reports (HTML, XML, JSON, CSV, JUnit) that list CVEs by dependency. It does not produce scoped install commands. 
Developers receive a list of vulnerable libraries and must manually determine the correct upgrade path — including which parent package to update for transitive dependencies. + +CVE Lite CLI consolidates multiple CVEs per package into a single finding and hands you the exact `npm install package@version` command, validated against OSV. + +### Where DependencyCheck has the edge + +- **Multi-ecosystem**: Comprehensive support for Java, .NET, Python, Ruby, Go, and more. CVE Lite is focused on JavaScript and TypeScript. +- **OWASP Flagship status**: DependencyCheck is the highest-level OWASP project classification, with a longer track record and broader institutional adoption. +- **Maven/Gradle/Ant integration**: Native plugins for Java build toolchains. CVE Lite is a standalone CLI. +- **CPE-based identification**: Can identify vulnerabilities in compiled JARs and binaries where no lockfile or package manifest exists. +- **NVD data mirroring**: Supports full local mirroring of NVD data for offline use — though JS analyzers still need the npm registry. + +### Where CVE Lite CLI goes further + +- **Lockfile-native parsing**: Reads `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock`, and `bun.lock` directly. No package manager CLI required. +- **Validated copy-and-run fix commands**: One command per finding, validated against OSV before presentation. +- **Transitive parent guidance**: Identifies the parent package that controls the vulnerable transitive dependency and tells you whether to run `npm update ` or `npm install @`. +- **True offline for JS**: Sync advisory data once, scan offline indefinitely with zero outbound calls — including for JS/TS projects. +- **Usage-aware reachability**: `--usage` tells you which vulnerable packages are actually imported in your source code. +- **Root-cause finding counts**: One vulnerable package = one finding, not one per CVE per dependency tree node. 
+ +### Recommended approach + +If your stack is primarily Java or .NET with some JavaScript, DependencyCheck is a proven choice that covers all ecosystems in one tool. If you are JavaScript or TypeScript-first and want actionable fix commands, clear transitive guidance, and genuine offline scanning, CVE Lite CLI is purpose-built for that workflow. The two tools can be run side by side — they use different data sources (NVD vs OSV) and different identification methods (CPE vs lockfile graph), so each may surface findings the other misses. + +--- + +## CVE Lite CLI vs OWASP dep-scan + +[OWASP dep-scan](https://owasp.org/www-project-dep-scan/) is a next-generation security and risk audit tool donated to OWASP by AppThreat Ltd in 2023. It scans local repositories, container images, and Kubernetes manifests, generating CycloneDX SBOMs via cdxgen and checking packages against a local vulnerability database (VDB). + +Dep-scan and CVE Lite CLI share several design principles: both run locally without sending data to a cloud platform, both support offline scanning with a local advisory database, and both are fully open source under the MIT license. But they differ meaningfully in output model and scope. + +### Different output models + +Dep-scan produces CycloneDX Vulnerability Disclosure Report (VDR) JSON and optional CSAF 2.0 VEX documents. Its output is oriented toward ASPM and VM platform ingestion — structured SBOM data that feeds into broader security toolchains. + +CVE Lite CLI produces terminal output designed for a developer sitting at a command line: severity, direct vs transitive classification, the specific parent package to upgrade, and a copy-and-run install command. 
+ +**dep-scan output — transitive finding:** +```json +"recommendation": "upgrade to 4.12.18" +``` + +**CVE Lite CLI output — same project:** +``` +MEDIUM hono@4.12.9 + Transitive dependency + Fix: upgrade to 4.12.18 + +> npm install hono@4.12.18 +``` + +### Fix suggestion approach + +Dep-scan's suggest mode (enabled by default) finds the optimal fix version by cross-referencing the advisory database. If version `4.12.18` fixes a CVE but version `4.12.16` has a different known vulnerability, suggest mode will skip `4.12.16` and recommend `4.12.18`. CVE Lite CLI performs the same kind of validation against OSV — but presents the result as a package-manager-specific command rather than a version number in a JSON report. + +### Where dep-scan has the edge + +- **Reachability analysis**: Dep-scan has advanced reachability analysis (FrameworkReachability and SemanticReachability) that computes data-flow call graphs for Java, JavaScript, TypeScript, and Python. CVE Lite's `--usage` is import-level only. +- **Multi-ecosystem and container scanning**: Dep-scan scans container images, Kubernetes manifests, and OS packages alongside application dependencies. +- **SBOM generation**: Generates CycloneDX SBOMs, VDR, and CSAF VEX documents as first-class output — useful for toolchain integration. +- **Package risk audit**: Detects dependency confusion attacks, typosquatting risks, and maintenance risks via `--risk-audit`. +- **License scanning**: Reports license compliance issues alongside vulnerability findings. +- **Server mode**: Can run as a persistent server for integration with ASPM platforms. +- **Custom vulnerability data**: Supports loading private CVEs and overriding false positives via local CVE 5.2 JSON/YAML files. 
+ +### Where CVE Lite CLI goes further + +- **Transitive parent update guidance**: Dep-scan reports the vulnerable package and suggests a fix version; it does not identify the parent package that controls the transitive dependency or tell you what command to run. +- **Copy-and-run fix commands**: CVE Lite outputs scoped `npm install`, `npm update`, or package-manager-specific commands. Dep-scan outputs a version recommendation in VDR JSON that requires interpretation. +- **Package-manager-native commands**: For npm lockfiles, CVE Lite distinguishes between `npm update ` (when the current range can absorb a safe version) and `npm install @` (when the range must change). +- **Zero-config for JS/TS**: Install via npm, point at a lockfile, get results. Dep-scan requires Python, cdxgen, and VDB setup. +- **SARIF output**: CVE Lite supports SARIF for GitHub Code Scanning integration. + +### Why finding counts may differ + +Dep-scan checks packages against its VDB (which aggregates NVD, OSV, GitHub, and NPM advisories). CVE Lite checks against OSV. This means: + +- A vulnerability indexed in NVD but not yet in OSV will appear in dep-scan but not in CVE Lite. +- OSV-specific advisories (e.g., from OSS-Fuzz) will appear in CVE Lite but may not be in dep-scan's VDB until its next sync. +- Dep-scan groups findings by CVE within each package; CVE Lite groups all CVEs for a package into one finding. + +### Recommended approach + +Use dep-scan when you need broad multi-ecosystem coverage with advanced reachability analysis, SBOM generation, and ASPM platform integration. Use CVE Lite CLI when you want fast, actionable terminal output for JavaScript and TypeScript dependency scanning with clear fix commands and parent-aware transitive guidance. The two tools share an offline-first philosophy and complement each other well in a layered security workflow. 
+ +--- + ## Best fit CVE Lite CLI is the only free, OWASP-recognized vulnerability scanner for JavaScript and TypeScript that delivers validated fix commands and parent-aware transitive remediation — without requiring an account, a cloud platform, or internet access at scan time.
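Review bot: the "Best fit" paragraph kept as trailing context still says CVE Lite CLI is "the only free, OWASP-recognized vulnerability scanner for JavaScript and TypeScript that delivers validated fix commands ... without requiring ... internet access at scan time", and this same patch now documents dep-scan as a free OWASP project with a local VDB, offline scanning and suggest-mode fix validation (the table even gives dep-scan ✅ for "Fix version validation before suggesting"), so that sentence should be narrowed to the actual differentiator the sections argue for (parent-aware transitive guidance and copy-and-run commands) or dropped. Three further points in the new sections: the placeholders in "tells you whether to run `npm update ` or `npm install @`" (and again in the dep-scan section, "`npm update ` ... `npm install @`") have been swallowed, most likely because `<package>` was written unescaped and rendered as an HTML tag; keep them inside the backticks as `npm update <package>` / `npm install <package>@<version>` so they survive rendering. The claim that DependencyCheck "does not parse lockfiles itself" and "Requires internet access at scan time" for JS/TS should be checked against its Node.js Package Analyzer, which reads package.json and package-lock.json and matches against the local NVD mirror independently of the Node Audit, Yarn Audit and PNPM Audit analyzers; if only the default configuration was tested, say "by default" and note that the audit analyzers can be disabled, otherwise the "True offline for JS" bullet overstates the gap. Finally, "fails silently or is skipped" when `pnpm` or `yarn` is missing should be softened to what was actually observed, since a logged warning is the expected behaviour, and the project's own name is "Dependency-Check" (hyphenated), which the heading and link text should follow.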