7000pctAUTO
79d9f7c5dd
Some checks failed
CI / test (push) Has been cancelled
- Remove unused imports across all modules - Remove unused variables (names, color, output, original_line, extras) - Fix regex syntax errors in parser files - Remove unused Dependency imports from parsers
DepAudit CLI
A comprehensive CLI tool that audits project dependencies across multiple languages for security vulnerabilities, outdated packages, license compliance issues, and unused dependencies.
Features
- Multi-language support: JavaScript/Node.js, Python, Go, Rust, Java/Maven
- Security vulnerability scanning: Query OSV and NVD databases for CVEs
- Outdated package detection: Check for newer versions on package registries
- License compliance checking: Validate against allowlist/blocklist
- Unused dependency detection: Find dependencies that aren't imported
- Multiple output formats: Table (with colors), JSON, or quiet mode
- CI/CD integration: Generate GitHub Actions and GitLab CI configurations
Installation
From PyPI
pip install depaudit-cli
From Source
git clone https://github.com/depaudit/depaudit-cli
cd depaudit-cli
pip install -e .
Using pipx
pipx install depaudit-cli
Quick Start
Audit the current directory:
depaudit audit .
Audit a specific project:
depaudit audit /path/to/project
Output as JSON:
depaudit audit . --format json --output results.json
Skip specific checks:
depaudit audit . --skip-vulnerabilities --skip-licenses
Filter by severity:
depaudit audit . --severity high
Supported Languages
| Language | Dependency Files |
|---|---|
| JavaScript/Node.js | package.json, package-lock.json, yarn.lock |
| Python | requirements.txt, setup.py, pyproject.toml, Pipfile |
| Go | go.mod |
| Rust | Cargo.toml, Cargo.lock |
| Java/Maven | pom.xml, build.gradle |
Usage
Command Options
| Option | Description |
|---|---|
--format |
Output format: table, json, or quiet |
--output |
Write output to file |
--no-color |
Disable colored output |
--no-cache |
Disable API response caching |
--severity |
Minimum severity: critical, high, medium, low, all |
--skip-vulnerabilities |
Skip CVE vulnerability scanning |
--skip-outdated |
Skip outdated package checking |
--skip-licenses |
Skip license compliance checking |
--skip-unused |
Skip unused dependency detection |
--verbose |
Enable verbose output |
CI/CD Generation
Generate GitHub Actions workflow:
depaudit generate-cicd github --schedule "0 0 * * 0"
Generate GitLab CI configuration:
depaudit generate-cicd gitlab
Configuration
Create a .depauditrc file in your project root:
output:
format: table
color: true
verbosity: info
vulnerabilities:
enabled: true
severity_filter: all
api: osv
cache_ttl: 86400
licenses:
enabled: true
allowlist:
- MIT
- Apache-2.0
- BSD-3-Clause
blocklist:
- GPL-3.0
- AGPL-3.0
cicd:
fail_on:
- critical
- high
Output Formats
Table Output
============================================================
DepAudit Report
============================================================
Scanned Files: 5
Scan Duration: 2.45s
[VULNERABILITIES]
+-----------+-------------------------+---------+--------+--------+
| Severity | Package | Current | Fixed | ID |
+-----------+-------------------------+---------+--------+--------+
| CRITICAL | lodash | 4.17.15 | 4.17.21| CVE... |
+-----------+-------------------------+---------+--------+--------+
[OUTDATED PACKAGES]
+----------------------------+---------+---------+------------+
| Package | Current | Latest | Update Type|
+----------------------------+---------+---------+------------+
| express | 4.17.1 | 4.18.2 | minor |
+----------------------------+---------+---------+------------+
SEVERITY SUMMARY:
CRITICAL: 1
HIGH: 0
MEDIUM: 2
LOW: 1
============================================================
JSON Output
{
"vulnerabilities": [...],
"outdated": [...],
"license_issues": [...],
"unused": [...],
"scanned_files": [...],
"scanned_count": 5,
"error_count": 0,
"scan_duration": 2.45,
"summary": {
"total_vulnerabilities": 4,
"severity_breakdown": {
"critical": 1,
"high": 0,
"medium": 2,
"low": 1
},
"total_outdated": 3,
"total_license_issues": 1,
"total_unused": 2
}
}
CI/CD Integration
GitHub Actions
Generate a workflow file:
depaudit generate-cicd github
This creates .github/workflows/depaudit.yml with:
- Scheduled scans (weekly by default)
- Scan on push to main
- Scan on PR creation
- Results uploaded as artifacts
- Comment on PR with summary
GitLab CI
Generate a .gitlab-ci.yml section:
depaudit generate-cicd gitlab
Environment Variables
| Variable | Description |
|---|---|
DEPAUDIT_API_KEY |
API key for premium vulnerability databases |
DEPAUDIT_CACHE_DIR |
Custom cache directory |
DEPAUDIT_CONFIG_FILE |
Path to configuration file |
HTTP_PROXY |
HTTP proxy for API requests |
HTTPS_PROXY |
HTTPS proxy for API requests |
Exit Codes
| Code | Description |
|---|---|
| 0 | No issues found or scan completed successfully |
| 1 | Issues found (configurable via cicd.fail_on) |
| 2 | Error during scan |
Development
Setup
git clone https://github.com/depaudit/depaudit-cli
cd depaudit-cli
pip install -e ".[dev]"
Running Tests
pytest tests/ -v --cov=depaudit
Linting
black depaudit tests
ruff check depaudit tests
mypy depaudit
Contributing
- Fork the repository
- Create a feature branch
- Make your changes
- Add tests for new functionality
- Run the test suite
- Submit a pull request
License
MIT License - see LICENSE for details.