7000pctAUTO/depaudit-cli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
43 Commits 1 Branch 1 Tag
ea08d50b30cc03058cb4d68f771498d25a2dca0e
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE

README.md

DepAudit CLI

A comprehensive CLI tool that audits project dependencies across multiple languages for security vulnerabilities, outdated packages, license compliance issues, and unused dependencies.

Features

  • Multi-language support: JavaScript/Node.js, Python, Go, Rust, Java/Maven
  • Security vulnerability scanning: Query OSV and NVD databases for CVEs
  • Outdated package detection: Check for newer versions on package registries
  • License compliance checking: Validate against allowlist/blocklist
  • Unused dependency detection: Find dependencies that aren't imported
  • Multiple output formats: Table (with colors), JSON, or quiet mode
  • CI/CD integration: Generate GitHub Actions and GitLab CI configurations

Installation

From PyPI

pip install depaudit-cli

From Source

git clone https://github.com/depaudit/depaudit-cli
cd depaudit-cli
pip install -e .

Using pipx

pipx install depaudit-cli

Quick Start

Audit the current directory:

depaudit audit .

Audit a specific project:

depaudit audit /path/to/project

Output as JSON:

depaudit audit . --format json --output results.json

Skip specific checks:

depaudit audit . --skip-vulnerabilities --skip-licenses

Filter by severity:

depaudit audit . --severity high

Supported Languages

Language Dependency Files
JavaScript/Node.js package.json, package-lock.json, yarn.lock
Python requirements.txt, setup.py, pyproject.toml, Pipfile
Go go.mod
Rust Cargo.toml, Cargo.lock
Java/Maven pom.xml, build.gradle

Usage

Command Options

Option Description
--format Output format: table, json, or quiet
--output Write output to file
--no-color Disable colored output
--no-cache Disable API response caching
--severity Minimum severity: critical, high, medium, low, all
--skip-vulnerabilities Skip CVE vulnerability scanning
--skip-outdated Skip outdated package checking
--skip-licenses Skip license compliance checking
--skip-unused Skip unused dependency detection
--verbose Enable verbose output

CI/CD Generation

Generate GitHub Actions workflow:

depaudit generate-cicd github --schedule "0 0 * * 0"

Generate GitLab CI configuration:

depaudit generate-cicd gitlab

Configuration

Create a .depauditrc file in your project root:

output:
  format: table
  color: true
  verbosity: info

vulnerabilities:
  enabled: true
  severity_filter: all
  api: osv
  cache_ttl: 86400

licenses:
  enabled: true
  allowlist:
    - MIT
    - Apache-2.0
    - BSD-3-Clause
  blocklist:
    - GPL-3.0
    - AGPL-3.0

cicd:
  fail_on:
    - critical
    - high

Output Formats

Table Output

============================================================
DepAudit Report
============================================================
Scanned Files: 5
Scan Duration: 2.45s

[VULNERABILITIES]
+-----------+-------------------------+---------+--------+--------+
| Severity  | Package                 | Current | Fixed  | ID     |
+-----------+-------------------------+---------+--------+--------+
| CRITICAL  | lodash                  | 4.17.15 | 4.17.21| CVE... |
+-----------+-------------------------+---------+--------+--------+

[OUTDATED PACKAGES]
+----------------------------+---------+---------+------------+
| Package                    | Current | Latest  | Update Type|
+----------------------------+---------+---------+------------+
| express                    | 4.17.1  | 4.18.2  | minor      |
+----------------------------+---------+---------+------------+

SEVERITY SUMMARY:
  CRITICAL: 1
  HIGH: 0
  MEDIUM: 2
  LOW: 1
============================================================

JSON Output

{
  "vulnerabilities": [...],
  "outdated": [...],
  "license_issues": [...],
  "unused": [...],
  "scanned_files": [...],
  "scanned_count": 5,
  "error_count": 0,
  "scan_duration": 2.45,
  "summary": {
    "total_vulnerabilities": 4,
    "severity_breakdown": {
      "critical": 1,
      "high": 0,
      "medium": 2,
      "low": 1
    },
    "total_outdated": 3,
    "total_license_issues": 1,
    "total_unused": 2
  }
}

CI/CD Integration

GitHub Actions

Generate a workflow file:

depaudit generate-cicd github

This creates .github/workflows/depaudit.yml with:

  • Scheduled scans (weekly by default)
  • Scan on push to main
  • Scan on PR creation
  • Results uploaded as artifacts
  • Comment on PR with summary

GitLab CI

Generate a .gitlab-ci.yml section:

depaudit generate-cicd gitlab

Environment Variables

Variable Description
DEPAUDIT_API_KEY API key for premium vulnerability databases
DEPAUDIT_CACHE_DIR Custom cache directory
DEPAUDIT_CONFIG_FILE Path to configuration file
HTTP_PROXY HTTP proxy for API requests
HTTPS_PROXY HTTPS proxy for API requests

Exit Codes

Code Description
0 No issues found or scan completed successfully
1 Issues found (configurable via cicd.fail_on)
2 Error during scan

Development

Setup

git clone https://github.com/depaudit/depaudit-cli
cd depaudit-cli
pip install -e ".[dev]"

Running Tests

pytest tests/ -v --cov=depaudit

Linting

black depaudit tests
ruff check depaudit tests
mypy depaudit

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Add tests for new functionality
  5. Run the test suite
  6. Submit a pull request

License

MIT License - see LICENSE for details.

Reference in New Issue View Git Blame Copy Permalink
Description
A comprehensive CLI tool that audits project dependencies for security vulnerabilities, outdated packages, license compliance, and unused dependencies.
Readme MIT 157 KiB
Releases 1
v1.0.0 Latest
2026-02-02 21:38:06 +00:00
Languages
Python 100%