Dependency auditing CLI — vulnerability scanning, license compliance, outdated detection, and dependency tree visualization.
dep-audit-cli
Comprehensive dependency auditing CLI for vulnerability scanning, license compliance, outdated detection, and dependency tree visualization.
Features
- Vulnerability Scanning — Query OSV.dev API for known CVEs across 6+ ecosystems
- License Compliance — Check dependencies against configurable license policies (strict/moderate/permissive)
- Outdated Detection — Find packages with newer versions on PyPI/npm registries
- Dependency Tree — Visualize project dependency hierarchy with Rich tree rendering
- Multi-Ecosystem — Python, Node.js, Go, Rust, Ruby support out of the box
- Security Scoring — 0–100 health score with letter grades (A+ through F)
- Multiple Output Formats — Rich terminal tables or structured JSON
- CI/CD Ready — Exit codes for pipeline integration, `--strict` mode for zero tolerance
Installation
pip install dep-audit-cli
Quick Start
```shell
# Full audit (vulns + outdated + licenses)
dep-audit audit .

# Vulnerability scan only
dep-audit scan .

# Check license compliance
dep-audit licenses . --policy strict

# Find outdated packages
dep-audit outdated .

# Show dependency tree
dep-audit tree .

# List all dependencies
dep-audit list .

# Project summary
dep-audit info .
```
Commands
dep-audit audit
Run a comprehensive dependency audit combining vulnerability scanning, outdated detection, and license compliance.
dep-audit audit [PATH] [OPTIONS]
Options:
--no-vuln Skip vulnerability scanning
--no-outdated Skip outdated check
--no-license Skip license compliance check
--policy TEXT License policy: strict, moderate, permissive (default: moderate)
--json-output Output as JSON
--strict Exit with code 1 on any finding
Example:
$ dep-audit audit ./my-project --policy strict
╭─── Dependency Audit Report ──────────────────────────────────╮
│ │
│ Project: ./my-project │
│ Ecosystem: Python │
│ Grade: A (92/100) │
│ │
│ Dependencies: 24 total (18 direct, 6 dev) │
│ Vulnerabilities: 1 (0 critical, 1 high) │
│ Outdated: 3 packages │
│ License Issues: 0 │
│ │
╰───────────────────────────────────────────────────────────────╯
dep-audit scan
Scan dependencies for known vulnerabilities using the OSV.dev database.
dep-audit scan [PATH] [OPTIONS]
Options:
--json-output Output as JSON
--strict Exit with code 1 on any vulnerability
Example:
$ dep-audit scan .
Vulnerability Scan Results
┌──────────────┬─────────┬──────────┬────────────────────────────────────┐
│ Package │ Version │ Severity │ Advisory │
├──────────────┼─────────┼──────────┼────────────────────────────────────┤
│ requests │ 2.25.0 │ 🔴 HIGH │ GHSA-j8r2-6x86-q33q │
│ urllib3 │ 1.26.5 │ 🟡 MED │ PYSEC-2023-212 │
└──────────────┴─────────┴──────────┴────────────────────────────────────┘
dep-audit licenses
Check dependency licenses against compliance policies.
dep-audit licenses [PATH] [OPTIONS]
Options:
--policy TEXT License policy: strict, moderate, permissive
--summary Show license distribution summary
--json-output Output as JSON
Policies:
| Policy | Allowed | Flagged |
|---|---|---|
| strict | MIT, BSD, Apache-2.0 | LGPL, MPL, GPL, AGPL |
| moderate | MIT, BSD, Apache-2.0, LGPL, MPL | GPL, AGPL |
| permissive | MIT, BSD, Apache, LGPL, MPL, GPL | AGPL |
dep-audit outdated
Find dependencies with newer versions available.
dep-audit outdated [PATH] [OPTIONS]
Options:
--json-output Output as JSON
Example:
$ dep-audit outdated .
Outdated Dependencies
┌──────────────┬──────────┬──────────┬────────┐
│ Package │ Current │ Latest │ Update │
├──────────────┼──────────┼──────────┼────────┤
│ click │ 8.0.0 │ 8.1.7 │ minor │
│ rich │ 12.0.0 │ 13.7.1 │ major │
│ requests │ 2.28.0 │ 2.31.0 │ minor │
└──────────────┴──────────┴──────────┴────────┘
dep-audit tree
Visualize the dependency tree hierarchy.
dep-audit tree [PATH]
Example:
$ dep-audit tree .
📦 my-project
├── 📦 Direct Dependencies
│ ├── click >= 8.0
│ ├── rich >= 13.0
│ └── requests >= 2.28
└── 📦 Dev Dependencies [dev]
├── pytest >= 7.0
└── ruff >= 0.1.0
dep-audit list
List all project dependencies with metadata.
dep-audit list [PATH] [OPTIONS]
Options:
--dev Include dev dependencies
--json-output Output as JSON
dep-audit info
Display project summary information.
dep-audit info [PATH]
Supported Ecosystems
| Ecosystem | Manifest Files |
|---|---|
| Python | requirements.txt, requirements-dev.txt, requirements_dev.txt, pyproject.toml, setup.cfg, Pipfile |
| Node.js | package.json |
| Go | go.mod |
| Rust | Cargo.toml |
| Ruby | Gemfile |
JSON Output
All commands support --json-output for CI/CD integration:
```shell
dep-audit audit . --json-output > audit-report.json
```

```json
{
  "project_path": ".",
  "ecosystem": "Python",
  "total_dependencies": 24,
  "vulnerabilities": [...],
  "outdated": [...],
  "license_issues": [...],
  "health_score": 92,
  "grade": "A"
}
```
CI/CD Integration
GitHub Actions
```yaml
- name: Dependency Audit
  run: |
    pip install dep-audit-cli
    dep-audit audit . --strict
```
GitLab CI
```yaml
dependency-audit:
  script:
    - pip install dep-audit-cli
    - dep-audit audit . --strict --json-output > audit.json
  artifacts:
    reports:
      dependency_scanning: audit.json
```
Pre-commit Hook
```yaml
repos:
  - repo: local
    hooks:
      - id: dep-audit
        name: Dependency Audit
        entry: dep-audit audit . --strict --no-outdated
        language: system
        pass_filenames: false
```
Exit Codes
| Code | Meaning |
|---|---|
| 0 | No issues found (or non-strict mode) |
| 1 | Issues found (strict mode) or fatal error |
Health Scoring
The health score (0–100) is calculated from:
- Security Score: Based on vulnerability count and severity
  - Critical: -25 points each
  - High: -15 points each
  - Medium: -8 points each
  - Low: -3 points each
- Health Score: Combines security score with:
  - License issues: -5 points each
  - Outdated packages: -2 points each
| Grade | Score Range |
|---|---|
| A+ | 95–100 |
| A | 90–94 |
| B+ | 85–89 |
| B | 80–84 |
| C+ | 75–79 |
| C | 70–74 |
| D | 60–69 |
| F | 0–59 |
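The following is an added example, not code from dep-audit-cli: it recomputes the health score and grade from the deductions and grade bands above, and uses them to gate a CI job on the JSON report described in the JSON Output section. The top-level keys follow the documented JSON; the fields of each vulnerability entry (`package`, `version`, `severity`, `advisory`) are assumed from the `dep-audit scan` table columns, and a starting value of 100 with clamping to 0–100 is likewise an assumption.

```python
import json

# Penalties and grade bands exactly as listed in the Health Scoring section.
SEVERITY_PENALTY = {"critical": 25, "high": 15, "medium": 8, "low": 3}
LICENSE_PENALTY, OUTDATED_PENALTY = 5, 2
GRADE_BANDS = [(95, "A+"), (90, "A"), (85, "B+"), (80, "B"),
               (75, "C+"), (70, "C"), (60, "D"), (0, "F")]

# Constructed report using the documented top-level keys. The per-entry fields
# ("package", "version", "severity", "advisory") are assumed from the columns
# of the `dep-audit scan` table; the real JSON may name them differently.
SAMPLE_REPORT = json.dumps({
    "project_path": ".", "ecosystem": "Python", "total_dependencies": 24,
    "vulnerabilities": [
        {"package": "requests", "version": "2.25.0", "severity": "HIGH",
         "advisory": "GHSA-j8r2-6x86-q33q"},
        {"package": "urllib3", "version": "1.26.5", "severity": "MED",
         "advisory": "PYSEC-2023-212"},
    ],
    "outdated": [{"package": "click"}, {"package": "rich"}, {"package": "requests"}],
    "license_issues": [],
    "health_score": 71, "grade": "C",
})

def severity_key(label):
    """Map 'HIGH', 'MED', 'Medium', ... onto the penalty table's keys."""
    prefix = label.strip().lower()[:3]
    return next((k for k in SEVERITY_PENALTY if k.startswith(prefix)), "low")

def recompute_health(report):
    """Apply the documented deductions from a starting value of 100 (assumed), clamped to 0-100."""
    score = 100 - sum(SEVERITY_PENALTY[severity_key(v["severity"])]
                      for v in report["vulnerabilities"])
    score -= LICENSE_PENALTY * len(report["license_issues"])
    score -= OUTDATED_PENALTY * len(report["outdated"])
    return max(0, min(100, score))

def grade_for(score):
    """Letter grade from the README's band table (first band whose lower bound fits)."""
    return next(letter for lower, letter in GRADE_BANDS if score >= lower)

def gate(report_json, min_score=80, blocking=("critical", "high")):
    """Return (exit_code, reasons): 1 on any blocking severity or a score below min_score."""
    report = json.loads(report_json)
    reasons = [f'{v["package"]} {v["version"]}: {v["severity"]} ({v["advisory"]})'
               for v in report["vulnerabilities"] if severity_key(v["severity"]) in blocking]
    score = recompute_health(report)
    if score < min_score:
        reasons.append(f"health score {score} ({grade_for(score)}) below {min_score}")
    return (1 if reasons else 0), reasons
```

Applying these deductions to the figures in the audit example above (1 high, 3 outdated, 0 license issues) gives 79 (C+), not the 92 (A) shown there, so check the starting value and the way the deductions combine against the tool's actual output before relying on a recomputed score.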
Development
```shell
git clone https://github.com/SanjaySundarMurthy/dep-audit.git
cd dep-audit
pip install -e ".[dev]"
pytest tests/ -v
```
License
MIT License — see LICENSE for details.
File details
Details for the file dep_audit_cli-1.0.0.tar.gz.
File metadata
- Download URL: dep_audit_cli-1.0.0.tar.gz
- Size: 27.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.7
File details
Details for the file dep_audit_cli-1.0.0-py3-none-any.whl.
File metadata
- Download URL: dep_audit_cli-1.0.0-py3-none-any.whl
- Size: 23.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.7