DepWarden CLI
Anonymous, zero‑account, zero‑dependency software composition analysis for CI. Scans a dependency manifest / lockfile / SBOM against DepWarden and prints prioritized findings — vulnerabilities (OSV + CISA KEV + EPSS), supply‑chain / typosquat risk, deprecated/low‑health deps, licenses and malware.
It uploads only the manifest text you point it at — never your source code or binaries.
Use it (no install)
# Node >= 18
node index.mjs scan package-lock.json --fail-on high
cat pom.xml | node index.mjs scan -
node index.mjs scan bom.json --json # machine-readable (CycloneDX/SPDX SBOMs supported)

Options:
  --fail-on <critical|high|medium|low|never> — exit non‑zero when a finding at/above this severity exists (default high)
  --name <NAME> — project label
  --api <URL> — self‑hosted DepWarden base URL (default https://depwarden.in)
  --json — emit the full scan JSON
Exit codes: 0 clean · 1 gating findings present · 2 usage/network error.
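As an added example (not part of the depwarden project), here is a Node post-processing step over the `--json` output that mirrors the documented `--fail-on` semantics and exit codes, and additionally gates on the KEV and EPSS signals the scan is described as carrying. The finding field names (`findings`, `severity`, `kev`, `epss`) and the sample output are assumptions and constructed data, not the CLI's documented schema.

```javascript
// Added example, not depwarden's own code. ASSUMED finding shape:
// { id, package, severity: 'low'|'medium'|'high'|'critical', kev: bool, epss: number }
const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Same semantics as the CLI's --fail-on: 'never' disables severity gating,
// any other value gates findings at or above that severity.
function meetsSeverity(finding, failOn) {
  if (failOn === 'never') return false;
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown --fail-on value: ${failOn}`);
  return (SEVERITY_RANK[finding.severity] ?? 0) >= threshold;
}

// Exit codes follow the README: 0 clean, 1 gating findings present,
// 2 usage error (here: input that is not the scan JSON).
// Extra gates: any CISA KEV entry, or EPSS at/above epssMin, also fails the build.
function gateScan(scanJsonText, { failOn = 'high', epssMin = 0.1, failOnKev = true } = {}) {
  let scan;
  try { scan = JSON.parse(scanJsonText); } catch { return { exitCode: 2, gating: [] }; }
  const findings = Array.isArray(scan.findings) ? scan.findings : [];
  const gating = findings.filter(f =>
    meetsSeverity(f, failOn) ||
    (failOnKev && f.kev === true) ||
    (typeof f.epss === 'number' && f.epss >= epssMin));
  return { exitCode: gating.length ? 1 : 0, gating };
}

// Constructed sample output (not real CLI output): a medium finding that is
// nevertheless on the KEV list with high EPSS should gate even at --fail-on high.
const SAMPLE = JSON.stringify({ findings: [
  { id: 'constructed-1', package: 'left-pad', severity: 'medium', kev: false, epss: 0.02 },
  { id: 'constructed-2', package: 'lodash',   severity: 'medium', kev: true,  epss: 0.8 },
  { id: 'constructed-3', package: 'minimist', severity: 'low',    kev: false, epss: 0.005 },
]});

const result = gateScan(SAMPLE, { failOn: 'high' });
for (const f of result.gating) console.log(`GATING ${f.package} ${f.id} sev=${f.severity} kev=${f.kev} epss=${f.epss}`);
console.log(`exit code: ${result.exitCode}`);
```

In CI you would feed it the real output (`node index.mjs scan package-lock.json --json > scan.json`) and call `process.exit(result.exitCode)` after reading that file.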
GitHub Action
# .github/workflows/sca.yml
name: SCA
on: [push, pull_request]
jobs:
  depwarden:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Rushabh5000/dep-warden/cli@main
        with:
          file: package-lock.json
          fail-on: high

No token, no secret, no account — unlike Snyk/Black Duck/Mend, which require sign‑up and send your project to their cloud.