CLI Scanner
Prerequisites:
- Node.js 18 or higher
- npm (comes with Node.js)
- A Deptic API key (generate at deptic.in/dashboard/settings)
Installation:
```bash
npm install -g deptic-scan
```
Verify installation:
```bash
deptic-scan --version
# deptic-scan v1.0.0
```
Basic usage:
```bash
# Navigate to your project directory
cd /path/to/your/project
# Run the scanner
deptic-scan
# You will be prompted for your API key on first run
# The key is saved locally for convenience
```
What happens when you run deptic-scan:
1. Detects current working directory name as project name
2. Searches recursively (max depth 5) for manifest files: package.json, requirements.txt, pyproject.toml, pom.xml, go.mod, Cargo.toml, Gemfile, composer.json
3. Excludes noise directories: node_modules, .venv, venv, target, dist, build, vendor, .git
4. Reads and sends manifest file contents to POST /api/scan-local
5. Waits for scan to complete (progress shown in terminal)
6. Prints results table
7. Downloads PDF report, CycloneDX JSON, and SPDX file to current directory
Example terminal output:
```
┌─────────────────────────────────────┐
│ DEPTIC Security Scanner │
│ Software Supply Chain Analysis │
└─────────────────────────────────────┘
Project : spring-petclinic
Path : D:\projects\spring-petclinic
✓ Found 1 manifest file
✓ pom.xml (maven)
Ecosystems: maven
┌─────────────────────────────────────┐
│ SCAN RESULTS │
├─────────────────────────────────────┤
│ Inventory Size 63 │
│ Direct Library 15 │
│ Transitive 48 │
│ License Spread 14 │
├─────────────────────────────────────┤
│ Active Threats 12 │
│ Medium CVEs 12 │
├─────────────────────────────────────┤
│ NTIA Score 85/100 │
│ Compliance PARTIALLY COMPLIANT │
└─────────────────────────────────────┘
Downloading reports...
✓ deptic-report-spring-petclinic.pdf
✓ deptic-sbom-spring-petclinic.cyclonedx.json
✓ deptic-sbom-spring-petclinic.spdx
Reports saved to current directory.
View full report: https://deptic.in/dashboard
```
Flags:
| Flag | Description | Default |
|---|---|---|
| --api-key | Provide API key non-interactively | Prompts if not set |
| --output=json | Print results as JSON instead of table | table |
| --no-download | Skip report file downloads | false |
| --depth=N | Max directory scan depth | 5 |

