Usage
dep-scan is ideal for use during continuous integration (CI) and as a local development tool.
Scanning projects locally (Python version)
sudo npm install -g @cyclonedx/cdxgen
# Normal version recommended for most users (MIT)
pip install owasp-depscan
# For a performant version, that uses valkey cache during risk audit (BSD-3-Clause)
pip install owasp-depscan[perf]
This installs two commands, cdxgen and depscan.
You can then invoke the scan command directly with the various options:
cd <project to scan>
depscan --src $PWD --reports-dir $PWD/reports
The full list of options is below:
usage: cli.py [-h] [--no-banner] [] [--csaf] [--sync] [--profile {appsec,research,operational,threat-modeling,license-compliance,generic}] [--no-suggest] [--risk-audit] [--private-ns PRIVATE_NS] [-t PROJECT_TYPE] [--bom BOM]
              [-i SRC_DIR_IMAGE] [-o REPORT_FILE] [--reports-dir REPORTS_DIR] [--report-template REPORT_TEMPLATE] [--report-name REPORT_NAME] [--no-error] [--no-license-scan] [--deep] [--no-universal] [--no-vuln-table]
              [--threatdb-server THREATDB_SERVER] [--threatdb-username THREATDB_USERNAME] [--threatdb-password THREATDB_PASSWORD] [--threatdb-token THREATDB_TOKEN] [--server] [--server-host SERVER_HOST] [--server-port SERVER_PORT]
              [--cdxgen-server CDXGEN_SERVER] [--debug] [--explain] [--reachables-slices-file REACHABLES_SLICES_FILE] [-v]
Fully open-source security and license audit for application dependencies and container images based on known vulnerabilities and advisories.
options:
  -h, --help            show this help message and exit
  --no-banner           Do not display banner
                 Cache vulnerability information in platform specific user_data_dir
  --csaf                Generate a OASIS CSAF VEX document
  --sync                Sync to receive the latest vulnerability data. Should have invoked cache first.
  --profile {appsec,research,operational,threat-modeling,license-compliance,generic}
                        Profile to use while generating the BOM.
  --no-suggest          Disable suggest mode
  --risk-audit          Perform package risk audit (slow operation). Npm only.
  --private-ns PRIVATE_NS
                        Private namespace to use while performing oss risk audit. Private packages should not be available in public registries by default. Comma separated values accepted.
  -t PROJECT_TYPE, --type PROJECT_TYPE
                        Override project type if auto-detection is incorrect
  --bom BOM             Examine using the given Software Bill-of-Materials (SBOM) file in CycloneDX format. Use cdxgen command to produce one.
  -i SRC_DIR_IMAGE, --src SRC_DIR_IMAGE
                        Source directory or container image or binary file
  -o REPORT_FILE, --report_file REPORT_FILE
                        DEPRECATED. Use reports directory since multiple files are created. Report filename with directory
  --reports-dir REPORTS_DIR
                        Reports directory
  --report-template REPORT_TEMPLATE
                        Jinja template file used for rendering a custom report
  --report-name REPORT_NAME
                        Filename of the custom report written to the --reports-dir
  --no-error            UNUSED: Continue on error to prevent build from breaking
  --no-license-scan     UNUSED: dep-scan doesn't perform license scanning by default
  --deep                Perform deep scan by passing this --deep argument to cdxgen. Useful while scanning docker images and OS packages.
  --no-universal        Depscan would attempt to perform a single universal scan instead of individual scans per language type.
  --no-vuln-table       Do not print the table with the full list of vulnerabilities. This can help reduce console output.
  --threatdb-server THREATDB_SERVER
                        ThreatDB server url. Eg: https://api.sbom.cx
  --threatdb-username THREATDB_USERNAME
                        ThreatDB username
  --threatdb-password THREATDB_PASSWORD
                        ThreatDB password
  --threatdb-token THREATDB_TOKEN
                        ThreatDB token for token based submission
  --server              Run depscan as a server
  --server-host SERVER_HOST
                        depscan server host
  --server-port SERVER_PORT
                        depscan server port
  --cdxgen-server CDXGEN_SERVER
                        cdxgen server url. Eg: http://cdxgen:9090
  --debug               Run depscan in debug mode.
  --explain             Makes depscan to explain the various analysis. Useful for creating detailed reports.
  --reachables-slices-file REACHABLES_SLICES_FILE
                        Path for the reachables slices file created by atom.
  --purl SEARCH_PURL    Scan a single package url.
  -v, --version         Display the version
Scanning containers locally (Python version)
Scan a Java project.
depscan --src <path> -o containertests/depscan-scan.json -t java
Scan the latest tag of the container image shiftleft/scan-slim:
depscan --src shiftleft/scan-slim -o containertests/depscan-scan.json -t docker
Add license to the project type to also perform the license audit:
depscan --src shiftleft/scan-slim -o containertests/depscan-scan.json -t docker,license
You can also specify the image using its sha256 digest:
depscan --src redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e -o containertests/depscan-redmine.json -t docker
You can also save container images with the docker or podman save command and pass the resulting archive to depscan for scanning:
docker save -o /tmp/scanslim.tar shiftleft/scan-slim:latest
# podman save --format oci-archive -o /tmp/scanslim.tar shiftleft/scan-slim:latest
depscan --src /tmp/scanslim.tar -o reports/depscan-scan.json -t docker
Refer to the docker tests under the GitHub action workflow for this repo for more examples.
Scanning projects locally (Docker container)
The ghcr.io/owasp-dep-scan/dep-scan container image can be used to perform the scan.
To scan with default settings:
docker run --rm -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports
To scan with a configuration based on custom environment variables:
docker run --rm \
    -e VDB_HOME=/db \
    -e GITHUB_TOKEN=<token> \
    -v /tmp:/db \
    -v $PWD:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports
In the above example, /tmp on the host is mounted as /db inside the container, and that path is passed as VDB_HOME, the directory in which depscan caches vulnerability information. Mounting a persistent host directory this way lets the database be cached and reused across runs, which improves performance.
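The following is an added example, not part of the dep-scan project or this page: a small CI wrapper that ties together the steps above. It scans a source tree with the ghcr.io/owasp-dep-scan/dep-scan container while keeping the VDB_HOME cache on a persistent host directory, and it scans a container image through the docker save archive path shown earlier, refusing image references that are not pinned by a full sha256 digest so the job audits exactly the image that will be deployed rather than whatever a mutable tag resolves to at scan time. The function names, the DEPSCAN_DRY_RUN variable and the directory layout are this example's own choices; it assumes docker and depscan are on PATH when run for real.

```shell
#!/bin/sh
# Added CI wrapper around dep-scan (example code, not the project's own).
# Assumptions: docker and depscan on PATH; cache and report directories are
# writable; DEPSCAN_DRY_RUN=1 only prints the container command (hypothetical
# knob of this example, useful for testing the wrapper itself).
set -eu

# Return 0 when an image reference is pinned by a complete sha256 digest,
# e.g. redmine@sha256:<64 lowercase hex chars>. A tag such as :latest is
# mutable, so a scan of it says nothing about the image deployed later.
is_digest_pinned() {
    case "$1" in
        *@sha256:*) ;;
        *) return 1 ;;
    esac
    digest="${1##*@sha256:}"
    [ "${#digest}" -eq 64 ] || return 1
    case "$digest" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# Scan a project directory with the official container image.
# $1 = project dir, $2 = host cache dir (mounted as /db and exported as
# VDB_HOME so the vulnerability database is reused between runs),
# $3 = optional project type override passed as -t (e.g. java, docker,license).
scan_project() {
    if [ -n "${3:-}" ]; then type_args="-t $3"; else type_args=""; fi
    if [ "${DEPSCAN_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "docker run --rm -e VDB_HOME=/db -v $2:/db -v $1:/app ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports $type_args"
        return 0
    fi
    mkdir -p "$2" "$1/reports"
    # shellcheck disable=SC2086  # type_args is deliberately word-split
    docker run --rm -e VDB_HOME=/db -v "$2:/db" -v "$1:/app" \
        ghcr.io/owasp-dep-scan/dep-scan --src /app --reports-dir /app/reports $type_args
}

# Scan a container image via a saved archive, as in the docker save example.
# $1 = digest-pinned image reference, $2 = reports dir. Returns 2 when the
# reference is not pinned, otherwise depscan's own exit status.
scan_image() {
    if ! is_digest_pinned "$1"; then
        echo "refusing to scan '$1': pin the image by sha256 digest" >&2
        return 2
    fi
    mkdir -p "$2"
    archive="$(mktemp)"
    docker save -o "$archive" "$1"
    if depscan --src "$archive" -o "$2/depscan-scan.json" -t docker; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$archive"   # the archive can be large; never leave it on the runner
    return "$rc"
}

# Typical pipeline usage (uncomment in a real job):
# scan_project "$PWD" "${HOME}/.cache/depscan-vdb" java
# scan_image 'redmine@sha256:a5c5f8a64a0d9a436a0a6941bc3fb156be0c89996add834fe33b66ebeed2439e' "$PWD/reports"
```

Because --no-error is documented as UNUSED, the wrapper leaves the decision of whether a non-zero depscan exit fails the build to the calling job; with set -e in place, a failing scan_project or scan_image aborts the script unless the caller tests the return value explicitly.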