Overview
corgea deps builds an offline dependency inventory from npm, Python, and Java manifests and lockfiles. It can inspect dependency graphs, explain why a package is present, compare dependency changes, generate a CycloneDX SBOM, and evaluate dependency policy.
corgea deps does not require a Corgea account, token, or network access.
Inventory
Run an offline dependency scan from the project root:--format human, agent, json, or quiet to control terminal output for scan, graph, explain, diff, and policy init. In detected agent environments, corgea deps defaults to the compact agent format; pass --format human to force normal terminal output.
For corgea deps scan, use --out-format table, json, or sarif with optional --out-file when exporting a report. Do not combine --format and --out-format on the same deps scan command.
Policy
Initialize.corgea/deps.yml:
latest, or semver ranges are reported.
CI Integration
Copy this workflow into.github/workflows/dependencies.yml.
Reference
Commands
| Command | Purpose | Key flags |
|---|---|---|
corgea deps scan [PATH] | Scan manifests and lockfiles, build inventory, evaluate policy | --fail-on, --format, --out-format, --out-file |
corgea deps graph [PATH] | Print the dependency graph | --format |
corgea deps explain <PACKAGE> [PATH] | Explain why a package is present | --format |
corgea deps diff --base <BASE> [PATH] | Compare dependency graph against a git ref | --base, --fail-on-new, --format |
corgea deps sbom [PATH] | Generate a CycloneDX SBOM | --format, --out |
corgea deps policy init [PATH] | Write a starter .corgea/deps.yml policy file | --exist-ok, --format |
Formats
| Flag | Values | Commands |
|---|---|---|
--format | human, agent, json, quiet | scan, graph, explain, diff, policy init |
--out-format | table, json, sarif | scan only |
--format | cyclonedx | sbom only |
Exit Codes
| Exit | Condition |
|---|---|
| 0 | Command completed without a failing policy threshold |
| 1 | deps scan --fail-on or deps diff --fail-on-new found matching findings |
| 2 | Invalid arguments, unsupported formats, bad severity values, missing packages for explain, or other command errors |
Severity Values
--fail-on and --fail-on-new accept info, low, medium, high, or critical.
Troubleshooting
Format Conflict
deps scan rejects commands that combine --format with --out-format.
--format for terminal rendering and --out-format for exported scan reports.
Package Not Found
deps explain exits with code 2 when the package is not present in the scanned dependency graph.
