Skip to main content

Overview

corgea deps builds an offline dependency inventory from npm, Python, and Java manifests and lockfiles. It can inspect dependency graphs, explain why a package is present, compare dependency changes, generate a CycloneDX SBOM, and evaluate dependency policy. corgea deps does not require a Corgea account, token, or network access.

Inventory

Run an offline dependency scan from the project root:
corgea deps scan
Common commands:
corgea deps scan --format human
corgea deps scan --format json
corgea deps scan --format quiet --fail-on high
corgea deps scan --out-format sarif --out-file deps.sarif
corgea deps graph --format json
corgea deps explain lodash --format human
corgea deps diff --base origin/main --format json
corgea deps sbom --format cyclonedx --out bom.json
corgea deps policy init --exist-ok
Use --format human, agent, json, or quiet to control terminal output for scan, graph, explain, diff, and policy init. In detected agent environments, corgea deps defaults to the compact agent format; pass --format human to force normal terminal output. For corgea deps scan, use --out-format table, json, or sarif with optional --out-file when exporting a report. Do not combine --format and --out-format on the same deps scan command.

Policy

Initialize .corgea/deps.yml:
corgea deps policy init
The generated policy controls whether lockfiles are required, missing or stale lockfiles fail, and direct dependencies using wildcards, latest, or semver ranges are reported.
dependency_policy:
  require_lockfile: true
  fail_on_missing_lockfile: true
  fail_on_stale_lockfile: true
  direct_dependencies:
    fail_on_wildcard: true
    fail_on_latest: true
    warn_on_semver_range: true

CI Integration

Copy this workflow into .github/workflows/dependencies.yml.
name: Dependency inventory
on:
  pull_request:
  push:
    branches: [main]

jobs:
  corgea-deps:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm install -g @corgea/cli
      - name: Check dependency policy
        run: corgea deps scan --format quiet --fail-on high
To fail only when a pull request adds new high-severity dependency findings:
corgea deps diff --base origin/main --fail-on-new high --format quiet

Reference

Commands

CommandPurposeKey flags
corgea deps scan [PATH]Scan manifests and lockfiles, build inventory, evaluate policy--fail-on, --format, --out-format, --out-file
corgea deps graph [PATH]Print the dependency graph--format
corgea deps explain <PACKAGE> [PATH]Explain why a package is present--format
corgea deps diff --base <BASE> [PATH]Compare dependency graph against a git ref--base, --fail-on-new, --format
corgea deps sbom [PATH]Generate a CycloneDX SBOM--format, --out
corgea deps policy init [PATH]Write a starter .corgea/deps.yml policy file--exist-ok, --format

Formats

FlagValuesCommands
--formathuman, agent, json, quietscan, graph, explain, diff, policy init
--out-formattable, json, sarifscan only
--formatcyclonedxsbom only

Exit Codes

ExitCondition
0Command completed without a failing policy threshold
1deps scan --fail-on or deps diff --fail-on-new found matching findings
2Invalid arguments, unsupported formats, bad severity values, missing packages for explain, or other command errors

Severity Values

--fail-on and --fail-on-new accept info, low, medium, high, or critical.

Troubleshooting

Format Conflict

deps scan rejects commands that combine --format with --out-format.
deps failed: --format cannot be used with --out-format; choose one output selector
Use --format for terminal rendering and --out-format for exported scan reports.

Package Not Found

deps explain exits with code 2 when the package is not present in the scanned dependency graph.
deps failed: package not found: package-name