{"id":50148647,"url":"https://github.com/nevin100/dep-inspector-cli","last_synced_at":"2026-05-24T07:02:30.591Z","repository":{"id":351596321,"uuid":"1211681722","full_name":"Nevin100/Dep-inspector-cli","owner":"Nevin100","description":"Advanced CLI tool to analyze your Node.js project dependencies — with vulnerability scanning, outdated version detection, dependency chain tracing, and optional AI-powered insights via Groq.","archived":false,"fork":false,"pushed_at":"2026-05-22T18:49:45.000Z","size":55,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"Main","last_synced_at":"2026-05-22T21:57:45.807Z","etag":null,"topics":["chalk","commander","groq-sdk","npm","npm-package","ora","semver","treeify","typescript"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/dep-inspector-cli","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Nevin100.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-15T16:32:46.000Z","updated_at":"2026-05-22T19:14:12.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Nevin100/Dep-inspector-cli","commit_stats":null,"previous_names":["nevin100/dep-inspector-nevin","nevin100/dep-inspector-cli"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/Nevin100/Dep-inspector-cli","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Nevin100%2FDep-ins
pector-cli","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Nevin100%2FDep-inspector-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Nevin100%2FDep-inspector-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Nevin100%2FDep-inspector-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Nevin100","download_url":"https://codeload.github.com/Nevin100/Dep-inspector-cli/tar.gz/refs/heads/Main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Nevin100%2FDep-inspector-cli/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33424573,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T22:14:44.296Z","status":"online","status_checked_at":"2026-05-24T02:00:06.296Z","response_time":57,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chalk","commander","groq-sdk","npm","npm-package","ora","semver","treeify","typescript"],"created_at":"2026-05-24T07:02:28.186Z","updated_at":"2026-05-24T07:02:30.586Z","avatar_url":"https://github.com/Nevin100.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# dep-inspector-cli\n\n\u003e DevOps-grade dependency, security \u0026 infrastructure scanner for Node.js projects.\n\n[![npm 
version](https://img.shields.io/npm/v/dep-inspector-cli)](https://www.npmjs.com/package/dep-inspector-cli)\n[![npm downloads](https://img.shields.io/npm/dw/dep-inspector-cli)](https://www.npmjs.com/package/dep-inspector-cli)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![TypeScript](https://img.shields.io/badge/TypeScript-5.x-blue)](https://www.typescriptlang.org/)\n[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/Nevin100/Dep-inspector-nevin/pulls)\n\n---\n\n## What's new in v2\n\nVersion 2 transforms `dep-inspector` from a dependency analyzer into a full **DevOps security toolkit** — covering secrets, Docker, CI/CD pipelines, ports, and logging. All features work **without any API key**. AI insights are optional.\n\n---\n\n## Features\n\n| Command | What it does |\n|---|---|\n| `dep-inspector` | Dependency tree + vulnerability scan (v1) |\n| `scan:secrets` | Detect hardcoded API keys, .env leaks, private keys |\n| `scan:vulns` | npm audit wrapper with severity thresholds |\n| `scan:docker` | Dockerfile \u0026 docker-compose security analysis |\n| `scan:ci` | GitHub Actions workflow linting |\n| `scan:ports` | Open port detection \u0026 process monitoring |\n| `scan:logs` | Winston/Morgan/Pino logger health check |\n| `scan:all` | Run everything, generate a full report |\n\n---\n\n## Installation\n\n```bash\nnpm install -g dep-inspector-cli\n```\n\n---\n\n## Usage\n\n### Dependency Analysis (v1)\n\n```bash\ndep-inspector                   # Full analysis\ndep-inspector analyze           # Same, explicit subcommand\ndep-inspector --depth 3         # Limit tree depth\ndep-inspector --json            # Machine-readable output\ndep-inspector --ai              # AI-powered insights (optional, needs GROQ_API_KEY)\n```\n\n### Security Scans (v2)\n\n```bash\ndep-inspector scan:secrets               # Scan current directory\ndep-inspector scan:secrets --dir ./src  
 # Scan specific directory\ndep-inspector scan:secrets --ai          # With AI explanations (optional)\n\ndep-inspector scan:docker                # Analyze Dockerfile\ndep-inspector scan:docker --file ./docker/Dockerfile\n\ndep-inspector scan:ci                    # Lint GitHub Actions workflows\ndep-inspector scan:ci --dir .github/workflows\n\ndep-inspector scan:ports                 # Check open ports\n\ndep-inspector scan:logs                  # Logger health check\n\ndep-inspector scan:all                   # Full DevOps scan\ndep-inspector scan:all --report          # + saves HTML report\ndep-inspector scan:all --json            # + JSON output\ndep-inspector scan:all --ai              # + AI summary (optional)\n```\n\n---\n\n## What gets detected\n\n### `scan:secrets`\n- AWS Access Keys \u0026 Secret Keys\n- OpenAI, Groq, GitHub tokens\n- Hardcoded JWT secrets\n- MongoDB / PostgreSQL connection strings\n- Stripe \u0026 Razorpay live keys\n- Generic `password=` / `secret=` assignments\n- Accidentally committed `.env` files\n\n### `scan:docker`\n- Container running as root (no `USER` directive)\n- Missing `HEALTHCHECK`\n- `:latest` tag usage (non-reproducible builds)\n- Secrets hardcoded in `ENV`/`ARG`\n- Missing `.dockerignore`\n- `npm install` without `--omit=dev` in production\n- Single-stage builds (image size warning)\n\n### `scan:ci`\n- Hardcoded secrets in workflow YAML\n- Deprecated `::set-output` command\n- `pull_request_target` combined with `actions/checkout` (the job runs with the base repository's secrets and a write-capable token, so checking out and building untrusted PR code there is a privilege escalation risk)\n- Actions referenced by a moving ref such as `@main` / `@latest` instead of a version tag (a full commit SHA is the stronger pin, since tags can be moved)\n- Missing dependency cache\n- No `timeout-minutes` (stuck jobs)\n\n### `scan:ports`\n- Lists all open/listening ports\n- Flags database ports (Redis, MongoDB, PostgreSQL, MySQL) that are publicly exposed\n- Flags FTP, Telnet, and other insecure services\n\n### `scan:logs`\n- Detects missing logger (console.log in production)\n- Checks for `winston-daily-rotate-file` (log rotation)\n- Validates `LOG_LEVEL` environment 
variable\n\n---\n\n## Output\n\nAll commands support `--json` for machine-readable output:\n\n```bash\ndep-inspector scan:secrets --json \u003e secrets-report.json\ndep-inspector scan:all --json \u003e full-report.json\n```\n\nSeverity levels: `HIGH` · `MEDIUM` · `LOW`\n\n---\n\n## AI Setup (optional)\n\nThe `--ai` flag sends the scan findings to a Groq-hosted LLM for human-readable explanations and fix suggestions. It is **completely optional** — every scan works without it. Because the findings are what gets transmitted, review the `--json` output before enabling `--ai` on a repository that contains live credentials.\n\n```bash\n# Set once in your shell profile, or in a .env file that is excluded from version control\nexport GROQ_API_KEY=your_key_here\n\ndep-inspector scan:secrets --ai\ndep-inspector scan:all --ai\n```\n\nGet a free key at [console.groq.com](https://console.groq.com). If the key is missing, the tool runs normally and skips AI output with a note.\n\n---\n\n## CI/CD Integration\n\n```yaml\n# .github/workflows/security.yml\nname: Security Scan\n\non: [push, pull_request]\n\njobs:\n  dep-inspector:\n    runs-on: ubuntu-latest\n    # Least privilege: the scans only read the checkout\n    permissions:\n      contents: read\n    steps:\n      - uses: actions/checkout@v4\n\n      - name: Install dep-inspector\n        run: npm install -g dep-inspector-cli\n\n      - name: Scan secrets\n        run: dep-inspector scan:secrets --json \u003e secrets.json\n\n      - name: Scan dependencies\n        run: dep-inspector --json \u003e deps.json\n\n      - name: Lint CI workflows\n        run: dep-inspector scan:ci\n\n      - name: Upload reports\n        uses: actions/upload-artifact@v4\n        with:\n          name: dep-inspector-reports\n          path: \"*.json\"\n```\n\n**Fail build on HIGH severity secrets:**\n\n```bash\ndep-inspector scan:secrets --json | node -e \"\n  let d = '';\n  process.stdin.on('data', c =\u003e d += c);\n  process.stdin.on('end', () =\u003e {\n    const { findings } = JSON.parse(d);\n    const high = findings.filter(f =\u003e f.severity === 'HIGH').length;\n    if (high \u003e 0) { console.error(high + ' HIGH severity secrets found. 
Failing build.'); process.exit(1); }\n    console.log('No HIGH severity secrets found.');\n  });\n\"\n```\n\n---\n\n## Project Structure\n\n```\ndep-inspector/\n├── src/\n│   ├── index.ts                   # CLI entry — all commands registered here\n│   ├── commands/\n│   │   ├── analyze.ts             # v1 dependency analysis\n│   │   ├── scan-secrets.ts        # secrets \u0026 key scanner\n│   │   ├── scan-docker.ts         # Dockerfile analysis\n│   │   ├── scan-ci.ts             # GitHub Actions linter\n│   │   ├── scan-ports.ts          # port monitor\n│   │   ├── scan-logs.ts           # logger health check\n│   │   └── scan-all.ts            # full scan orchestrator\n│   └── utils/\n│       ├── ai.ts                  # optional Groq integration\n│       ├── audit.ts               # npm audit wrapper\n│       ├── deps.ts                # npm ls wrapper\n│       ├── tree.ts                # tree printer\n│       └── version.ts             # semver comparison\n├── package.json\n└── tsconfig.json\n```\n\n---\n\n## Requirements\n\n- Node.js \u003e= 16\n- npm in PATH\n- `GROQ_API_KEY` — only needed for `--ai` flag\n\n---\n\n## Tech Stack\n\n- **TypeScript** — fully typed\n- **Commander.js** — CLI argument parsing\n- **Chalk** — colored output\n- **Ora** — terminal spinners\n- **Groq SDK** — optional AI layer (direct, no LangChain dependency)\n- **Semver** — version comparison\n\n---\n\n## Roadmap\n\n- [ ] `scan:secrets` — `.git` history scanning (catch keys that were deleted but committed)\n- [ ] `scan:docker` — docker-compose multi-service analysis\n- [ ] `--report` — full HTML report with charts\n- [ ] Slack / Discord webhook alerts\n- [ ] GitHub App integration (PR comments)\n- [ ] Custom rule config via `.depinspectorrc`\n\n---\n\n## Contributing\n\n```bash\ngit clone https://github.com/Nevin100/Dep-inspector-cli\ncd Dep-inspector-cli\nnpm install\nnpm run build\n```\n\nPull requests welcome. 
For major changes, open an issue first.\n\n---\n\n## License\n\nMIT © [Nevin Bali](https://github.com/Nevin100)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnevin100%2Fdep-inspector-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnevin100%2Fdep-inspector-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnevin100%2Fdep-inspector-cli/lists"}