{"id":49242350,"url":"https://github.com/owasp/cve-lite-cli","last_synced_at":"2026-05-13T02:04:37.427Z","repository":{"id":347467621,"uuid":"1194046227","full_name":"OWASP/cve-lite-cli","owner":"OWASP","description":"Fast, developer-friendly JS/TS dependency vulnerability scanner with local lockfile scanning, OSV matching, direct vs transitive visibility, --fix, JSON output, and practical remediation guidance.","archived":false,"fork":false,"pushed_at":"2026-05-06T22:14:39.000Z","size":17952,"stargazers_count":146,"open_issues_count":14,"forks_count":16,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-05-06T22:36:50.190Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://owasp.org/cve-lite-cli/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OWASP.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"docs/roadmap.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["sonukapoor"]}},"created_at":"2026-03-27T21:27:59.000Z","updated_at":"2026-05-06T22:14:40.000Z","dependencies_parsed_at":null,"dependency_job_id":"4aed0537-9fe0-4137-85a1-7d41e89b0578","html_url":"https://github.com/OWASP/cve-lite-cli","commit_stats":null,"previous_names":["sonukapoor/cve-lite-cli"],"tags_count":30,"template":false,"template_full_name":null,"purl":"pkg:github/OWASP/cve-lite-cli","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Fcve-lite-cli","tags_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/repositories/OWASP%2Fcve-lite-cli/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Fcve-lite-cli/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Fcve-lite-cli/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OWASP","download_url":"https://codeload.github.com/OWASP/cve-lite-cli/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OWASP%2Fcve-lite-cli/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32964445,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-12T23:30:32.555Z","status":"online","status_checked_at":"2026-05-13T02:00:07.132Z","response_time":115,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-04-24T20:07:46.084Z","updated_at":"2026-05-13T02:04:37.420Z","avatar_url":"https://github.com/OWASP.png","language":"TypeScript","funding_links":["https://github.com/sponsors/sonukapoor"],"categories":[],"sub_categories":[],"readme":"\n[![OWASP Incubator Project](https://img.shields.io/badge/OWASP-Incubator%20Project-48A646?logo=owasp)](https://owasp.org/cve-lite-cli)\n[![npm version](https://img.shields.io/npm/v/cve-lite-cli)](https://www.npmjs.com/package/cve-lite-cli)\n[![npm 
downloads](https://img.shields.io/npm/dm/cve-lite-cli)](https://www.npmjs.com/package/cve-lite-cli)\n[![CI](https://img.shields.io/github/actions/workflow/status/OWASP/cve-lite-cli/ci.yml?branch=main)](https://github.com/OWASP/cve-lite-cli/actions)\n[![GitHub Marketplace](https://img.shields.io/badge/GitHub%20Marketplace-CVE%20Lite%20CLI-blue)](https://github.com/marketplace/actions/cve-lite-cli)\n[![License](https://img.shields.io/github/license/OWASP/cve-lite-cli)](https://github.com/OWASP/cve-lite-cli/blob/main/LICENSE)\n[![Protected by CVE Lite CLI](https://img.shields.io/badge/Protected_by-CVE_Lite_CLI-brightgreen)](https://github.com/OWASP/cve-lite-cli)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12731/badge)](https://www.bestpractices.dev/projects/12731)\n\n\u003cdiv align=\"center\"\u003e\n  \u003ca href=\"https://owasp.org/cve-lite-cli\"\u003e\n    \u003cimg src=\"https://raw.githubusercontent.com/OWASP/cve-lite-cli/main/assets/logos-combined.svg\" alt=\"CVE Lite CLI — An OWASP Foundation Project\" width=\"500\"/\u003e\n  \u003c/a\u003e\n\n  \u003ch1\u003eCVE Lite CLI\u003c/h1\u003e\n\n  **🏆 Officially recognized as an [OWASP Incubator Project](https://owasp.org/cve-lite-cli)**\n\n  \u003cp\u003eVulnerability scanning that belongs in your terminal — not your CI pipeline.\u003cbr/\u003eScan your lockfile, get copy-and-run fix commands, and ship clean code.\u003c/p\u003e\n\n  \u003cstrong\u003eScan. Understand. 
Fix.\u003c/strong\u003e\n\n  \u003cbr/\u003e\n\n  \u003ctable\u003e\n    \u003ctr\u003e\n      \u003ctd align=\"center\" width=\"33%\"\u003e\u003cp\u003e🆓\u003c/p\u003e\u003cstrong\u003eFree to use\u003c/strong\u003e\u003cbr/\u003e\u003csub\u003eNo account, no subscription,\u003cbr/\u003eno cloud required\u003c/sub\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" width=\"33%\"\u003e\u003cp\u003e🏠\u003c/p\u003e\u003cstrong\u003eRuns locally\u003c/strong\u003e\u003cbr/\u003e\u003csub\u003eScans your lockfile on your machine.\u003cbr/\u003eNothing leaves your environment\u003c/sub\u003e\u003c/td\u003e\n      \u003ctd align=\"center\" width=\"33%\"\u003e\u003cp\u003e⚡\u003c/p\u003e\u003cstrong\u003eFast\u003c/strong\u003e\u003cbr/\u003e\u003csub\u003eResults in seconds. Local cache keeps\u003cbr/\u003erescans near-instant\u003c/sub\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n  \u003c/table\u003e\n\n  \u003cbr/\u003e\n\n  \u003cp\u003e\n    \u003ca href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e •\n    \u003ca href=\"#usage\"\u003eUsage\u003c/a\u003e •\n    \u003ca href=\"#what-it-looks-like\"\u003eScreenshots\u003c/a\u003e •\n    \u003ca href=\"https://owasp.org/cve-lite-cli/docs/html-report\"\u003eHTML Report\u003c/a\u003e •\n    \u003ca href=\"https://owasp.org/cve-lite-cli/docs/comparison\"\u003eCompare\u003c/a\u003e •\n    \u003ca href=\"https://owasp.org/cve-lite-cli/docs/roadmap\"\u003eRoadmap\u003c/a\u003e •\n    \u003ca href=\"https://github.com/OWASP/cve-lite-cli/blob/main/src/docs/CONTRIBUTING.md\"\u003eContributing\u003c/a\u003e  •\n    \u003ca href=\"https://owasp.org/slack/invite\"\u003eJoin Slack\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/div\u003e\n\n---\n\n## The problem with how security scanning works today\n\nMost security tooling is designed around pipelines, not people.\n\nDependabot files PRs you'll get to eventually. CI scanners block merges hours after the fact. 
Security dashboards surface a list of CVE IDs with no clear path to resolving them. By the time a developer is looking at a scan result, the code has already been reviewed and is waiting to ship.\n\nThe feedback loop is too slow to be useful, and too noisy to be trusted. Developers learn to ignore it.\n\nThere is also a more fundamental problem: these tools tell you what is vulnerable. Very few tell you what to actually do about it. The result is a gap between detection and remediation that security teams paper over with manual triage, and developers experience as alert fatigue.\n\n## A different model\n\nCVE Lite CLI is built around a different idea: **vulnerability scanning belongs at the developer's terminal, not at the end of a pipeline.**\n\nIt reads your lockfile locally, queries [OSV](https://osv.dev) for advisory data, and produces a concrete remediation plan — not a list of identifiers. You get copy-and-run `npm install`, `pnpm add`, `yarn add`, or `bun add` commands scoped to your package manager. You see exactly which packages are directly installed versus pulled in transitively. You can scan with no internet connection in restricted-network environments.\n\nThe tool is designed for the moment right before you push: fast, honest, and actionable.\n\n## Quick start\n\n```bash\nnpm install -g cve-lite-cli\ncve-lite /path/to/project\n```\n\nOr one-off with `npx`:\n\n```bash\nnpx cve-lite-cli /path/to/project\n```\n\nNo account. No configuration. 
No source code leaves your machine.\n\n## What it does\n\n- **Produces copy-and-run fix commands** — every finding comes with a package-manager-aware install command you can run immediately\n- **Distinguishes direct from transitive risk** — shows whether the vulnerability is in something you installed or buried three levels deep in a dependency chain\n- **Explains parent update paths** — for transitive npm findings, recommends `npm update \u003cparent\u003e` when the current parent range can resolve a known non-vulnerable child, or a parent upgrade when the range itself must change\n- **Usage-aware reachability** — optionally uses static analysis to detect whether vulnerable packages are actually imported in your code, cutting noise with `--usage` and `--only-used`\n- **Offline advisory DB** — sync advisory data ahead of time and scan with zero runtime API calls, designed for enterprise and air-gapped environments\n- **Interactive HTML report** — generate a self-contained dashboard with severity cards, a searchable findings table, and copy-ready fix commands (`--report`)\n- **Auto-fix mode** — apply validated direct dependency fixes and rescan automatically (`--fix`)\n- **CI-ready** — `--fail-on high` exits non-zero on findings at or above a severity threshold; a first-party [GitHub Action](https://github.com/marketplace/actions/cve-lite-cli) is available on the Marketplace\n- **Minimal footprint** — four runtime dependencies, intentionally kept small for a security tool\n\n## What it looks like\n\n\u003ctable\u003e\n  \u003ctr\u003e\n    \u003cth align=\"center\"\u003eTerminal output\u003c/th\u003e\n    \u003cth align=\"center\"\u003eHTML dashboard (\u003ccode\u003e--report\u003c/code\u003e)\u003c/th\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd align=\"center\"\u003e\n      \u003ca href=\"https://raw.githubusercontent.com/OWASP/cve-lite-cli/main/assets/default-output.png\"\u003e\n        \u003cimg 
src=\"https://raw.githubusercontent.com/OWASP/cve-lite-cli/main/assets/default-output.png\" alt=\"CVE Lite CLI terminal output\" width=\"440\"/\u003e\n      \u003c/a\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\n      \u003ca href=\"https://raw.githubusercontent.com/OWASP/cve-lite-cli/main/assets/html-report-dashboard.png\"\u003e\n        \u003cimg src=\"https://raw.githubusercontent.com/OWASP/cve-lite-cli/main/assets/html-report-dashboard.png\" alt=\"CVE Lite CLI HTML dashboard\" width=\"440\"/\u003e\n      \u003c/a\u003e\n    \u003c/td\u003e\n  \u003c/tr\u003e\n  \u003ctr\u003e\n    \u003ctd align=\"center\"\u003e\u003csub\u003eDefault scan output · \u003ca href=\"https://owasp.org/cve-lite-cli/docs/reading-output\"\u003eoutput guide\u003c/a\u003e\u003c/sub\u003e\u003c/td\u003e\n    \u003ctd align=\"center\"\u003e\u003csub\u003eGenerated with \u003ccode\u003e--report\u003c/code\u003e · \u003ca href=\"https://owasp.org/cve-lite-cli/docs/html-report\"\u003eHTML report guide\u003c/a\u003e\u003c/sub\u003e\u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eVerbose terminal output — includes the full fix plan\u003c/summary\u003e\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://raw.githubusercontent.com/OWASP/cve-lite-cli/main/assets/verbose-output-1.png\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/OWASP/cve-lite-cli/main/assets/verbose-output-1.png\" alt=\"Verbose output part 1\" width=\"280\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://raw.githubusercontent.com/OWASP/cve-lite-cli/main/assets/verbose-output-2.png\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/OWASP/cve-lite-cli/main/assets/verbose-output-2.png\" alt=\"Verbose output part 2\" width=\"280\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://raw.githubusercontent.com/OWASP/cve-lite-cli/main/assets/verbose-output-3.png\"\u003e\u003cimg 
src=\"https://raw.githubusercontent.com/OWASP/cve-lite-cli/main/assets/verbose-output-3.png\" alt=\"Verbose output part 3\" width=\"280\"/\u003e\u003c/a\u003e\n\u003c/p\u003e\n\u003c/details\u003e\n\n## Workflow integration\n\nCVE Lite CLI fits at every stage of the development workflow, not just CI.\n\n**Local development** — run a scan before opening a PR. The default output is fast and minimal. `--verbose` adds the full fix plan with dependency paths and prioritized remediation commands. `--report` opens an interactive HTML dashboard.\n\n**CI pipelines** — use `--fail-on high` to gate builds on severity. JSON output (`--json`) integrates with SIEM, dashboards, and custom automation. SARIF output (`--sarif`) writes a SARIF 2.1.0 file for direct integration with GitHub Code Scanning and other SARIF-compatible tools.\n\n**Restricted and enterprise environments** — sync the advisory database ahead of time with `cve-lite advisories sync`, then scan offline with `--offline`. No runtime outbound calls during the scan. Syncing ~217,065 advisory records completes in under 9 seconds.\n\n**GitHub Actions** — a first-party action is available on the Marketplace:\n\n```yaml\n- uses: OWASP/cve-lite-cli@v1\n  with:\n    verbose: \"true\"\n    fail-on: high\n```\n\nCVE Lite CLI scans its own dependencies in CI. 
See [`self-scan.yml`](https://github.com/OWASP/cve-lite-cli/blob/main/.github/workflows/self-scan.yml).\n\nFor full CI patterns including offline workflows, git hooks, and scripted automation, see the [CI and Workflow Integration guide](https://owasp.org/cve-lite-cli/docs/ci-integration).\n\n## How it compares\n\n| Capability | CVE Lite CLI | npm audit | OSV-Scanner | Snyk CLI | Socket CLI |\n|---|:---:|:---:|:---:|:---:|:---:|\n| JS/TS lockfile scanning | ✅ | ✅ | ✅ | ✅ | ✅ |\n| npm + pnpm + Yarn + Bun support | ✅ | ❌ | ✅ | ✅ | ✅ |\n| No account required | ✅ | ✅ | ✅ | ❌ | ❌ |\n| Free to use | ✅ | ✅ | ✅ | ❌ | ❌ |\n| Usage-aware reachability scanning | ✅ | ❌ | ❌ | ✅ | ⚠️ |\n| Direct vs transitive visibility | ✅ | ⚠️ | ✅ | ✅ | ✅ |\n| Copy-and-run fix commands | ✅ | ❌ | ❌ | ✅ | ⚠️ |\n| Transitive parent update guidance | ✅ | ❌ | ⚠️ | ⚠️ | ⚠️ |\n| Suggested remediation plan | ✅ | ❌ | ⚠️ | ✅ | ⚠️ |\n| JSON output | ✅ | ✅ | ✅ | ✅ | ✅ |\n| Offline/local advisory DB | ✅ | ❌ | ⚠️ | ❌ | ❌ |\n\n\u003csub\u003e✅ = built-in strength · ⚠️ = partial or workflow-dependent · ❌ = not a core strength\u003c/sub\u003e\n\nThe transitive parent guidance is a key difference: CVE Lite CLI avoids recommending direct installs for packages that are only present transitively. 
For npm lockfiles, it can identify when `npm update \u003cparent\u003e` is enough to re-resolve a known non-vulnerable child within the current parent range, and when the parent package itself needs an upgrade.\n\nFor detailed per-tool analysis, see [Comparison with other tools](https://owasp.org/cve-lite-cli/docs/comparison).\n\n## Real-world validation\n\nCVE Lite CLI has been evaluated against real open-source projects to verify that it surfaces meaningful issues — including non-obvious transitive vulnerabilities and complex upgrade paths — not just low-signal advisory matches.\n\n- [OWASP Juice Shop](https://owasp.org/cve-lite-cli/docs/case-studies/owasp-juice-shop) — scanning a deliberately vulnerable application with known dependency issues\n- [NestJS](https://owasp.org/cve-lite-cli/docs/case-studies/nestjs) — working through a real transitive dependency remediation sequence across a widely-used Node.js framework\n- [Analog](https://owasp.org/cve-lite-cli/docs/case-studies/analog) — scanning a modern pnpm v9 Angular monorepo (3,367 packages) with unexpected toolchain vulnerabilities\n\nThese are not demos. They are documented scans against real codebases with real findings, recorded before and after applying fix commands.\n\nIf you maintain an open-source JavaScript or TypeScript project and want CVE Lite CLI evaluated on it, open an issue and share the repository. Strong candidates may be turned into future public case studies.\n\n## Recognized by OWASP\n\nCVE Lite CLI is an [OWASP Incubator Project](https://owasp.org/cve-lite-cli), peer-reviewed and maintained under the Open Web Application Security Project Foundation. 
Being part of OWASP means:\n\n- **Peer-reviewed** by security professionals\n- **Community-driven** development and governance\n- **Vendor-neutral** with no commercial platform required\n- **Open source** with transparent security practices and a minimal dependency footprint\n\n**Where it fits in the OWASP ecosystem:**\n\nCVE Lite CLI fills a specific gap — fast, local-first JS/TS dependency scanning close to release time — that broader OWASP tools are not optimized for:\n\n| Tool | Focus |\n|---|---|\n| CVE Lite CLI | Lockfile-first, local developer CLI, remediation-focused, JS/TS |\n| OWASP Dependency-Check | Multi-language, SAST-style, broader ecosystem |\n| OWASP dep-scan | Multi-language and environment, SBOM and cloud-native |\n| OWASP Dependency-Track | Platform and SBOM management, not a local CLI |\n\nCVE Lite CLI complements these tools. It is not a replacement for continuous monitoring or full SBOM management — it is the fast local check you run before pushing.\n\n## Philosophy\n\nSecurity tooling has optimized heavily for breadth of detection and compliance reporting. That is useful at the platform level. It is the wrong model for the individual developer trying to ship clean code before end of day.\n\nDetection without remediation creates work without resolution. A vulnerability report that ends with a list of CVE IDs shifts the burden entirely onto the developer: look up each advisory, figure out which version is safe, work out whether it is a direct or transitive dependency, and construct the right install command by hand. That friction is why security findings go unresolved.\n\nCVE Lite CLI is built on the premise that **the closer a security tool is to the developer's natural workflow, the more likely it is to be used** — and that a tool that surfaces a problem alongside the fix is more valuable than one that only surfaces the problem.\n\n## What's next\n\nThe CLI is the foundation. 
The model — local-first, actionable, developer-native — extends naturally beyond the terminal.\n\nJSON and SARIF outputs make findings consumable by editors, dashboards, and automated workflows today. The next phase of the project is oriented around tighter developer integration: surfacing vulnerabilities at the point of dependency installation, not just at scan time; deeper IDE integration; and team-level visibility without requiring a cloud platform.\n\nSee the [Roadmap](https://owasp.org/cve-lite-cli/docs/roadmap) for the current plan.\n\n## Usage\n\n```bash\n# Basic scan\ncve-lite /path/to/project\n\n# Show all findings\ncve-lite /path/to/project --all\n\n# Focus on urgent findings only\ncve-lite /path/to/project --min-severity high\n\n# Full output: fix plan, paths, and complete table\ncve-lite /path/to/project --verbose\n\n# Apply validated direct dependency fixes and rescan\ncve-lite /path/to/project --fix\n\n# Production dependencies only (where supported by the lockfile)\ncve-lite /path/to/project --prod-only\n\n# Fail a build on high severity and above\ncve-lite /path/to/project --fail-on high\n\n# JSON output\ncve-lite /path/to/project --json\n\n# SARIF output for GitHub Code Scanning and other SARIF-compatible tools\ncve-lite /path/to/project --sarif\n\n# Generate an HTML vulnerability dashboard (opens in browser automatically)\ncve-lite /path/to/project --report\ncve-lite /path/to/project --report ./my-report --no-open\n\n# Scan project source files to check if vulnerable dependencies are actually imported\ncve-lite /path/to/project --usage\n\n# Filter out noise by only showing vulnerabilities in packages that are imported in your source code\ncve-lite /path/to/project --usage --only-used\n\n# Sync the local advisory DB for offline scans\ncve-lite advisories sync\n\n# Scan with zero runtime advisory API calls\ncve-lite /path/to/project --offline\n\n# Use a specific local advisory DB file\ncve-lite /path/to/project --offline-db 
/path/to/advisories.db\n\n# Use a custom advisory endpoint\ncve-lite /path/to/project --osv-url https://security.company.internal/osv\n\n# Show version\ncve-lite --version\n\n# Install AI assistant skill files for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot\ncve-lite install-skill\n```\n\n### Why is `--usage` an opt-in flag?\n\nCVE Lite CLI is designed to be fast. Scanning a lockfile is nearly instantaneous, whereas running static reachability analysis across thousands of source files takes significantly more time. Static analysis can also produce false negatives when packages are used in build scripts or dynamically imported at runtime. Making `--usage` opt-in ensures the default lockfile scan remains instant and strictly reflects your dependency graph, while giving you the option to aggressively filter out unreachable noise when triaging findings.\n\n## Auto-fix mode (`--fix`)\n\n`--fix` applies validated direct dependency fixes using your project's package manager, then rescans automatically.\n\nIn the current version it:\n- applies only direct dependency fixes with a validated lowest known non-vulnerable target\n- uses `npm install`, `pnpm add`, `yarn add`, or `bun add` based on your lockfile\n- rescans automatically after applying fixes\n- does **not** auto-apply transitive overrides or guarantee application compatibility\n\n```bash\nnpx cve-lite-cli /path/to/project --fix\n```\n\nSee the [Fix mode guide](https://owasp.org/cve-lite-cli/docs/fix-mode) for output details and interpretation.\n\nFor a deeper explanation of how the CLI chooses direct upgrades, parent upgrades, and npm `update` recommendations for transitive findings, see the [Remediation Strategy guide](https://owasp.org/cve-lite-cli/docs/remediation-strategy).\n\n## AI assistant integration (`install-skill`)\n\nCVE Lite CLI can teach your AI coding assistant how to analyze scan results and produce a prioritized remediation plan. 
Run this once in your project root:\n\n```bash\ncve-lite install-skill\n```\n\nThis writes skill files for Claude Code, Codex CLI, Gemini CLI, Cursor, and GitHub Copilot into the current directory. Commit them so every developer on your team gets the context automatically.\n\nOnce installed, the workflow is:\n\n```bash\n# 1. Scan and save results to a JSON file\ncve-lite . --json\n\n# 2. Ask your AI assistant to analyze findings\n# In Claude Code: /cve-lite\n# In other tools: the skill is picked up automatically\n```\n\nThe AI assistant reads the JSON output, prioritizes findings by severity and relationship, checks whether vulnerable packages are actually imported in your source code, and produces a concrete remediation plan with the exact commands to run.\n\nSee the [AI Assistant Integration guide](https://owasp.org/cve-lite-cli/docs/ai-assistant-integration) for the full workflow and what the skill teaches the assistant.\n\n## HTML vulnerability report (`--report`)\n\nGenerate a self-contained HTML dashboard from any scan — severity cards, an interactive findings table with search, copy-ready fix commands, and breaking-change indicators on upgrades — all written to a local directory and opened automatically in your browser.\n\n```bash\ncve-lite /path/to/project --report\ncve-lite /path/to/project --report ./my-report --no-open\n```\n\nSee the [HTML Report guide](https://owasp.org/cve-lite-cli/docs/html-report) for the full option reference and output details.\n\n## Offline support\n\nFor teams in enterprise, restricted-network, or air-gapped environments:\n\n```bash\n# Sync advisory data locally\ncve-lite advisories sync\n\n# Scan with no runtime API calls\ncve-lite . 
--offline\n```\n\nSyncing ~217,065 advisory records runs in under 9 seconds after bulk SQLite ingestion optimizations — roughly **9.9x faster** than the initial implementation.\n\nSee the [Offline Advisory DB guide](https://owasp.org/cve-lite-cli/docs/offline-advisory-db) for the full workflow including CI, scheduled refresh, and controlled-network patterns.\n\n## Who uses it\n\nCVE Lite CLI is a good fit for:\n\n- **Independent developers and OSS maintainers** — quick pre-release check without any platform overhead\n- **Startups and small teams** — lightweight CI gate at no cost\n- **Consultants** — run a scan on a client project in seconds, with a clear fix plan to hand over\n- **Enterprise teams with restricted networks** — offline advisory DB workflow removes the need for runtime outbound calls during scans\n- **Teams running npm, pnpm, Yarn, and Bun** — unified scanning across all four package managers in one tool\n\nSee the [CI and Workflow Integration guide](https://owasp.org/cve-lite-cli/docs/ci-integration) for concrete patterns across these scenarios.\n\n## Current limitations\n\n- does not detect malicious packages before they appear in advisory data\n- does not perform behavioral malware detection or package content analysis\n- does not prove exploitability or verify runtime reachability\n- does not scan container images, binaries, secrets, or IaC\n- does not replace a full application security program\n- currently focused on JS/TS dependency scanning\n- local advisory sync performance will need continued optimization as the advisory dataset grows\n\n## Dependency footprint\n\n**Runtime:** `yaml` · `yarn-lockfile` · `better-sqlite3` · `fflate`\n\n**Dev only:** `@types/node` · `tsx` · `typescript`\n\nThis is intentional. Because CVE Lite CLI is a security-oriented tool, runtime dependencies are kept minimal and reviewable.\n\n## Roadmap\n\nSee the [Roadmap](https://owasp.org/cve-lite-cli/docs/roadmap) for the full plan. Phases 1 and 2 are complete. 
Phase 3 (ecosystem coverage: Bun, Deno, parser improvements) is in progress.\n\n## Troubleshooting\n\nSee the [Troubleshooting guide](https://owasp.org/cve-lite-cli/docs/troubleshooting) for common issues: no lockfile found, zero results, slow advisory sync, offline DB errors, `--fix` skipping findings, and CI failures.\n\n## Parser coverage\n\nSee the [Parser Coverage guide](https://owasp.org/cve-lite-cli/docs/parser-coverage) for supported lockfile formats, selection priority, the `package.json` fallback, and known edge cases including monorepos and private registries.\n\nSee the [Remediation Strategy guide](https://owasp.org/cve-lite-cli/docs/remediation-strategy) for how CVE Lite CLI chooses package upgrade targets and parent update paths.\n\n## Website\n\nThe public documentation site is published at [owasp.org/cve-lite-cli](https://owasp.org/cve-lite-cli/) and is built with Docusaurus from [`website/`](website/). All public guides and case studies live under [`website/docs/`](website/docs/) — that folder is the single source of truth for user-facing documentation.\n\n```bash\ncd website\nnpm install\nnpm run build\n```\n\n## Governance\n\nCVE Lite CLI is an OWASP Incubator Project maintained by Sonu Kapoor as project lead. The project follows a single-maintainer (benevolent dictator) governance model. The project lead makes final decisions on scope, design direction, and releases after considering input from contributors and the wider community.\n\n### Roles\n\n- **Project lead** — currently Sonu Kapoor. Owns the roadmap, sets release cadence, reviews and merges pull requests, and acts as the OWASP project leader for the Foundation.\n- **Contributors** — anyone who opens an issue, proposes a pull request, or improves the documentation. 
No prior commit history is required to contribute, and contributions are welcome from outside OWASP.\n\n### Decision-making\n\n- Significant changes (new features, breaking changes, scope decisions) start as a GitHub issue so the design can be discussed in public before code is written.\n- Pull requests are reviewed by the project lead. Small fixes can land directly. Larger changes may require revision or follow-up issues.\n- Releases are cut by the project lead when accumulated changes warrant a version bump, following the process in [CONTRIBUTING.md](https://github.com/OWASP/cve-lite-cli/blob/main/src/docs/CONTRIBUTING.md).\n\n### Dispute resolution\n\nTechnical disagreements are resolved by the project lead after weighing contributor input. Disputes that relate to community standards or [Code of Conduct](https://github.com/OWASP/cve-lite-cli/blob/main/CODE_OF_CONDUCT.md) enforcement can be escalated to the OWASP Foundation, which acts as a backstop for the project's community norms.\n\nThis governance model may evolve as the contributor base grows. Any change to the model will be documented here and announced via the GitHub repository.\n\n## Security and verification\n\nCVE Lite CLI signs both the source code release and the build artifact for each release. Either signature is sufficient on its own.\n\n**Source code (signed git tags).** Starting with releases after v1.12.1, every release tag is a GPG-signed annotated tag. The project lead's public key is published at [`https://github.com/sonukapoor.gpg`](https://github.com/sonukapoor.gpg). The private key is held only on the project lead's local machine — not on GitHub, not on the npm registry, not in CI. 
Verify with:\n\n```bash\ncurl -sSL https://github.com/sonukapoor.gpg | gpg --import\ngit tag -v vX.Y.Z\n```\n\n**Release tarball (Sigstore Artifact Attestations).** Each GitHub release attaches a `cve-lite-cli-X.Y.Z.tgz` asset signed at build time via [GitHub Artifact Attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds). The signing keys are ephemeral OIDC-issued keys generated per build, providing SLSA Level 2 equivalent build provenance. Verify with:\n\n```bash\ngh attestation verify cve-lite-cli-X.Y.Z.tgz --repo OWASP/cve-lite-cli\n```\n\n**npm-installed package.** The npm registry adds an ECDSA signature to every published package, independent of the project's own signing keys above:\n\n```bash\nnpm audit signatures\n```\n\nFor full verification details, fingerprints, and security issue reports, see [SECURITY.md](https://github.com/OWASP/cve-lite-cli/blob/main/src/docs/SECURITY.md). For the project's threat model, trust boundaries, and how common implementation weaknesses are countered, see the [Security Assurance Case](https://owasp.org/cve-lite-cli/docs/security-assurance-case).\n\n## Contributing\n\nFeedback on output clarity, remediation guidance, ecosystem coverage, and CI usage is especially valuable.\n\nSee [CONTRIBUTING.md](https://github.com/OWASP/cve-lite-cli/blob/main/src/docs/CONTRIBUTING.md) to get started.\n\n## Add a badge to your project\n\nIf you use CVE Lite CLI in your project, add this badge to your README:\n\n```markdown\n[![Protected by CVE Lite CLI](https://img.shields.io/badge/Protected_by-CVE_Lite_CLI-brightgreen)](https://github.com/OWASP/cve-lite-cli)\n```\n\n[![Protected by CVE Lite CLI](https://img.shields.io/badge/Protected_by-CVE_Lite_CLI-brightgreen)](https://github.com/OWASP/cve-lite-cli)\n\n## Community and support\n\nFor bug reports and feature requests: [GitHub Issues](https://github.com/OWASP/cve-lite-cli/issues)\n\nHelpful feedback includes 
reproducible bug reports, real-world lockfile edge cases, ideas for clearer output and remediation guidance, and CI or JSON workflow examples.\n\nFor security-related reporting: [SECURITY.md](https://github.com/OWASP/cve-lite-cli/blob/main/src/docs/SECURITY.md)\n\nThis project follows a [Code of Conduct](https://github.com/OWASP/cve-lite-cli/blob/main/CODE_OF_CONDUCT.md). Please review it before participating.\n\nIf CVE Lite CLI helps your release workflow, a [GitHub star](https://github.com/OWASP/cve-lite-cli) helps more developers find it.\n\n---\n\n*Most tools tell you what's wrong. CVE Lite CLI tells you what to run.*\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fowasp%2Fcve-lite-cli","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fowasp%2Fcve-lite-cli","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fowasp%2Fcve-lite-cli/lists"}