{"id":51200717,"url":"https://github.com/projectdiscovery/depx","last_synced_at":"2026-06-28T00:03:05.379Z","repository":{"id":366013969,"uuid":"1256179015","full_name":"projectdiscovery/depx","owner":"projectdiscovery","description":"Malicious package \u0026 supply-chain intelligence","archived":false,"fork":false,"pushed_at":"2026-06-19T21:02:20.000Z","size":6291,"stargazers_count":74,"open_issues_count":1,"forks_count":8,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-06-19T23:04:14.150Z","etag":null,"topics":["dependency","dependency-analysis","sbom-generator","supply-chain","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://projectdiscovery.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/projectdiscovery.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-06-01T14:33:45.000Z","updated_at":"2026-06-19T21:02:24.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/projectdiscovery/depx","commit_stats":null,"previous_names":["projectdiscovery/depx"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/projectdiscovery/depx","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectdiscovery%2Fdepx","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectdiscovery%2Fdepx/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectdiscovery%2Fdepx/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectdiscovery%2Fdepx/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/projectdiscovery","download_url":"https://codeload.github.com/projectdiscovery/depx/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/projectdiscovery%2Fdepx/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34872286,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-27T02:00:06.362Z","response_time":126,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependency","dependency-analysis","sbom-generator","supply-chain","supply-chain-security"],"created_at":"2026-06-28T00:03:04.643Z","updated_at":"2026-06-28T00:03:05.372Z","avatar_url":"https://github.com/projectdiscovery.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"  \u003ch1 align=\"center\"\u003edepx\u003c/h1\u003e\n\n\u003ch4 align=\"center\"\u003eMalicious package \u0026amp; supply-chain intelligence\u003c/h4\u003e\n\n\u003cp align=\"center\"\u003e\n\u003ca href=\"https://opensource.org/licenses/MIT\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-MIT-_red.svg\"\u003e\u003c/a\u003e\n\u003ca href=\"https://goreportcard.com/report/github.com/projectdiscovery/depx\"\u003e\u003cimg src=\"https://goreportcard.com/badge/github.com/projectdiscovery/depx\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/projectdiscovery/depx/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/release/projectdiscovery/depx\"\u003e\u003c/a\u003e\n\u003ca href=\"https://twitter.com/pdiscoveryio\"\u003e\u003cimg src=\"https://img.shields.io/twitter/follow/pdiscoveryio.svg?logo=twitter\"\u003e\u003c/a\u003e\n\u003ca href=\"https://discord.gg/projectdiscovery\"\u003e\u003cimg src=\"https://img.shields.io/discord/695645237418131507.svg?logo=discord\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#features\"\u003eFeatures\u003c/a\u003e •\n  \u003ca href=\"#installation\"\u003eInstallation\u003c/a\u003e •\n  \u003ca href=\"#usage\"\u003eUsage\u003c/a\u003e •\n  \u003ca href=\"#running-depx\"\u003eRunning depx\u003c/a\u003e •\n  \u003ca href=\"#json-output\"\u003eJSON\u003c/a\u003e •\n  \u003ca href=\"https://discord.gg/projectdiscovery\"\u003eJoin Discord\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/assets/depx-feed-screenshot.png\" alt=\"depx feed: latest malicious packages\" width=\"95%\"\u003e\n\u003c/p\u003e\n\n---\n\n**depx** is a fast, passive supply-chain intelligence CLI. It tells you whether a package is **known malicious** (hijacked publishes, credential stealers, install-script backdoors) by matching against [OpenSSF Malicious Packages](https://github.com/ossf/malicious-packages) data (`MAL-*`, OSV format) and a live intelligence feed curated from [X (Grok API)](https://x.com), refreshed hourly.\n\nIt answers four questions in seconds:\n\n1. **What got compromised recently?** The live feed of newly disclosed malicious packages.\n2. **Is this specific package safe to install?** Check any package before you add it.\n3. **Have I already installed anything malicious on my system?** Audit local lockfiles and SBOMs.\n4. **Do my GitHub organization's projects ship any malicious packages?** Scan whole orgs and repos.\n\n# Features\n\n- **Intelligence dashboard**: default view with activity, ecosystems, impacted namespaces, and disclosure age.\n- **Compromised package feed**: time-ordered cards via `depx feed` (or `--list` for one line per result).\n- **Local dependency audit**: scan lockfiles \u0026 SBOMs against a compiled local index.\n- **GitHub org \u0026 repo audit**: pull dependency-graph SBOM exports and audit at scale.\n- **CI-ready**: stable exit codes, `--require-clean` gate, SARIF export, and a versioned JSON envelope.\n- **Instant package verdicts**: check any `ecosystem:name` ref, bare name, or piped list.\n- **False-positive control**: `--exclude-pkg` file to suppress known-good packages from audit findings.\n- **Fast \u0026 passive**: local cache, background sync; read-only, never touches your apps.\n\n# Installation\n\n```bash\ncurl -sfL https://raw.githubusercontent.com/projectdiscovery/depx/main/scripts/install.sh | sh\n```\n\nDownloads the latest release for your OS/arch (or builds with `go install` as fallback). The script verifies the binary and updates your shell `PATH` when needed.\n\n**From source** (requires **Go 1.25+**):\n\n```bash\ngit clone https://github.com/projectdiscovery/depx.git\ncd depx\nmake build\n./bin/depx --help\n```\n\nOr install with Go directly:\n\n```bash\ngo install github.com/projectdiscovery/depx/cmd/depx@latest\n```\n\nPrebuilt binaries are also on the [GitHub releases](https://github.com/projectdiscovery/depx/releases) page.\n\n# Usage\n\n```bash\ndepx --help\n```\n\nCore commands and flags:\n\n```yaml\nUsage:\n  depx [flags]\n  depx [command]\n\nAvailable Commands:\n  feed        Show recently disclosed malicious packages (cards)\n  audit       Audit dependencies for malicious packages (default: $HOME)\n  github      Audit GitHub repositories via dependency-graph SBOM\n  search      Search known malicious packages by name (local index)\n  id          Lookup advisory by ID\n  version     Show version and check for updates\n  update      Update depx to the latest version\n\nGlobal flags:\n  -j, --json                   Machine-readable JSON output\n  -V, --version                Show version and exit\n  -e, --ecosystem string       Restrict lookup to one ecosystem (npm, PyPI, Go, ...)\n  -v, --verbose                Extra audit/github detail\n      --silent                 Suppress banner and version info\n      --no-color               Disable ANSI colors\n      --config string          Config file path\n      --update                 Update depx to the latest version\n      --disable-update-check   Disable the update check\n\nDefault command (intelligence dashboard):\n      --since string           Feed time window (default \"3d\")\n  -n, --limit int              Dashboard/feed entry cap on default command\n\ndepx feed:\n      --since string           Feed time window (default \"3d\")\n  -n, --limit int              Result limit\n      --list                   One header line per result\n\ndepx search:\n  -n, --limit int              Max results shown (default 25)\n      --list                   One header line per result\n\ndepx audit / depx github:\n      --require-clean          Exit 1 if any malicious package is found\n      --exclude-pkg string     File of ecosystem:package lines to exclude from findings\n  -o, --output string          Write export file(s) to this path or basename\n      --output-format string   Comma-separated export formats: json, csv, txt (default: json)\n      --sarif-export string    Write SARIF 2.1.0 report to this path\n      --sbom-export string     Write audited dependency SBOM (audit only)\n      --sbom-format string     SBOM format: cyclonedx (default) or spdx\n\ndepx github:\n  -n, --limit int              Max repos for org/user targets (default 100 with token, 10 without)\n\ndepx id:\n      --raw                    Raw OSV record only\n```\n\n# Running depx\n\n### 1. Intelligence dashboard (default)\n\n```bash\ndepx                    # dashboard for last 3 days\ndepx --since 7d         # widen the time window\ndepx -e npm             # npm-only dashboard\ndepx feed               # card feed (no dashboard)\ndepx feed --list        # one line per advisory\ndepx -j                 # JSON for dashboards / pipelines\n```\n\n### 2. Audit your dependencies\n\nScans lockfiles and SBOMs against a **local malicious-package index**, instant after the first run. With no path, depx sweeps `$HOME` for projects and global installs.\n\n```bash\ndepx audit              # sweep $HOME for projects + global installs\ndepx audit ./my-app     # a single project tree\ndepx audit ./bom.cdx.json   # a CycloneDX / SPDX file\n```\n\nSupports npm, PyPI, Go, Cargo, RubyGems, Maven/Gradle lockfiles plus CycloneDX / SPDX SBOMs.\n\n**Suppress false positives.** When a package is flagged that you've verified is safe, pass `--exclude-pkg` (on `audit` or `github`) a file of newline-separated `ecosystem:package` entries to drop from findings:\n\n```bash\ndepx audit ./my-app --exclude-pkg .depxignore\ndepx github google --exclude-pkg .depxignore\n```\n\n```text\n# .depxignore: packages to exclude from findings\nnpm:internal-tool\nPyPI:requests\n*:shared-lib        # '*' matches any ecosystem\n```\n\n### 3. Audit GitHub repos \u0026 orgs\n\nUses GitHub's dependency-graph SBOM exports. Set `GITHUB_TOKEN` for private repos and org discovery.\n\n```bash\ndepx github projectdiscovery/depx\ndepx github google\ndepx github\n```\n\nUnauthenticated GitHub access is rate-limited to ~60 requests/hour, so without a token org/user scans default to **10 repos** (vs **100** with a token). Set `GITHUB_TOKEN`, `GH_TOKEN`, or `DEPX_GITHUB_TOKEN` (or raise it explicitly with `-n`) to scan more.\n\n### 4. Check a single package or advisory\n\n```bash\ndepx npm:lodash\ndepx id MAL-2026-4343\ndepx search redhat\n```\n\n### 5. Gate it in CI\n\n`--require-clean` exits non-zero the moment a malicious package is found.\n\n```bash\ndepx audit . --require-clean        # fail the build if anything is malicious\ndepx github google --require-clean -j\n```\n\n| Exit code | Meaning |\n|-----------|---------|\n| `0` | Clean / success |\n| `1` | `--require-clean` and malicious packages found |\n| `2` | Usage error |\n| `3` | Upstream unavailable |\n\n# JSON output\n\nEvery `-j` response uses a stable, versioned envelope so it's safe to build on.\n\n```json\n{\n  \"schema_version\": \"1\",\n  \"command\": \"check\",\n  \"depx_version\": \"v0.1.0\",\n  \"data\": {\n    \"total\": 1,\n    \"results\": [\n      {\n        \"ref\": \"npm:evil-pkg\",\n        \"purl\": \"pkg:npm/evil-pkg\",\n        \"verdict\": \"malicious\",\n        \"confidence\": \"high\",\n        \"ids\": [\"MAL-2026-4343\"],\n        \"package_ecosystem\": \"npm\",\n        \"package_name\": \"evil-pkg\",\n        \"registry_url\": \"https://www.npmjs.com/package/evil-pkg\",\n        \"advisories\": [\n          {\n            \"id\": \"MAL-2026-4343\",\n            \"url\": \"https://github.com/ossf/malicious-packages/blob/main/osv/npm/MAL-2026-4343.json\",\n            \"summary\": \"Malicious code in evil-pkg (npm)\",\n            \"modified_at\": \"2026-06-01T12:00:00Z\",\n            \"published_at\": \"2026-06-01T10:00:00Z\"\n          }\n        ]\n      }\n    ]\n  }\n}\n```\n\nA clean package returns `\"verdict\": \"clean\"`. Bare-name checks may include `checked_ecosystems`, `matched_ecosystems`, and `found_ecosystems` when searching all ecosystems.\n\nSchemas live in [`schema/v1/`](schema/v1/).\n\n# License\n\ndepx is distributed under the [MIT License](LICENSE).\n\n\u003cp align=\"center\"\u003e\n\u003ca href=\"https://discord.gg/projectdiscovery\"\u003eJoin our Discord\u003c/a\u003e • built with ❤️ by the \u003ca href=\"https://projectdiscovery.io\"\u003eProjectDiscovery\u003c/a\u003e team\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprojectdiscovery%2Fdepx","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fprojectdiscovery%2Fdepx","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fprojectdiscovery%2Fdepx/lists"}