Dependency Radar

CI guardrails

Catch risky dependency changes before they land

Use Dependency Radar policy rules and compare mode to fail on newly introduced risk, not permanently on old tolerated debt.

npx dependency-radar
View example report

What it helps with

Review the dependency evidence, not just the lockfile

Dependency Radar runs against an installed JavaScript or TypeScript project and produces a self-contained report. Registry-backed checks (audit, outdated, signature, and enrichment) need registry access unless you run with --offline.

--fail-on rules

Fail builds on selected licence, vulnerability, or supply-chain-source policies. Example: npx dependency-radar --fail-on <policy>.

Compare mode

Compare a current scan against a committed Dependency Radar JSON baseline from your main branch.

New risky traits

Focus CI on newly introduced install scripts, native bindings, bins, sources, and registry signals.

JSON output

Emit structured reports for custom checks, dashboards, and review workflows.

Security tooling

Export SARIF for code scanning and security workflows.

SBOM exports

Generate CycloneDX and SPDX outputs from the same dependency scan.

Noise

Plain npm audit in CI can be too noisy

A flat vulnerability gate keeps failing on old, tolerated debt until the whole backlog is fixed. Dependency Radar is designed to help you gate the change, not just shout about the backlog.

  • Keep audit results in the report
  • Review vulnerabilities alongside dependency context
  • Use policy rules for what should actually fail a build

Policy

Use --fail-on for explicit rules

Policy rules make the build behaviour clear. You decide which licence, vulnerability, or supply-chain-source findings should fail the run.

  • Fail on selected licence policies
  • Fail on selected vulnerability policies
  • Fail on selected supply-chain-source policies
  • Keep the report for review evidence

Delta

Compare against a JSON baseline

Compare mode helps teams focus on new risk. Commit a previous JSON report, scan the current branch, and fail on changes that cross your line.

  • Catch new install scripts
  • Catch new native bindings and executable bins
  • Catch new source signals
  • Catch new execution, package, or registry risk signals
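The three ideas above (keep the backlog in the report, fail only on explicit policy rules, and compare against a committed baseline so that only newly introduced traits break the build) can be seen together in the small gate below. This is an added example written for this page, not Dependency Radar's own code: the report shape (packages[].licence, .source, .vulnerabilities, .installScripts, .nativeBindings, .bins), the policy names, and the package names are all assumptions made for illustration, and the real Dependency Radar JSON schema and --fail-on policy names may differ.

```javascript
// Added example, not Dependency Radar's own code. It shows the two gating ideas
// from this page on a hand-made report shape: explicit --fail-on style policy
// rules, and compare mode that only flags risky traits absent from a baseline.
// The report fields used here (packages[].licence, .source, .vulnerabilities,
// .installScripts, .nativeBindings, .bins) are assumptions for illustration;
// the real Dependency Radar JSON schema may differ.

const RISKY_TRAITS = ['installScripts', 'nativeBindings', 'bins'];

// Policy rules in the spirit of --fail-on <policy>: a name mapped to a predicate
// over one package. The names below are an assumption of this example.
const POLICIES = {
  'licence:copyleft': (p) => /^(A?GPL|LGPL)-/.test(p.licence || ''),
  'vuln:high': (p) =>
    (p.vulnerabilities || []).some((v) => v.severity === 'high' || v.severity === 'critical'),
  'source:non-registry': (p) => p.source !== 'registry',
};

// Evaluate the selected policies against every package in a report.
function evaluatePolicies(report, failOn) {
  const violations = [];
  for (const name of failOn) {
    const rule = POLICIES[name];
    if (!rule) throw new Error(`unknown policy: ${name}`);
    for (const pkg of report.packages) {
      if (rule(pkg)) violations.push({ package: pkg.name, policy: name });
    }
  }
  return violations;
}

// Compare mode: traits a package has now but did not have in the baseline.
// Packages are matched by name, not name@version, so a routine version bump of
// a package that already ran an install script is tolerated debt, not new risk.
function newRiskyTraits(baseline, current) {
  const before = new Map(baseline.packages.map((p) => [p.name, p]));
  const findings = [];
  for (const pkg of current.packages) {
    const old = before.get(pkg.name);
    for (const trait of RISKY_TRAITS) {
      const hadIt = old ? Boolean(old[trait]) : false;
      if (Boolean(pkg[trait]) && !hadIt) findings.push({ package: pkg.name, trait });
    }
  }
  return findings;
}

// The CI gate: fail on explicit policy hits in the current scan plus anything
// newly risky relative to the baseline; the rest of the backlog stays in the report.
function gate(baseline, current, failOn) {
  const violations = evaluatePolicies(current, failOn);
  const added = newRiskyTraits(baseline, current);
  return { ok: violations.length === 0 && added.length === 0, violations, newRiskyTraits: added };
}

// Constructed sample reports with fictional packages, standing in for the
// committed main-branch baseline and the current branch scan.
const BASELINE = { packages: [
  { name: '@example/core', version: '1.4.0', licence: 'MIT', source: 'registry',
    vulnerabilities: [{ id: 'EXAMPLE-0001', severity: 'moderate' }] },   // tolerated debt
  { name: '@example/build-tool', version: '0.18.0', licence: 'MIT', source: 'registry',
    installScripts: true },                                              // known install script
] };

const CURRENT = { packages: [
  { name: '@example/core', version: '1.4.1', licence: 'MIT', source: 'registry', vulnerabilities: [] },
  { name: '@example/build-tool', version: '0.19.0', licence: 'MIT', source: 'registry',
    installScripts: true },                                              // bumped, trait not new
  { name: '@example/git-helper', version: '1.0.0', licence: 'MIT', source: 'git',
    installScripts: true, bins: true },                                  // new package, new traits
  { name: '@example/copyleft-lib', version: '2.0.0', licence: 'GPL-3.0-only', source: 'registry' },
] };

const result = gate(BASELINE, CURRENT, ['licence:copyleft', 'vuln:high', 'source:non-registry']);
console.log(JSON.stringify(result, null, 2));
```

With these inputs the gate fails for two reasons only: the copyleft licence and the non-registry source hit explicit policies, and @example/git-helper introduces an install script and an executable bin that the baseline never had. The bumped build tool keeps its install script without tripping anything, and the moderate vulnerability carried in the baseline stays in the report rather than failing the build.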

CI portability

Runs anywhere your build runs

Dependency Radar does not require a hosted scanner or GitHub app. Run it in GitHub Actions, GitLab CI, Jenkins, CircleCI, or another pipeline that can run Node.js commands.

  • Emit JSON for automation
  • Emit SARIF for security tooling
  • Emit CycloneDX and SPDX for SBOM workflows
  • Keep HTML reports as build artefacts when useful


Try it

Generate a report locally

Run Dependency Radar in CI to produce JSON, SARIF, CycloneDX, SPDX, and HTML artefacts without adding a hosted scanner or GitHub app.