DepGuard — Dependency Audit & License Compliance
DepGuard scans your project dependencies for known vulnerabilities, license violations, and outdated packages. It uses native package manager audit tools (npm audit, pip-audit, cargo-audit, etc.) and enriches results with license analysis and risk scoring.
Commands
Free Tier (No license required)
depguard scan [directory]
One-shot vulnerability and license scan of your project dependencies.
How to execute:
```bash
bash /scripts/depguard.sh scan [directory]
```
What it does:
1. Detects the package manager (npm, yarn, pnpm, pip, cargo, go, composer, bundler, maven, gradle)
2. Runs the native audit command (npm audit, pip-audit, cargo audit, etc.)
3. Parses dependency manifests for license information
4. Generates a security report with severity levels
5. Lists packages with problematic or unknown licenses
Example usage scenarios:
- "Scan my dependencies for vulnerabilities" → runs `depguard scan .`
- "Check the licenses of my node modules" → runs `depguard scan . --licenses-only`
- "Are any of my packages insecure?" → runs `depguard scan`
depguard report [directory]
Generate a formatted dependency health report in markdown.
```bash
bash /scripts/depguard.sh report [directory]
```
Pro Tier ($19/user/month — requires DEPGUARDLICENSEKEY)
depguard hooks install
Install git hooks that scan dependencies on every commit that modifies lockfiles.
```bash
bash /scripts/depguard.sh hooks install
```
What it does:
1. Validates the Pro+ license
2. Installs a lefthook pre-commit hook targeting lockfile changes
3. On every commit that modifies package-lock.json, yarn.lock, Cargo.lock, etc.: runs the vulnerability scan and blocks the commit if critical/high vulnerabilities are found
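The scan steps above and the pre-commit gate are easiest to see as one small program. The following is an added example, not DepGuard's own script: it detects the package manager from the lockfile, runs the native audit, and returns a hook exit code. It parses only npm's `npm audit --json` format (auditReportVersion 2); the audit invocations for the other managers are assumptions to verify against your installed versions, and the sample report uses fictional packages.

```python
"""Dependency gate in the spirit of `depguard scan` + `depguard hooks`: detect the package
manager from its lockfile, run the native audit, and refuse a commit that touches a
lockfile when the worst finding reaches the severity threshold."""
import json
import os
import shutil
import subprocess
import sys

# npm's severity vocabulary; the rank is what threshold comparisons use.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# lockfile -> (manager, native audit invocation). The invocations are assumptions taken
# from each tool's documented CLI; verify the flags against the versions you have installed.
LOCKFILE_MANAGERS = [
    ("pnpm-lock.yaml", "pnpm", ["pnpm", "audit", "--json"]),
    ("yarn.lock", "yarn", ["yarn", "audit", "--json"]),
    ("package-lock.json", "npm", ["npm", "audit", "--json"]),
    ("Cargo.lock", "cargo", ["cargo", "audit", "--json"]),
    ("go.sum", "go", ["govulncheck", "-json", "./..."]),
    ("composer.lock", "composer", ["composer", "audit", "--format=json"]),
    ("Gemfile.lock", "bundler", ["bundle", "audit", "check", "--update"]),
    ("Pipfile.lock", "pip", ["pip-audit", "--format=json"]),
    ("requirements.txt", "pip", ["pip-audit", "-r", "requirements.txt", "--format=json"]),
]
LOCKFILES = {entry[0] for entry in LOCKFILE_MANAGERS}


def detect_from_files(names):
    """First recognised lockfile wins: returns (manager, audit command) or (None, None)."""
    present = set(names)
    for lockfile, manager, cmd in LOCKFILE_MANAGERS:
        if lockfile in present:
            return manager, cmd
    return None, None


def detect_package_manager(directory):
    return detect_from_files(os.listdir(directory))


def changed_lockfiles(paths):
    """Lockfiles among the staged paths, matched on basename so workspace lockfiles count too."""
    return sorted(p for p in paths if p.rsplit("/", 1)[-1] in LOCKFILES)


def count_by_severity(report):
    """Per-severity counts from an `npm audit --json` (auditReportVersion 2) report."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for vuln in report.get("vulnerabilities", {}).values():
        sev = vuln.get("severity", "info")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def max_severity(report):
    present = [sev for sev, n in count_by_severity(report).items() if n]
    return max(present, key=lambda s: SEVERITY_RANK.get(s, 0)) if present else None


def exceeds_threshold(severity, threshold):
    return severity is not None and SEVERITY_RANK.get(severity, 0) >= SEVERITY_RANK[threshold]


def staged_files():
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR"],
                         capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line]


def gate(directory=".", threshold="high"):
    """Pre-commit decision: 0 = allow, 1 = blocked by findings, 2 = could not verify."""
    locks = changed_lockfiles(staged_files())
    if not locks:
        print("no lockfile changes; skipping dependency scan")
        return 0
    manager, cmd = detect_package_manager(directory)
    if manager != "npm" or shutil.which(cmd[0]) is None:
        # Fail closed: a gate that cannot run its scanner must not silently let the commit through.
        print(f"cannot verify {', '.join(locks)}: only npm reports are parsed here, got {manager!r}")
        return 2
    # npm audit exits non-zero whenever it reports anything, so check=True would mask the report.
    proc = subprocess.run(cmd, cwd=directory, capture_output=True, text=True)
    report = json.loads(proc.stdout)
    worst = max_severity(report)
    print(f"{', '.join(locks)} changed; worst finding: {worst}; {count_by_severity(report)}")
    return 1 if exceeds_threshold(worst, threshold) else 0


# Constructed `npm audit --json` report with fictional packages, for exercising the parsing offline.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "demo-parser": {"name": "demo-parser", "severity": "critical", "isDirect": False,
                        "via": [{"title": "prototype pollution", "severity": "critical"}],
                        "fixAvailable": True},
        "demo-http": {"name": "demo-http", "severity": "high", "isDirect": True,
                      "via": ["demo-parser"], "fixAvailable": True},
        "demo-log": {"name": "demo-log", "severity": "moderate", "isDirect": True,
                     "via": [{"title": "ReDoS", "severity": "moderate"}], "fixAvailable": False},
    },
}

if __name__ == "__main__":
    sys.exit(gate())
```

Two design points carry over to any hook of this kind: the gate fails closed (exit 2) when it cannot run its scanner, rather than letting an unverifiable commit through, and it never passes `check=True` to `npm audit`, whose non-zero exit status simply means "findings present".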
depguard hooks uninstall
Remove DepGuard git hooks.
```bash
bash /scripts/depguard.sh hooks uninstall
```
depguard watch [directory]
Continuous monitoring — re-scans on any lockfile change.
```bash
bash /scripts/depguard.sh watch [directory]
```
depguard fix [directory]
Auto-fix vulnerabilities by upgrading to patched versions where available. Review the resulting lockfile diff before committing: the first patched release is not always within the same major version.
```bash
bash /scripts/depguard.sh fix [directory]
```
Team Tier ($39/user/month — requires DEPGUARDLICENSEKEY with team tier)
depguard policy [directory]
Enforce a dependency policy: block specific licenses, require minimum versions, deny specific packages.
```bash
bash /scripts/depguard.sh policy [directory]
```
depguard sbom [directory]
Generate a Software Bill of Materials (SBOM) in CycloneDX or SPDX format.
```bash
bash /scripts/depguard.sh sbom [directory]
```
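What an SBOM generator actually has to do with a lockfile is worth seeing once. The following is an added example, not DepGuard's own implementation: it turns an npm `package-lock.json` (lockfileVersion 3) into a minimal CycloneDX 1.5 JSON document with package URLs, license entries, SRI hashes converted to hex, and the dependency graph. The lockfile is constructed with fictional packages; a flat `node_modules` layout is assumed when resolving the graph, and SPDX output is not shown.

```python
"""Minimal CycloneDX 1.5 JSON SBOM from a lockfileVersion 3 package-lock.json."""
import base64
import hashlib
import json


def _sri(data):
    """npm-style Subresource Integrity string (sha512-<base64>) for the constructed sample."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed lockfile with fictional packages; keys follow npm's lockfileVersion 3 layout.
SAMPLE_LOCK = {
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"demo-http": "^2.1.0"}, "devDependencies": {"demo-test": "^9.0.0"}},
        "node_modules/demo-http": {"version": "2.1.4", "license": "MIT",
                                   "integrity": _sri(b"demo-http-2.1.4"),
                                   "dependencies": {"@demo/util": "^0.3.0"}},
        "node_modules/@demo/util": {"version": "0.3.2", "license": "(MIT OR Apache-2.0)",
                                    "integrity": _sri(b"@demo/util-0.3.2")},
        "node_modules/demo-test": {"version": "9.0.0", "dev": True, "license": "ISC",
                                   "integrity": _sri(b"demo-test-9.0.0")},
    },
}


def npm_name(path):
    """'node_modules/@s/p' -> '@s/p'; nested 'node_modules/a/node_modules/b' -> 'b'."""
    return path.rsplit("node_modules/", 1)[-1]


def purl(name, version):
    """Package URL; the purl spec percent-encodes the '@' that opens an npm scope."""
    encoded = name.replace("@", "%40", 1) if name.startswith("@") else name
    return f"pkg:npm/{encoded}@{version}"


def sri_to_hash(sri):
    """npm stores base64 SRI digests; CycloneDX hash entries want an algorithm name and hex."""
    alg, _, digest = sri.partition("-")
    return {"alg": alg.upper().replace("SHA", "SHA-"), "content": base64.b64decode(digest).hex()}


def license_entry(text):
    """A compound SPDX expression belongs in `expression`, a single id in `license.id`."""
    if any(op in text for op in (" OR ", " AND ", " WITH ")):
        return {"expression": text}
    return {"license": {"id": text}}


def cyclonedx_from_lock(lock, include_dev=False):
    packages = lock["packages"]
    root = packages[""]
    included = {path: e for path, e in packages.items()
                if path and not (e.get("dev") and not include_dev)}
    refs = {npm_name(p): purl(npm_name(p), e["version"]) for p, e in included.items()}
    components, dependencies = [], []
    for path, entry in included.items():
        name = npm_name(path)
        comp = {"type": "library", "bom-ref": refs[name], "name": name,
                "version": entry["version"], "purl": refs[name]}
        if entry.get("license"):
            comp["licenses"] = [license_entry(entry["license"])]
        if entry.get("integrity"):
            comp["hashes"] = [sri_to_hash(entry["integrity"])]
        components.append(comp)
        dependencies.append({"ref": refs[name],
                             "dependsOn": [refs[d] for d in entry.get("dependencies", {}) if d in refs]})
    root_deps = list(root.get("dependencies", {}))
    if include_dev:
        root_deps += list(root.get("devDependencies", {}))
    dependencies.insert(0, {"ref": "root", "dependsOn": [refs[d] for d in root_deps if d in refs]})
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": "root",
                                   "name": root.get("name", lock["name"]), "version": root["version"]}},
        "components": components,
        "dependencies": dependencies,
    }


if __name__ == "__main__":
    print(json.dumps(cyclonedx_from_lock(SAMPLE_LOCK), indent=2))
```

Dev dependencies are excluded by default because a production SBOM handed to a customer should describe what ships, not the test toolchain; pass `include_dev=True` for the internal inventory.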
depguard compliance [directory]
Generate a compliance report for auditors — maps licenses to categories (permissive, copyleft, proprietary, unknown).
```bash
bash /scripts/depguard.sh compliance [directory]
```
Supported Package Managers
| Manager | Lockfile | Audit Tool |
|---|---|---|
| npm | package-lock.json | npm audit |
| yarn | yarn.lock | yarn audit |
| pnpm | pnpm-lock.yaml | pnpm audit |
| pip | requirements.txt / Pipfile.lock | pip-audit / safety |
| cargo | Cargo.lock | cargo audit |
| go | go.sum | govulncheck |
| composer | composer.lock | composer audit |
| bundler | Gemfile.lock | bundle audit |
| maven | pom.xml | mvn dependency-check |
| gradle | build.gradle | gradle dependencyCheck |
Configuration
Add to ~/.openclaw/openclaw.json:
```json
{
  "skills": {
    "entries": {
      "depguard": {
        "enabled": true,
        "apiKey": "YOURLICENSEKEY",
        "config": {
          "severityThreshold": "high",
          "blockedLicenses": ["GPL-3.0", "AGPL-3.0"],
          "allowedLicenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
          "ignoredVulnerabilities": [],
          "autoFix": false,
          "sbomFormat": "cyclonedx"
        }
      }
    }
  }
}
```
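The `blockedLicenses` / `allowedLicenses` lists above only behave sensibly if the evaluator understands SPDX expressions: `(MIT OR GPL-3.0)` must pass an allow-list of MIT, `LGPL-2.1-or-later AND MIT` must not, and a package with no license metadata must fail closed. The following is an added example of that policy check and of the permissive/copyleft/proprietary/unknown bucketing the compliance command describes; it is not DepGuard's code. The license categories, the handling of deprecated SPDX spellings such as `GPL-3.0`, and the package table are constructed for the example.

```python
"""SPDX license expression policy check and compliance bucketing."""
import re

PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD", "Unlicense", "Zlib"}
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
            "AGPL-3.0-only", "AGPL-3.0-or-later", "LGPL-2.1-only", "LGPL-2.1-or-later",
            "LGPL-3.0-only", "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"}
PROPRIETARY = {"UNLICENSED", "SEE-LICENSE-IN"}  # npm's conventions for "not open source"
# Deprecated SPDX spellings (GPL-3.0, GPL-3.0+) still common in package metadata and in the config above.
DEPRECATED = {f"{fam}-{ver}{suffix}": f"{fam}-{ver}-{'or-later' if suffix else 'only'}"
              for fam, ver in (("GPL", "2.0"), ("GPL", "3.0"), ("AGPL", "3.0"), ("LGPL", "2.1"), ("LGPL", "3.0"))
              for suffix in ("", "+")}
CATEGORY_ORDER = ("permissive", "copyleft", "proprietary", "unknown")


def normalize(lic):
    return DEPRECATED.get(lic, lic)


def family(lic):
    """'GPL-3.0-only' and 'GPL-3.0-or-later' -> 'GPL-3.0', so one blocklist entry covers both."""
    return re.sub(r"-(only|or-later)$", "", normalize(lic))


def classify(lic):
    lic = normalize(lic)
    if lic in PERMISSIVE:
        return "permissive"
    if lic in COPYLEFT:
        return "copyleft"
    if lic in PROPRIETARY:
        return "proprietary"
    return "unknown"


def parse(expr):
    """Recursive-descent parser for SPDX expressions: OR binds loosest, then AND, then
    parentheses; 'WITH <exception>' is accepted and ignored. Returns a nested tuple tree."""
    if expr.strip().upper().startswith("SEE LICENSE IN"):
        return ("ID", "SEE-LICENSE-IN")
    toks = re.findall(r"\(|\)|[^\s()]+", expr)
    pos = 0

    def peek():
        return toks[pos].upper() if pos < len(toks) else None

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def disjunction():
        node = conjunction()
        while peek() == "OR":
            take()
            node = ("OR", node, conjunction())
        return node

    def conjunction():
        node = atom()
        while peek() == "AND":
            take()
            node = ("AND", node, atom())
        return node

    def atom():
        if peek() in (None, ")", "OR", "AND", "WITH"):
            raise ValueError(f"bad SPDX expression: {expr!r}")
        tok = take()
        if tok == "(":
            node = disjunction()
            if peek() != ")":
                raise ValueError(f"unbalanced parentheses: {expr!r}")
            take()
            return node
        if peek() == "WITH":
            take()
            if peek() is None:
                raise ValueError(f"WITH without exception: {expr!r}")
            take()  # the exception identifier does not change the policy decision here
        return ("ID", normalize(tok))

    tree = disjunction()
    if peek() is not None:
        raise ValueError(f"trailing tokens in {expr!r}")
    return tree


def satisfiable(tree, accept):
    """True if the expression can be satisfied using only licenses `accept` approves."""
    if tree[0] == "ID":
        return accept(tree[1])
    left, right = satisfiable(tree[1], accept), satisfiable(tree[2], accept)
    return (left or right) if tree[0] == "OR" else (left and right)


def category(expr):
    """Least restrictive category that satisfies the expression: (MIT OR GPL-3.0) is
    permissive because the consumer may pick MIT; (MIT AND GPL-3.0) is copyleft."""
    tree = parse(expr)
    accepted = set()
    for cat in CATEGORY_ORDER:
        accepted.add(cat)
        if satisfiable(tree, lambda lic: classify(lic) in accepted):
            return cat


def check_policy(packages, config):
    """packages: {name: SPDX expression or None}. Returns {name: reason} for violations;
    missing or unparseable license data is a violation (fail closed)."""
    blocked = {family(x) for x in config.get("blockedLicenses", [])}
    allowed = {normalize(x) for x in config.get("allowedLicenses", [])}

    def accept(lic):
        if family(lic) in blocked:
            return False
        return not allowed or lic in allowed  # empty allow-list means "anything not blocked"

    violations = {}
    for name, expr in packages.items():
        if not expr:
            violations[name] = "no license metadata"
            continue
        try:
            if not satisfiable(parse(expr), accept):
                violations[name] = f"{expr} not permitted by policy"
        except ValueError as err:
            violations[name] = str(err)
    return violations


def compliance_summary(packages):
    counts = dict.fromkeys(CATEGORY_ORDER, 0)
    for expr in packages.values():
        try:
            counts[category(expr) if expr else "unknown"] += 1
        except ValueError:
            counts["unknown"] += 1
    return counts


# Constructed package -> license table (fictional packages) and the policy from the config above.
SAMPLE_PACKAGES = {
    "demo-http": "MIT",
    "@demo/util": "Apache-2.0",
    "demo-pdf": "(MIT OR GPL-3.0)",
    "demo-crypto": "LGPL-2.1-or-later AND MIT",
    "demo-internal": "UNLICENSED",
    "demo-legacy": None,
    "demo-cli": "GPL-3.0",
}
POLICY = {"blockedLicenses": ["GPL-3.0", "AGPL-3.0"],
          "allowedLicenses": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"]}

if __name__ == "__main__":
    for name, reason in check_policy(SAMPLE_PACKAGES, POLICY).items():
        print(f"VIOLATION {name}: {reason}")
    print(compliance_summary(SAMPLE_PACKAGES))
```

Note how the blocklist is matched on license family while the allow-list is matched exactly: a team that writes `GPL-3.0` almost certainly means to reject `GPL-3.0-or-later` as well, whereas an allow-list should not silently widen.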
Important Notes
- Free tier works immediately — no configuration needed
- All scanning happens locally using native package manager audit tools
- License validation is offline — no phone-home
- Falls back to manifest parsing if native audit tools aren't available
- Supports monorepos — scans all workspaces/packages
When to Use DepGuard
The user might say things like:
- "Scan my dependencies for vulnerabilities"
- "Check my package licenses"
- "Are any of my npm packages insecure?"
- "Generate a security audit report"
- "Set up dependency monitoring"
- "Block GPL dependencies in this project"
- "Generate an SBOM"
- "Check if we're compliant with our license policy"