Get started
Two ways to run depproof.
Both produce the same output: a self-contained HTML report, a CycloneDX SBOM, and a pass/fail policy gate. Pick whichever fits where your builds already run.
1 · GitHub Action
Add depproof to any workflow. It resolves the full dependency tree, checks licenses and OSV advisories against your policy, and uploads the report + SBOM as build artifacts.
# .github/workflows/depproof.yml
name: depproof
on: [pull_request]
jobs:
audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: depproof/depproof-action@v0
with:
path: .
fail-on: copyleft # copyleft | unknown | vuln-high | none
sbom: cyclonedx
Pin to a release (@v0.1.5) for reproducible runs, or track
@v0 for the latest patch.
2 · Self-hosted container
The same engine ships as one public image (~31MB). No database, no server — it runs and exits, leaving the report behind. Ideal for GitLab CI, Jenkins, or air-gapped pipelines.
# pull the engine
docker pull ghcr.io/depproof/depproof:v0
# audit the current project, write the report locally
docker run --rm -v $PWD:/work ghcr.io/depproof/depproof:v0 \
scan /work --fail-on copyleft --sbom cyclonedx --out /work/depproof-report.html Define a policy
Drop a depproof.toml at your project root to declare which
licenses are allowed, which are blocked, and the severity threshold that
fails a build.
# depproof.toml
[license]
allow = ["Apache-2.0", "MIT", "BSD-3-Clause", "ISC"]
deny = ["GPL-3.0-only", "AGPL-3.0-only"]
unknown = "warn" # fail | warn | allow
[vulnerabilities]
source = "osv"
fail_on = "high" # critical | high | medium | none What you get out
- Self-contained HTML report — no external fonts, CDN, or JS. Opens anywhere, safe to archive as evidence.
- CycloneDX SBOM — the standard artifact for EO 14028 / EU CRA obligations and vendor risk reviews.
- Exit code — non-zero when policy fails, so it gates PRs and releases like any other check.
This page shows the shape of the workflow; the Marketplace listing and repository README are the source of truth for exact inputs and the current release.