Get started

Two ways to run depproof.

Both produce the same output: a self-contained HTML report, a CycloneDX SBOM, and a pass/fail policy gate. Pick whichever fits where your builds already run.

1 · GitHub Action

Add depproof to any workflow. It resolves the full dependency tree, checks licenses and OSV advisories against your policy, and uploads the report + SBOM as build artifacts.

# .github/workflows/depproof.yml
name: depproof
on: [pull_request]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: depproof/depproof-action@v0
        with:
          path: .
          fail-on: copyleft   # copyleft | unknown | vuln-high | none
          sbom: cyclonedx

Pin to a release (@v0.1.5) for reproducible runs, or track @v0 for the latest patch.

2 · Self-hosted container

The same engine ships as one public image (~31MB). No database, no server — it runs and exits, leaving the report behind. Ideal for GitLab CI, Jenkins, or air-gapped pipelines.

# pull the engine
docker pull ghcr.io/depproof/depproof:v0

# audit the current project, write the report locally
docker run --rm -v $PWD:/work ghcr.io/depproof/depproof:v0 \
  scan /work --fail-on copyleft --sbom cyclonedx --out /work/depproof-report.html

Define a policy

Drop a depproof.toml at your project root to declare which licenses are allowed, which are blocked, and the severity threshold that fails a build.

# depproof.toml
[license]
allow = ["Apache-2.0", "MIT", "BSD-3-Clause", "ISC"]
deny  = ["GPL-3.0-only", "AGPL-3.0-only"]
unknown = "warn"        # fail | warn | allow

[vulnerabilities]
source = "osv"
fail_on = "high"          # critical | high | medium | none

What you get out

  • Self-contained HTML report — no external fonts, CDN, or JS. Opens anywhere, safe to archive as evidence.
  • CycloneDX SBOM — the standard artifact for EO 14028 / EU CRA obligations and vendor risk reviews.
  • Exit code — non-zero when policy fails, so it gates PRs and releases like any other check.

This page shows the shape of the workflow; the Marketplace listing and repository README are the source of truth for exact inputs and the current release.