dep-inspector-cli
DevOps-grade dependency, security & infrastructure scanner for Node.js projects
Version 2 transforms dep-inspector from a dependency analyzer into a full DevOps security toolkit — covering secrets, Docker, CI/CD pipelines, ports, and logging. All features work without any API key. AI insights are optional.
| Command | What it does |
|---|---|
| dep-inspector | Dependency tree + vulnerability scan (v1) |
| scan:secrets | Detect hardcoded API keys, .env leaks, private keys |
| scan:vulns | npm audit wrapper with severity thresholds |
| scan:docker | Dockerfile & docker-compose security analysis |
| scan:ci | GitHub Actions workflow linting |
| scan:ports | Open port detection & process monitoring |
| scan:logs | Winston/Morgan/Pino logger health check |
| scan:all | Run everything, generate a full report |
```bash
npm install -g dep-inspector-cli
```

```bash
dep-inspector                        # Full analysis
dep-inspector analyze                # Same, explicit subcommand
dep-inspector --depth 3              # Limit tree depth
dep-inspector --json                 # Machine-readable output
dep-inspector --ai                   # AI-powered insights (optional, needs GROQ_API_KEY)

dep-inspector scan:secrets           # Scan current directory
dep-inspector scan:secrets --dir ./src   # Scan specific directory
dep-inspector scan:secrets --ai      # With AI explanations (optional)

dep-inspector scan:docker            # Analyze Dockerfile
dep-inspector scan:docker --file ./docker/Dockerfile

dep-inspector scan:ci                # Lint GitHub Actions workflows
dep-inspector scan:ci --dir .github/workflows

dep-inspector scan:ports             # Check open ports
dep-inspector scan:logs              # Logger health check

dep-inspector scan:all               # Full DevOps scan
dep-inspector scan:all --report      # + saves HTML report
dep-inspector scan:all --json        # + JSON output
dep-inspector scan:all --ai          # + AI summary (optional)
```
What each scanner checks:

- scan:secrets: password= / secret= assignments, .env files
- scan:docker: USER directive, HEALTHCHECK, :latest tag usage (non-reproducible builds), ENV/ARG, .dockerignore, npm install without --omit=dev in production
- scan:ci: ::set-output command, pull_request_target + actions/checkout (privilege escalation risk), @main / @latest instead of a version, timeout-minutes (stuck jobs)
- scan:ports: open port detection and process monitoring
- scan:logs: winston-daily-rotate-file (log rotation), LOG_LEVEL environment variable

All commands support --json for machine-readable output:

```bash
dep-inspector scan:secrets --json > secrets-report.json
dep-inspector scan:all --json > full-report.json
```
Severity levels: HIGH · MEDIUM · LOW
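The four scan:ci checks listed above, written out as a small line-based linter. This is an added illustration, not dep-inspector's own scan-ci implementation; the rule names, the severities assigned to each rule and the sample workflow are this example's assumptions.

```javascript
// Minimal GitHub Actions workflow linter (added example, not dep-inspector's code).
// Refs that float instead of pinning an action to a tag or commit SHA (assumption).
const UNPINNED_REFS = new Set(['main', 'master', 'latest']);

function lintWorkflow(yamlText) {
  const lines = yamlText.split('\n');
  const findings = [];
  // pull_request_target runs with the base repository's secrets, so pairing it
  // with actions/checkout is the combination the README flags as a risk.
  const usesPrTarget = /\bpull_request_target\b/.test(yamlText);

  lines.forEach((line, i) => {
    const n = i + 1;
    const uses = line.match(/uses:\s*([^\s@]+)(?:@(\S+))?/);
    if (uses) {
      const [, action, ref] = uses;
      if (usesPrTarget && action.startsWith('actions/checkout')) {
        findings.push({ line: n, severity: 'HIGH', rule: 'pr-target-checkout',
          message: 'actions/checkout in a pull_request_target workflow (privilege escalation risk)' });
      }
      // Local actions (./path) cannot be version-pinned, so skip them.
      if (!action.startsWith('./') && (!ref || UNPINNED_REFS.has(ref))) {
        findings.push({ line: n, severity: 'MEDIUM', rule: 'unpinned-action',
          message: `${action} is not pinned to a version tag or commit SHA` });
      }
    }
    if (line.includes('::set-output')) {
      findings.push({ line: n, severity: 'LOW', rule: 'deprecated-set-output',
        message: '::set-output is deprecated; write to $GITHUB_OUTPUT instead' });
    }
  });

  if (!/^\s*timeout-minutes:/m.test(yamlText)) {
    findings.push({ line: 0, severity: 'LOW', rule: 'no-timeout',
      message: 'no timeout-minutes set; a stuck job runs until the 360-minute default' });
  }
  return findings;
}

function hasSeverity(findings, level) {
  return findings.some(f => f.severity === level);
}

// Constructed sample workflow that trips every rule (not a real repository's file).
const SAMPLE_WORKFLOW = [
  'name: CI', 'on: [pull_request_target]', 'jobs:', '  build:',
  '    runs-on: ubuntu-latest', '    steps:',
  '      - uses: actions/checkout@v4',
  '      - uses: some-org/some-action@main',
  '      - run: echo "::set-output name=result::ok"',
].join('\n');

for (const f of lintWorkflow(SAMPLE_WORKFLOW)) console.log(`${f.severity}\tL${f.line}\t${f.message}`);
```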
The --ai flag sends findings to Groq LLM for human-readable explanations and fix suggestions. It is completely optional — every scan works without it.
```bash
# Set once in your shell profile or .env
export GROQ_API_KEY=your_key_here

dep-inspector scan:secrets --ai
dep-inspector scan:all --ai
```
Get a free key at console.groq.com. If the key is missing, the tool runs normally and skips AI output with a note.
```yaml
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
  dep-inspector:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install dep-inspector
        run: npm install -g dep-inspector-cli
      - name: Scan secrets
        run: dep-inspector scan:secrets --json > secrets.json
      - name: Scan dependencies
        run: dep-inspector --json > deps.json
      - name: Lint CI workflows
        run: dep-inspector scan:ci
      - name: Upload reports
        uses: actions/upload-artifact@v4
        with:
          name: dep-inspector-reports
          path: "*.json"
```
Fail build on HIGH severity secrets:
```bash
dep-inspector scan:secrets --json | node -e "
let d = '';
process.stdin.on('data', c => d += c);
process.stdin.on('end', () => {
  const { findings } = JSON.parse(d);
  const high = findings.filter(f => f.severity === 'HIGH').length;
  if (high > 0) { console.error(high + ' HIGH severity secrets found. Failing build.'); process.exit(1); }
  console.log('No HIGH severity secrets found.');
});
"
```
```text
dep-inspector/
├── src/
│   ├── index.ts              # CLI entry — all commands registered here
│   ├── commands/
│   │   ├── analyze.ts        # v1 dependency analysis
│   │   ├── scan-secrets.ts   # secrets & key scanner
│   │   ├── scan-docker.ts    # Dockerfile analysis
│   │   ├── scan-ci.ts        # GitHub Actions linter
│   │   ├── scan-ports.ts     # port monitor
│   │   ├── scan-logs.ts      # logger health check
│   │   └── scan-all.ts       # full scan orchestrator
│   └── utils/
│       ├── ai.ts             # optional Groq integration
│       ├── audit.ts          # npm audit wrapper
│       ├── deps.ts           # npm ls wrapper
│       ├── tree.ts           # tree printer
│       └── version.ts        # semver comparison
├── package.json
└── tsconfig.json
```
Environment variables:

- GROQ_API_KEY — only needed for the --ai flag

Roadmap:

- scan:secrets — .git history scanning (catch keys that were deleted but committed)
- scan:docker — docker-compose multi-service analysis
- --report — full HTML report with charts
- .depinspectorrc config file

Local development:

```bash
git clone https://github.com/Nevin100/Dep-inspector-nevin
cd Dep-inspector-nevin
npm install
npm run build
```
Pull requests welcome. For major changes, open an issue first.
MIT © Nevin Bali
FAQs
We found that dep-inspector-cli demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.