BoSuY0/dependency-risk-radar

Dependency Risk Radar

Dependency Risk Radar is an open-source CLI, library, and GitHub Action for explainable dependency supply-chain risk review.

It scans npm/yarn/pnpm and Python dependency manifests or lockfiles, combines vulnerability, maintenance, license, integrity, and popularity signals, then produces policy-aware reports for local development and CI.

Quickstart

npm install
npm run build
node packages/cli/dist/index.js init
node packages/cli/dist/index.js scan . --offline

Release Verification

This repository includes a local release gate for v1.0 artifacts:

npm run clean
npm run build
npm run lint
npm test
npm run verify:release
npm run pack:dry-run

The GitHub Action is bundled with @vercel/ncc into packages/github-action/dist/index.js, so workflows that reference it via uses: do not need node_modules in the action checkout.

Useful commands:

dep-risk scan [path] --format table|json|markdown|sarif|cyclonedx
dep-risk scan [path] --fail-on-policy
dep-risk explain <package-name> [path]
dep-risk policy check [path]
dep-risk sbom [path] --output sbom.json
dep-risk diff --base origin/main --head HEAD

Packages

  • @dependency-risk-radar/core: project detection, parsers, metadata/cache, risk scoring, policy, and reporters.
  • @dependency-risk-radar/cli: dep-risk command.
  • @dependency-risk-radar/github-action: GitHub Action wrapper around core logic.

Supported Ecosystems

v1.0 focuses on npm/yarn/pnpm and Python:

  • package.json
  • package-lock.json
  • yarn.lock
  • pnpm-lock.yaml
  • npm and pnpm workspaces
  • requirements.txt
  • requirements-dev.txt
  • pyproject.toml
  • poetry.lock
  • Pipfile.lock

Report Formats

  • terminal table
  • JSON
  • Markdown
  • SARIF 2.1.0
  • CycloneDX 1.5 SBOM

Safety Model

Dependency Risk Radar does not execute dependency code or install scripts. Default tests are fixture-based and do not require live network access. Runtime network metadata lookups can be disabled with --offline.
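As an added illustration (not code from dependency-risk-radar), the following shows the kind of integrity signal a parse-only scan can derive from a package-lock.json without installing or executing anything: entries that lack an integrity hash, use a weaker digest than sha512, or resolve over plain http or from an unexpected registry. The sample lockfile, rule names and severities are constructed for the example.

```javascript
// Added example, not part of the dependency-risk-radar code base.
// Audits the "packages" map of a lockfileVersion 2/3 package-lock.json for
// integrity-related weaknesses, using only the lockfile contents (no network,
// no install scripts). Rule names and severities are illustrative.

// Constructed sample lockfile (not a real project).
const sampleLock = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-AAAA"
    },
    "node_modules/old-lib": {
      version: "0.1.0",
      resolved: "http://registry.npmjs.org/old-lib/-/old-lib-0.1.0.tgz",
      integrity: "sha1-BBBB"
    },
    "node_modules/mystery": {
      version: "2.0.0",
      resolved: "https://example.internal/mystery-2.0.0.tgz"
    }
  }
};

function auditLockfileIntegrity(lock, expectedRegistry = "https://registry.npmjs.org/") {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.replace(/^.*node_modules\//, ""); // keeps @scope/name intact
    if (!entry.integrity) {
      findings.push({ name, rule: "missing-integrity", severity: "high" });
    } else if (!entry.integrity.startsWith("sha512-")) {
      findings.push({ name, rule: "weak-integrity-algorithm", severity: "medium",
                      detail: entry.integrity.split("-")[0] });
    }
    if (entry.resolved) {
      if (!entry.resolved.startsWith("https://")) {
        findings.push({ name, rule: "insecure-resolved-url", severity: "high" });
      } else if (!entry.resolved.startsWith(expectedRegistry)) {
        findings.push({ name, rule: "unexpected-registry", severity: "medium", detail: entry.resolved });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(auditLockfileIntegrity(sampleLock), null, 2));
```

Running it on the sample reports two findings for old-lib and two for mystery, while left-pad (sha512 hash, https registry URL) is clean.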

See docs/ for full CLI, configuration, policy, GitHub Action, SBOM, and privacy documentation.

About

Explainable dependency supply-chain risk scanner for CLI and GitHub Actions.
